Category: security tools

Detecting Rogue Virtual Machine- My Script

I wrote a post about detecting rogue virtual machine a while ago. Today I am publishing my script for how to get list of mac addresses and their manufacturer. It is easy to put an if statement and make this script to detect virtual machines. This is just start, if I get some time I will make this smarter.

#scan C subnet assuming you're in 192.168.1.X
#check arp info
for ((i=0; i<255; i++))
do
ping -t 1 192.168.1.$i >temp.txt
done
arp -a | awk /:/ | cut -f 4 -d " " > macAddresses.txt
arp -a | awk /:/ | cut -f 2 -d " " > ipAddresses.txt
fileName=macAddresses.txt
#lookup those mac address on the web
cat $fileName | while read mac
do

#for each mac addresses we are sending post request and formating the output
#-qO- means show the output in terminal, not save in a file
#post data is obvious, use post method to fill a field "mac" on the form
#awk the Company part and format to gather the result

wget -qO- --post-data="mac=$mac" http://aruljohn.com/mac.pl | awk /\>Company/ | cut -f 5 -d ">" >>companiesTemp.txt

done

#little more formating for companies.Temp required

cut -f 1 -d "<" companiesTemp.txt >companies.txt
#combining ip,mac, and companies in a single file
paste ipAddresses.txt macAddresses.txt companies.txt>finalResult.txt

#printing final result on the screen
echo "The results are saved in local finalResult.txt, and we are kind enough to show them here"
cat ./finalResult.txt

#cleanUp temp files
rm temp.txt companies.txt companiesTemp.txt ipAddresses.txt macAddresses.txt

PCI Vulnerability Scans – Part II: PCI and Wireless

In my  previous PCI blog post we discussed risk level of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs.

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

_ WLAN cards inserted into system components

_ Portable wireless devices connected to system components

(e.g., by USB, etc.)

_ Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (e.g., wireless IDS/IPS, NAC), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizationʼs incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

PCI wants you to detect rogue access points. However there is a flaw here. PCI doesn’t require you to monitor your network for rogue access points. It just want you detect them quarterly…

Well, what if attacker deploy an AP after you run your quarterly scan? You will be vulnerable lots of networking attack for a 3 more months and you will think you’re secure since you have PCI certification… This is another example of why you should not think you are secure just because you have a certification…

Anyway, let’s return our subject. So we need to determine rogue AP quarterly. Himm. Let’s see. We can do this by scanning all wireless APs and comparing the BSSIDs (mac address) of the APs that have same SSID with our APs. If we see any AP that has our SSID but not in our asset, that AP is a rogue AP.

A. Windows

Go to Start, type powershell, on the blue screen of power shell run these two following commands:

Netsh wlan show networks mode=bssid -> To get all BSSIDs

Netsh wlan show networks mode=ssid-> To get all SSIDs

B. MAC

KisMAC is a free, open source wireless stumbling and security tool for Mac OS

You can download it at http://kismac-ng.org/

After you run the KisMAC, click Start Scan in the bottom right corner.

C. Linux

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring

mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Linux users can download Kismet at http://www.kismetwireless.net

Note: Please read the full manual, but for the quick starters, here is the bare minimal instruction to operate Kismet:

• Download Kismet from http://www.kismetwireless.net/download.shtml

• Run “./configure”. Pay attention to the output! If Kismet cannot find all the  headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

• Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

• Compile Kismet with “make”.

• Install Kismet with either “make install” or “make suidinstall”.

Note: you must read the “suid” installation and security” section of the Readme or your system may be insecure.

• If you have installed Kismet as suid-root, add your user to the “kismet” group

• Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is

less secure than privsep mode, where packet processing is segregated  from admin rights.

• When prompted to start the Kismet server, choose “Yes”.

• When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported

channels. If it does not, you will have to manually define the capture type   (as explained later in this README).

• Logs will be stored in the directory created when you started using Kismet, unless it changed via the “logprefix” config file or “–log-prefix” startup option.

• READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options. To get the most out of it, you must read all of

the documentation.

 

With these tools you can get all SSIDs and BSSIDs on your area (It is good idea to capture packets in different areas of your buildings so that you have better chance to detect any existed rogue APs.

 

Update: I have received couple of e-mail about PCI scope on wireless. Here is what PCI says about it:

“Wireless
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless
local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI
DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and
4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider
deploying wireless technology only for non-sensitive data transmission.”

