# Extract TOTP/HOTP secret keys from Google Authenticator [![CI Status](https://github.com/scito/extract_otp_secret_keys/actions/workflows/ci.yml/badge.svg)](https://github.com/scito/extract_otp_secret_keys/actions/workflows/ci.yml) ![coverage](https://img.shields.io/badge/coverage-95%25-brightgreen) [![docker](https://github.com/scito/extract_otp_secret_keys/actions/workflows/ci_docker.yml/badge.svg)](https://github.com/scito/extract_otp_secret_keys/actions/workflows/ci_docker.yml) ![PyPI - Python Version](https://img.shields.io/pypi/pyversions/protobuf) [![GitHub Pipenv locked Python version](https://img.shields.io/github/pipenv/locked/python-version/scito/extract_otp_secret_keys)](https://github.com/scito/extract_otp_secret_keys/blob/master/Pipfile.lock) ![protobuf version](https://img.shields.io/badge/protobuf-4.21.12-informational) [![License](https://img.shields.io/github/license/scito/extract_otp_secret_keys)](https://github.com/scito/extract_otp_secret_keys/blob/master/LICENSE) [![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/scito/extract_otp_secret_keys?sort=semver&label=version)](https://github.com/scito/extract_otp_secret_keys/tags) [![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua) --- TODO add src/ TODO rename extract_otp_secret_keys Extract two-factor authentication (2FA, TFA, OTP) secret keys from export QR codes of "Google Authenticator" app. The secret and otp values can be printed and exported to json or csv. The QR codes can be printed or saved as PNG images. ## Installation git clone https://github.com/scito/extract_otp_secret_keys.git cd extract_otp_secret_keys ## Usage ### Capture QR codes from camera 1. Open "Google Authenticator" app on the mobile phone 2. Export the QR codes from "Google Authenticator" app 3. Point the QR codes to the camera of your computer 4. Call this script with the file as input: python extract_otp_secrets.py ### With builtin QR decoder from image files 1. Open "Google Authenticator" app on the mobile phone 2. Export the QR codes from "Google Authenticator" app 4. Save the captured QR codes as image files, e.g. example_export.png 5. Transfer the images files to the computer where his script is installed. 6. Call this script with the file as input: python extract_otp_secrets.py example_export.png ### With external QR decoder app from text files 1. Open "Google Authenticator" app on the mobile phone 2. Export the QR codes from "Google Authenticator" app 3. Read QR codes with a QR code reader (e.g. from another phone) 4. Save the captured QR codes in the QR code reader to a text file, e.g. example_export.txt. Save each QR code on a new line. (The captured QR codes look like `otpauth-migration://offline?data=...`) 5. Transfer the file to the computer where his script is installed. 6. Call this script with the file as input: python extract_otp_secrets.py example_export.txt ## Program help: arguments and options
usage: extract_otp_secrets.py [-h] [--camera NUMBER] [--qr {QREADER,DEEP_QREADER,ZBAR,CV2,WECHAT}] [--json FILE] [--csv FILE] [--keepass FILE] [--printqr] [--saveqr DIR] [--verbose | --quiet] [infile ...] Extracts one time password (OTP) secret keys from QR codes, e.g. from Google Authenticator app. If no infiles are provided, the QR codes are interactively captured from the camera. positional arguments: infile a) file or - for stdin with 'otpauth-migration://...' URLs separated by newlines, lines starting with # are ignored; b) image file containing a QR code or = for stdin for an image containing a QR code options: -h, --help show this help message and exit --camera NUMBER, -C NUMBER camera number of system (default camera: 0) --qr {QREADER,DEEP_QREADER,ZBAR,CV2,WECHAT}, -Q {QREADER,DEEP_QREADER,ZBAR,CV2,WECHAT} QR reader (default: ZBAR) --json FILE, -j FILE export json file or - for stdout --csv FILE, -c FILE export csv file or - for stdout --keepass FILE, -k FILE export totp/hotp csv file(s) for KeePass, - for stdout --printqr, -p print QR code(s) as text to the terminal (requires qrcode module) --saveqr DIR, -s DIR save QR code(s) as images to the given folder (requires qrcode module) --verbose, -v verbose output --quiet, -q no stdout output, except output set by - examples: python extract_otp_secrets.py python extract_otp_secrets.py example_*.txt python extract_otp_secrets.py - < example_export.txt python extract_otp_secrets.py --csv - example_*.png | tail -n+2 python extract_otp_secrets.py = < example_export.png## Dependencies pip install -r