HTML Report
The HTML report is the primary output of infostealer_audit.py. This
page explains each tab in detail.
```
reports/
├── infostealer_<timestamp>.html               # default
├── infostealer_showpassword_<timestamp>.html  # with --showpassword
└── audit_aggressive_<timestamp>.log           # console log from pwd_audit --aggressive
```
The banner at the top has:
- A risk colour (CRITICAL / HIGH / MEDIUM / LOW) for your overall exposure.
- Quick stats: number of browsers, decrypted vs. protected credentials, number of outdated browsers, number of infostealer targets present, number of recovery tools available.
A short paragraph under the banner explains what the report represents and reminds you that the password mode (masked vs. plaintext) is shown.
The first thing you see after the banner. It contains the version comparison matrix:
| Column | Meaning |
|---|---|
| Browser | Name of the detected browser |
| Installed | Version currently installed on this machine |
| Current stable | Latest stable version fetched live from the vendor |
| Δ | Difference in major version. +0 = up-to-date; +1 = one major behind; +N for older |
| Risk | OK / LOW / MEDIUM / HIGH / CRITICAL based on the gap |
Rows with Risk = OK are green. Anything else is amber/red.
For each browser and each profile, a collapsible table with one row per saved credential. Columns:
| Column | Meaning |
|---|---|
| URL | The site this credential is for |
| Username | The username (left as stored) |
| Password | Masked (`M*****a`) or plaintext if `--showpassword`. For v20-protected, shows `[v20-PROTECTED]` |
| Cipher | Which encryption scheme was used to store this credential. Colour-coded. |
| Category | Auto-classification: Banking / Email / Cloud-Dev / Gaming / Social / Shopping / Router / etc. |
| Risk | CRITICAL / HIGH / MEDIUM / LOW based on the site category |
Sort order: by decryptability first (decrypted on top), then by site criticality, then by URL.
| Tag | Meaning | Risk |
|---|---|---|
| `v10` (AES-GCM + DPAPI user) | Chrome 80–126 scheme. User-mode infostealer can decrypt in seconds. | 9/10 |
| `v20` (ABE - DECRYPTED!) | Chrome 127+ App-Bound Encryption, but the tool managed to decrypt it. Indicates aggressive mode or external help. | 8/10 |
| `v20`-ABE protected | Chrome 127+ ABE, the tool could not decrypt. Best protection currently. | 2/10 |
| pre-`v10` (DPAPI direct) | Chrome <80 scheme. Trivial to decrypt. | 10/10 |
| NSS PBKDF2+AES-256 | Firefox scheme. Decryptable in user-mode unless a Primary Password is set. | 6/10 |
Reproduces the version comparison from Overview plus, for each installed browser, the list of bypass techniques known to work against that version, sourced from the KB.
Each bypass technique is shown as a card with:
- Name of the technique
- Complexity tag
- Description
- Used by list of infostealer families that have implemented it
- Ref link to the public research
At the bottom: a "Fix" call-out with the milestone version and release date that fixed each technique.
A table of nine classic infostealer targets:
| Target | Description |
|---|---|
| Discord Token | `%APPDATA%\discord\Local Storage\leveldb` |
| Steam autologin | `loginusers.vdf` + `ssfn*` files |
| Crypto wallets (browser ext.) | 25+ wallet extension IDs |
| Telegram Desktop session | `tdata` folder |
| SSH private keys | `~/.ssh/id_rsa`, `id_ed25519`, etc. |
| GPG keyring | `~/AppData/Roaming/gnupg` |
| FileZilla saved sites | `sitemanager.xml` |
| Windows Credential Manager | total entry count |
| VPN client configs | OpenVPN `.ovpn`, WireGuard configs |
Each row is colour-coded: amber if present, grey if not. Value column shows the severity rating for an attacker.
Built-in pure-Python replica of the most useful LaZagne categories. Each subsection has its own table:
- Wi-Fi profiles — SSID, auth, cipher, key (cleartext if `--showpassword`)
- PuTTY sessions — host, port, user, protocol (no passwords by design)
- WinSCP sessions — host, user, decrypted password (XOR algorithm)
- Git credentials — URL, user, password (`~/.git-credentials` is plaintext!)
- OpenVPN configs — config file, auth file, username/password if saved
- FileZilla saved sites — host, user, password (base64)
- Thunderbird credentials — same NSS scheme as Firefox
- Pidgin chat accounts — protocol, name, password (plaintext)
- DBVisualizer databases — alias, URL, user, password
- RDP files — host, user, whether DPAPI-encrypted password is attached
- Cisco AnyConnect profiles — host list
- Chat/messaging apps — Slack/Teams/Telegram/Signal/WhatsApp presence
If your PC is a desktop without a wireless adapter you will see "Wi-Fi
profiles (n/a)" instead of an empty table — the tool detects the
wlansvc service not running.
- Windows Credential Manager — table of `cmdkey /list` entries (target, type, user, persistence). The actual cleartext password is not extracted by default; this section just shows what's there.
- IE / Edge Legacy Vault — count of `.vcrd`/`.vpol` files in `%LOCALAPPDATA%\Microsoft\Vault\`. Decryption is documented but not implemented (LaZagne has it if you really need it).
- Wi-Fi profiles — same as in the LaZagne Light tab, duplicated here for legacy parity.
- Outlook profiles — registry entries enumerated.
Status of the optional external Python tools the audit can leverage:
- `pypykatz` — mimikatz pure-Python
- `firepwd_internal` — our built-in Firefox NSS decryptor
- `browser_cookie3` — cookie extractor
- `LaZagne` — opt-in only (PUA-flagged)
Each card shows: installed yes/no, whether it was newly installed or upgraded on this run, the GitHub URL, and use-case examples.
Ordered by priority: CRITICAL first. Each card has:
- Action — what to do, one sentence.
- Why — the rationale, citing risk level and threat model.
- How — exact steps.
Examples:
- "Update Chrome to 148" — because outdated browsers expose more techniques.
- "Disable Save Password in the browser" — because reducing the attack surface is better than relying on encryption.
- "Migrate to a password manager" — because v10 is decryptable in seconds and v20 protection cannot keep up with every infostealer release.
Chrome version ranges from < 127 to >= 148, each annotated with:
- Label for that era ("Pre-ABE", "Inner AES wrapping", ...)
- Decrypt difficulty
- Description
- Applicable bypasses as code-formatted IDs
- Fix — milestone version + release date
The row matching your Chrome version is highlighted in blue.
This is the most useful tab for understanding why the answer is what it is. Read it top-to-bottom.
The HTML report is fully localised in five languages:
| Code | Language | Auto-detected from |
|---|---|---|
| `it` | Italiano | Windows locale it-IT, it-CH, etc. |
| `en` | English | Any locale not matched by another row (default) |
| `fr` | Français | Windows locale fr-* |
| `de` | Deutsch | Windows locale de-* (also `--lang du`) |
| `es` | Español | Windows locale es-* |
The language is auto-detected from the Windows registry key
`HKCU\Control Panel\International\LocaleName` at runtime. You can
override it with `--lang`:

```
py infostealer_audit.py --lang fr
py pwd_audit.py --lang de
```

Every string in the report — tab names, column headers, stat-box
labels, warning messages, fix recommendations wording — is translated.
The `<html lang="xx">` attribute is also set correctly, which helps
screen readers and browser spell-checkers.
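The detection rule from the table and the `--lang` override, as an added example (not the project's `modules/i18n.py`). The registry key and the locale-to-code mapping are taken from this page; the names `lang_from_locale`, `resolve_lang` and `read_windows_locale`, and the choice to fall back to auto-detection when an unknown `--lang` value is given, are assumptions.

```python
import sys
from typing import Optional

# Registry location the audit reads (HKCU\Control Panel\International\LocaleName).
LOCALE_KEY = r"Control Panel\International"
LOCALE_VALUE = "LocaleName"
SUPPORTED = ("it", "fr", "de", "es")   # "en" is the fallback for everything else
ALIASES = {"du": "de"}                 # --lang du is accepted for German

def lang_from_locale(locale_name: Optional[str]) -> str:
    """it-IT / it-CH -> it, fr-* -> fr, de-* -> de, es-* -> es, anything else -> en."""
    if not locale_name:
        return "en"
    prefix = locale_name.split("-", 1)[0].lower()
    return prefix if prefix in SUPPORTED else "en"

def resolve_lang(override: Optional[str], locale_name: Optional[str]) -> str:
    """--lang wins over auto-detection; an unknown code falls back to detection (assumed)."""
    if override:
        code = ALIASES.get(override.lower(), override.lower())
        if code == "en" or code in SUPPORTED:
            return code
    return lang_from_locale(locale_name)

def read_windows_locale() -> Optional[str]:
    """Return the LocaleName value on Windows, None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOCALE_KEY) as key:
        return winreg.QueryValueEx(key, LOCALE_VALUE)[0]
```

Call `resolve_lang(args.lang, read_windows_locale())` once at start-up and pass the result to the template layer so the `<html lang>` attribute and all strings agree.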
Translations live in modules/i18n.py. See
Architecture for details, and
Adding a Browser for the extension pattern
(the same applies to adding a new language).
Five sanitized demo reports (one per language) are available in
wiki/demo-reports/:
| Report | Language |
|---|---|
| IT_infostealer_demo.html | 🇮🇹 Italiano |
| EN_infostealer_demo.html | 🇬🇧 English |
| FR_infostealer_demo.html | 🇫🇷 Français |
| DE_infostealer_demo.html | 🇩🇪 Deutsch |
| ES_infostealer_demo.html | 🇪🇸 Español |
All personal data in those files has been replaced with fictional placeholders. See Demo Reports for the full description.
- The HTML is self-contained (no external CSS or JS). You can email it, attach to a ticket, or print to PDF.
- If you used `--showpassword`, do not share the report — it contains plaintext credentials. Either redact, regenerate without the flag, or delete after use.
- The HTML uses `localStorage` only for the LaZagne tab interactivity in some versions; no remote tracking, no analytics.