I believe it is pretty straight forward.  If there is no separation of wired/wireless networks with a firewall on your cardholder data environment you cannot think wireless network is out of your scope…

Reset Your Windows Password

We have lots of password to remember : workstation, servers, banks, forums, mails etc… This makes forgetting passwords easier. Today I would like to mention how to remove reset admin password on windows.

I am going to use chntpw. chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry’s SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shutdown your computer and boot off a linux floppy disk).

1. Insert Backtrack’s DVD on your windows computer and boot from CD (usually you can hit f2, f12 in order to see boot order, then you can force computer to boot from CD/DVD).

2. Mount your windows partition:

2.1. Run fdisk -l to determine where is your windows partition.
My windows partition is /dev/sda1

2.2 Create empty folder to mount windows partition.
mkdir /mnt/windows

2.3mount /dev/sda1 /mnt/windows

3. Go into chntpw directory
cd /pentest/passwords/chntpw

4. Run chntpw against your SAM

./chntpw -i /mnt/windows//WINDOWS/system32/config/SAM
5. Type the username you want to reset password, enter, then press 1, enter.

6. After made the changes,  you need to exit from the main chntpw menu and press “Y” to write the changes or “N”to ignore the changes.

 

PCI Vulnerability Scans – Part I : Severity Levels (Risk Rankings)

PCI requires you to have both external and internal vulnerability scans. We will discuss them in detail later. Today I will focus on the risk rankings that PCI uses for vulnerabilities.

PCI DSS requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Notes:

Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component.

The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

6.2.a Interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities, and that a risk ranking is assigned to such vulnerabilities. (At minimum, the most critical, highest risk vulnerabilities should be ranked as “High.”

6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information.

Himm, as you see with PCI version 2 there is a change in the vulnerability severity categorization. Now PCI asks us to use CVSS and telling that CVSS will be a standardized severity level for PCI vulnerability scans after June 30, 2011.

The table above should give you a very clear idea of which severity category that a vulnerability will be assigned.  For example a vulnerability that has CVSS score of 5 will be a medium level vulnerability that should be fixed to pass PCI compliance.

In order to pass PCI compliance all the vulnerabilities should have 3.9 or less CVSS. There are four exceptions for this rule:

1. The vulnerability is not included in the NVD (National Vulnerability Database): If it is a new vulnerability you have a chance that you don’t have the vulnerability in the NVD.

You can still use CVSS system to calculate the risk ranking score. PCI also asks you to reference to other external resources of information about the vulnerability.

2. You disagree with the CVSS score noted in the NVD: Sometimes the CVSS score may not make sense for your organization for a specific vulnerability. In this case PCI asks you to provide followings:  Score in the NVD, your score, and why you are disagree with the score provided in the NVD.

3. It is a denial of service (DoS) vulnerability:  If it is a purely DoS type of vulnerability you have found, you can ignore it regardless of CVSS score since it is not in the scope of PCI compliance.

4. It is one of the “automatic failure” type of vulnerability: Like DoS vulnerability, you will not care CVSS score (this time it is other way around, the CVSS score is lower than 4.0 but due to the nature of the vulnerability system cannot be PCI compliant)

Here are the all automatic failures:

  • Operating system has no longer supported by the vendor
  • There is an open access to database from internet
  • Built in accounts (OS, DB, Web, Application, Network, etc…)
  • Unrestricted DNS zone transfer
  • SQL injection, XSS, director traversal, HTTP response splitting/header injection
  • The presence of well-known, remotely detectable backdoor applications installed on the servers.
  • If server supports SSL 2.0 or older, or SSL 3.0 with 128-bit encryption

In my next PCI post, I go over wireless requirements and how to detect rogue APs.

Detecting Rogue Virtual Machines On A Network

Introduction

Today our topic is detecting rogue virtual machines. Rogue virtual machines can pose huge threat to your organization. Even with your managed machines, you might have unauthorized virtual machines. There are some ways to keep the number of rogue vm’s very low on your network such as using software policy, restricting admin accounts for those only need them etc..

What if your employees install virtual machines without your knowledge. How can you detect those virtual machines?

Detecting “evil” at rest

If you can identify all virtual machines that sits on your network, then you can compare them with the authorized virtual machines. In this way you can find rogue virtual machines.

There are two ways you can identify virtual machines. One way is checking MAC address, other is checking running process.