requirements.txt Known to work with * Python 3.10.8, protobuf 4.21.9, qrcode 7.3.1, and pillow 9.2 * Python 3.11.1, protobuf 4.21.12, qrcode 7.3.1, and pillow 9.2 For protobuf versions 3.14.0 or similar or Python 3.6, use the extract_otp_secrets version 1.4.0. ### Shared libs installation for reading QR code images For reading QR code images the zbar library must be installed. If you do not extract directly from images, you do not need to install the zbar shared library. For a detailed installation documentation of [pyzbar](https://github.com/NaturalHistoryMuseum/pyzbar#installation). #### Windows The zbar DLLs are included with the Windows Python wheels. On other operating systems, you will need to install the zbar shared library. #### Linux (Debian, Ubuntu, ...) sudo apt-get install libzbar0 #### Linux (OpenSUSE) sudo zypper install libzbar0 #### Linux (Fedora) sudo dnf install libzbar0 #### Mac OS X brew install zbar ## Examples ### Printing otp secrets form text file python extract_otp_secrets.py example_export.txt ### Printing otp secrets from image file python extract_otp_secrets.py example_export.png ### Printing otp secrets multiple files python extract_otp_secrets.py example_*.txt python extract_otp_secrets.py example_*.png python extract_otp_secrets.py example_export.* python extract_otp_secrets.py example_*.txt example_*.png ### Printing otp secrets from stdin (text) python extract_otp_secrets.py - < example_export.txt ### Printing otp secrets from stdin (image) python extract_otp_secrets.py = < example_export.png ### Printing otp secrets csv to stdout python extract_otp_secrets.py --csv - example_export.txt ### Printing otp secrets csv to stdout without header line python extract_otp_secrets.py --csv - example_*.png | tail -n+2 ### Reading from stdin and printing to stdout cat example_*.txt | python extract_otp_secrets.py --csv - - | tail -n+2 ## Features * Free and open source * Supports Google Authenticator exports (and compatible apps like Aegis Authenticator) * Captures the the QR codes directly from the camera using QR code detection (based on OpenCV) * Supports TOTP and HOTP * Generates QR codes * Exports to various formats: * CSV * JSON * Dedicated CSV for KeePass * QR code images * Supports reading from stdin and writing to stdout * Reads QR codes images: (See [OpenCV docu](https://docs.opencv.org/3.4/d4/da8/group__imgcodecs.html#ga288b8b3da0892bd651fce07b3bbd3a56)) * Portable Network Graphics - *.png * WebP - *.webp * JPEG files - *.jpeg, *.jpg, *.jpe * TIFF files - *.tiff, *.tif * Windows bitmaps - *.bmp, *.dib * JPEG 2000 files - *.jp2 * Portable image format - *.pbm, *.pgm, *.ppm *.pxm, *.pnm * Sun rasters - *.sr, *.ras * OpenEXR Image files - *.exr * Radiance HDR - *.hdr, *.pic * Raster and Vector geospatial data supported by GDAL * Errors and warnings are written to stderr * Many ways to run the script: * Native Python * pipenv * pip * venv * Docker * VSCode devcontainer * devbox * Compatible with major platforms: * Linux * macOS * Windows * Uses UTF-8 on all platforms * Supports Python >= 3.7 * All these features are backed by tests ran nightly * All functionality in one Python script: extract_otp_secrets.py (except protobuf generated code in protobuf_generated_python) ## KeePass [KeePass 2.51](https://keepass.info/news/n220506_2.51.html) (released in May 2022) and newer [support the generation of OTPs (TOTP and HOTP)](https://keepass.info/help/base/placeholders.html#otp). KeePass can generate the second factor password (2FA) if the OTP secret is stored in `TimeOtp-Secret-Base32` string field for TOTP or `HmacOtp-Secret-Base32` string field for HOTP. You view or edit them in entry dialog on the 'Advanced' tab page. KeePass provides menu commands in the main window for generating one-time passwords ('Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP', 'Show Time-Based OTP'). Furthermore, one-time passwords can be generated during auto-type using the {HMACOTP} and {TIMEOTP} placeholders. In order to simplify the usage of the second factor password generation in KeePass a specific KeePass CSV export is available with option `-keepass` or `-k`. This KeePass CSV file can be imported by the ["Generic CSV Importer" of KeePass](https://keepass.info/help/kb/imp_csv.html). If TOTP and HOTP entries have to be exported, then two files with an intermediate suffix .totp or .hotp will be added to the KeePass export filename. Example: - Only TOTP entries to export and parameter --keepass example_keepass_output.csv