# Credentials from Web Browsers Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, **AppData\Local\Google\Chrome\User Data\Default\Login Data** and executing s SQL query: **SELECT action\_url, username\_value, password\_value FROM logins;**. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key. Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc. Adversaries may also acquire credentials by searching web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). **Example:** Users login a plethora of times using browsers in there Day to Day lives there are paths that contains these passwords encrypted that we could find and there are also Tools that can help us crack these passwords and find these logins from many browsers some great tools are [Lazagne](https://github.com/AlessandroZ/LaZagne/releases) and [SharpWeb](https://github.com/djhohnstein/SharpWeb) ![](/files/-MRkeX7ZmgDaFRTb-A7s) ![](/files/-MRkeXspbb14ZL1sCmhG) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/credential-access/t1555-credentials-from-password-stores/credentials-from-web-browsers.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.