First way: Checking MAC address of remote system

MAC addresses are unique to each device. If you can get a mac address of a device then you can tell what company is made the device. Since virtual machines uses their virtual network adapter to connect a network and this virtual adapters are unique to each company, we can determine if mac address belong to a virtual machine company.

So how can we get mac addresses of other computers on a network?

The answer is easy. We can ping each devices on the network and then check our arp tables.

OR we can use nmap.

nmap -sP 192.168.1.1/24
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-03-17 22:35 EDT
Nmap scan report for 192.168.1.1
Host is up (0.018s latency).
MAC Address: 00:24:A1:17:44:CD (Motorola CHS)
Nmap scan report for 192.168.1.13
Host is up (0.000094s latency).
MAC Address: 00:26:BB:07:17:DD (Apple)
Nmap scan report for 192.168.1.11
Host is up (0.014s latency).
MAC Address: 00:1B:77:CD:FF:CD (Intel Corporate)
Nmap scan report for 192.168.1.13
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.53 seconds

As you see nmap has predefined mac database so it can convert mac addresses to manufacturer’s name.

Second way: Checking Process Names

You can get mac address of the computers that sits on the same vlan/lan with you so first option is only good for you have only one lan. Moreover some virtual adapters can be on NAT mode so you cannot see their MAC address.  (On NAT mode they use same mac address with the physical machine.)

Each virtual machine software will have running processes. For example VM Fusion has vmware-vmx as running process on OSX. So you can login each machine to see if there is a running process related with a virtual machine software.

Nessus has a plugin for checking vm ware machines  by using this technique(http://blog.tenablesecurity.com/2007/04/i_was_speaking_.html) , you can write your own plugin to find other virtual instances.

The disadvantage of this method is you need to have admin credentials.

Summary

We can find rogue virtual machines on network by comparing all virtual machines with authorized virtual machines. We can identify all vms by using mac addresses or running processes. With the first method we can only identify virtual instances on the same LAN. With the second method we need to have admin credentials for the boxes we scan.

Update: Please check here for more info http://realinfosec.com/?p=678

 

 

 

CEH Module 5: Scanning (NMAP)

Today I would like to write about CEH module 5, that is Scanning. The last module was covered on this blog was Footprinting can be found here If you want to see all the modules written about CEH, you can click “Certified Ethical Hacker” section at the right side bar.

Even tough I will talk about some general scanning techniques, my focus will be on practical knowledge of nmap that is heavily is tested on your CEH exam. I will not go deep on the nmap, you can do lots of cool stuff with it, but my focus will be its general usage for the ceh exam.

NMAP

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

You need to know some basic options, scan types, IP addresses’ and ports’ formats in nmap.

OPTIONS

-sT: connect scan -sX:XMAS scan
-sS: syn scan (half open) -sP: ping scan
-sF: fyn scan -sU:UDP scan
-sO: raw scan -O: OS detection

3 way hand shake will be performed on the connect scan, that is why this option is slow and will have lots of footprints on the target system.
Syn scan will only send SYN packets to targets. If the port is open then we will receive SYN+ACK other wise we will receive RST that indicates the port is closed…
Ping scan: This also known as ping sweep. Basically nmap will be pinging all the given machines and determine live hosts.
UDP scan: In case you want to see UDP ports, you need to run a UDP scan.

IP addresses

192.168.0.1-255
scanme.nmap.org/24
192.168.0.1/26

Port

-p23,25,80
-p1-1000

Examples

nmap -sS scanme.nmap.org/24 -p1-65535
nmap -sT -O 192.168.0.1-25 -p23

TCPTraceroute to Bypass the Firewall filters

Introduction

The first step for penetration testers is getting information about the system. Traceroute is a great tool for this purpose.

Traceroute shows the route between you and the target machine.  Linux has a command line utility called traceroute.

traceroute

traceroute uses UDP.

Windows has a tool called tracert.

tracert

tracert uses ICMP.

It is quite common for firewalls to be configured to block ICMP or UDP and thereby prevent Traceroute from returning useable information.

One program designed to get around this issue is Michael Toren’s TCPTraceroute.

TCPTraceroute uses TCP SYNpackets insted of ICMP or UDP and is able to bypass common firewall filters.

Installation

TCPTraceroute is currently available for only Linux. You can install on your debian based machine by using apt-get:

<p style=”background: black; color: white”>
</p>ISMAIL

sudo apt-get install tcptraceroute

Example

tcptraceroute

Summary

As a penetration tester to gain information about the target system, you need to be familiar with several tools. One of these tools is tcptraceroute. It can bypass most of the firewalls since it uses TCP unlike tracert and traceroute.

A Powerful Vulnerability Scanner: Nessus- Part II

In my last blog post, I mentioned about Nessus licenses and installation processes. Today, I would like to write about usage of Nessus.

Updating Plug-ins

After you register and activate the nessus server, it will start to download and then update the plugins. Plug-ins are kind of virus signatures.  Plug-ins test the common vulnerabilities on a machine. Nessus plugins are written on Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles for how to write NASL too.]

nessus_Download

Updating plug-ins (for the first time) can take up to 20 minutes so be patient.

Client Configuration

Start Nessus Client  from Start->Applications->Tenable->Nessus Client.

Click the ‘+’ sign at the left. This will bring ‘Target Window’ where we can set which targets we want to scan.

nessus_client

We have 4 options that we can use the scan the network. The first one is single host. You can use the hostname or the IP address. (example.com or 123.4.5.67)

Second option is IP range. Basically, we can provide a valid ip range such as 192.168.0.1-192.168.0.254.

We can also scan a subnet by providing its network and subnet address. (Network Address: 192.168.0.0; Subnet mask: 255.255.255.0)

We can provide host names or IP we want to scan in a text file. This is beneficial if you already have the list of the machines you want to scan and don’t want to scan all the network.

Choose what ever option you like and then click ‘Save’.

Connecting to the Nessus Server

We will use ‘connection manager’ to connect to the Nessus server.

First, click the Connect button at the lower left side. It should bring connection manager.

Nessus_ConnectionManager

As you see, by default we can connect the localhost. (since I have running nessus server on the local machine I will use this option.) If we have our server on a different machine than local machine, then click plus sign at the bottom left side.

You can name the new connection and choose the authentication method you want. You can simply use password based authentication or SSL based authentication.

After you set up the connection, click ‘Save’. You should see a ‘New Certificate Window’ if you are connecting to the server first time. Click ‘Yes’ and login to the server.

Nessus_Certificate

Policies

Now, we need to add a new policy. Click the plus sign at the right side and save this policy as Default Policy. In this way, you will always have the default policy in the policy section.  Let’s create a more specific policy. We will scan a Linux server (CentOS) which has Apache and MySQL on it.

Plugin Selection

To create a new specific policy for our example, click the plus sign again and then hit ‘Plugin Selection’ tab. The server we are scanning is a CentOS Linux. So we don’t need to have Local Security Checks Plug-ins for Windows, Fedora, Redhat, Ubuntu and Debian. Uncheck all of these (Of course you will uncheck the ones except your OS). Same thing goes with IIS Webserver. Now, click Policy tab and save this Policy as Linux_CentOS Policy.

Important Note: The “Denial of Service” family contains some plugins (all of DoS plugins are enabled by default) that could cause outages on a corporate network if the “Safe Checks” option (Safe Check is also enabled by default-it is under the Options tab) is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plug-ins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network.

Let’s start scanning by clicking ‘Scan now’ button at the below.

Reports

After scan completes, you can see the result under the ‘Report’ section.

Nessus_Report

Nessus found one medium and 8 low risks. Usually, you can ignore the low risk and you can ignore the medium risk for some cases.Orange color on a port number (in our example, it is port 80 ) means the highest risk is medium. Red means highest risk is a ‘high risk’ (!) and black means it is a ‘low risk’.

Nessus gives the important information about possible vulnerabilities. You will see Synopsis, Description, Solution, Risk Factor and Plugin Output on the report.

Nessus_Report2

We can sort the output based on Vulnerabilities, hosts, ports, IPs (one host can have more than one IP, right!) by using ‘View Template’ button on the lower right side.

We can export the report as html which is useful. We can also get CVE output and create an excel file if it is some thing you want. ( I prefer creating excel files using csv templates on Nessus, it makes my report more customizable)

Conclusion

In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server,  how to scan networks, and how to read Nessus reports. In the next blog post(s), we look into more details about scanning progress and user management on Nessus.

A Powerful Vulnerabilty Scanner: Nessus- Part I

I will have some blog posts about Nessus. In this first one, I will mention general issues about it.

What is Nessus?

Nessus is a proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

You can scan ports and see the things crackers can find to hack so you can take action before they do! There will be some examples later for the vulnerabilities we can find with Nessus.

I always think Nessus is kind of outbox scanner for remote stuff and usually it works in that way. However, it can find default password or weak passwords too.

If you are working on a vulnerability management project, I will recommend you to have another scanner for scanning in the boxes ( i.e vulnerabilities for the software running on the machines. I like  Sunbelt Network Security Inspector for this purpose)

Anyway, let’s check License options for Nessus.

Licenses: What are Licenses? Wasn’t Nessus GPL and free ?

It was free but in 2005 creator of  Nessus sold it to Tenable Network Security. Tenable still maintains  Nessus 2.0 under GPL. They closed the source code for the version 3.0 and higher.

Version 3.0 was the first one which was done by Tenable. It was running almost 5 times faster than v2.  V3 was popular too but having 3 licenses for one product makes users a little confused.

The first type of the licenses is ProfessionalFeed License. With this license, Tenable provides you support of the application. They also provide plugins for you earlier than other licenses.

Pricing for the ProfessionalFeed is based upon the number of Nessus scanners in use within your organization, consultancy or service. The cost is $1,200 per scanner per year.

You can buy ProfessionalFeed from here.

The other type of License is HomeFeed License. A HomeFeed is available for free to individual home users, and cannot be used by organizations or individuals professionally.

The last one is on demand. It allows you to evaluate the ProfessionalFeed by using the HomeFeed subscription commercially for 15 days. You may only perform such an evaluation once.

The on-demand evaluation does not give you access to the customer portal, nor to the features specific to the ProfessionalFeed but should be adequate to test Nessus. You can obtain an activation code here.

Installing and Activating Nessus

Installing Nessus is so straight forward. You can download it from this link. It can run on Linux, Windows and Mac.

For this blog post, I installed it on a windows machine.

After you set it up, don’t forget to activate it. (Remember, even non-professional use of nessus, you are  required to get it activated. (They will send you activation key via e-mail, just grab the key and paste on the dialog window)

How It Works

You need to understand how the software works before scanning the machines across the network.

The most important thing you need to know is Nessus is agentless scanner. What is agentless?

Well, some security software needs to be installed on each machine you scan. However, the way nessus works is different. It uses client/server architecture. There will be a client machine in which you can run the software and make configuration for the scan. There will also be a server, the machine which performs what you tell by using the client machine.

Server and client can be same machine. Don’t forget, you don’t need to pay for each client but you need to pay for each server you install (They are required to have different licenses)

Client/Server Architecture brings some flexibilities. The first one is remote scanning.

You can install the server inside of the network and run client from a remote place say your home. This is so helpful since you don’t need to deal with firewall or IDS issues which can effect the scanning result.

Second advantage is one machine is enough to run a scan for all the network. This is definitely time saving!

I will cover the usage and configuration of Nessus in the next blog post.

Hacking / Recovering Firefox Saved Passwords

Introduction

I covered how/where Firefox store saved passwords on the previous blog post. Today, I will mention how to hack them.

As discussed previously, Firefox uses TripleDES as its encryption algorithm. If master password is not set, we can crack the password with any 64 base decoder since there won’t be encryption.

If master password is used, user needs to attack  key3.db with a password cracker such as FirePassword to recover master password.

Master password is not stored on the key3.db. Firefox stores  encrypted data associated with known string.

Say the known string is realinfosec. If user enter correct master password, he can decrypt the encrypted data as realinfosec.  BOOM!

Known string and decrypted one matched! Firefox now knows that user entered correct master password, so it will decrypt all the saved passwords.

The way Firemaster works is same.

  1. First, Firemaster generates password by using bruteforce, hybrid and dictionary attacks.
  2. After that, it computes hash of master password.
  3. Firepassword uses this hash to decrypt encrypted data.
  4. If the decrypted data matches with the string (i.e realinfosec), it means FireMaster gets the password!

firemaster1

After having master password,  you can decrypt saved passwords via FirePassword.

Currently, Firepassword can only decrypt saved passwords on Sigons.txt files not the ones on the signons.sqlite

Nagareshwar Talekar, creator of these two nice tools,  informed me that he will try to update FirePassword, then it may crack saved passwords stored on the signons.sqlite.

Conclusion

1-) If you forget your master password, you can get it back via FireMaster.

2-) Strength of encryption is depend on the strength of the Master Password you choose

3-)Nothing is impossible, you can recover your Firefox password. However, this means that hackers can crack them as well… Don’t forget; they only need to have key3.db and sigons files (txt and sqlite) to do that. You need to be sure that physical security and network security for your machine are OK.