Go to file
dependabot[bot] 2849dda044 Bump nuitka from 1.8.4 to 1.8.5
Bumps [nuitka](https://github.com/Nuitka/Nuitka) from 1.8.4 to 1.8.5.
- [Changelog](https://github.com/Nuitka/Nuitka/blob/develop/Changelog.rst)
- [Commits](https://github.com/Nuitka/Nuitka/commits)

---
updated-dependencies:
- dependency-name: nuitka
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-31 14:28:33 +01:00
.devcontainer upgrade devcontainer to Python 3.11 2022-10-31 22:11:55 +01:00
.github enable python 3.12 2023-10-06 12:06:02 +02:00
.vscode capture QR codes from camera and major refactoring 2023-01-03 00:28:32 +01:00
docker enable python 3.12 2023-10-06 12:06:02 +02:00
docs improve pyzbar missing warning; bump libs 2023-03-05 11:53:52 +01:00
installer release: improve macos docs after macos tests 2023-02-12 19:00:29 +01:00
src bump protobuf to 24.0, cv2 and mypy 2023-08-12 12:44:45 +02:00
tests bump versions: cv2 4.8 compatibility 2023-07-07 12:43:38 +02:00
.editorconfig capture QR codes from camera and major refactoring 2023-01-03 00:28:32 +01:00
.flake8 fix optional QRCode import 2022-09-03 23:46:05 +02:00
.gitignore upgrade docker debian from bullseye (11) to bookworm (12) 2023-08-06 19:29:59 +02:00
build.sh enable python 3.12 2023-10-06 12:06:02 +02:00
devbox.json add a devbox.json to convenientally run this 2022-09-03 11:13:45 +02:00
example_export.png refactor image import and add Alpine docker image 2023-01-03 00:26:46 +01:00
example_export.txt capture QR codes from camera and major refactoring 2023-01-03 00:28:32 +01:00
example_keepass_output.hotp.csv add keepass csv export; improve hotp 2022-12-04 16:19:30 +01:00
example_keepass_output.totp.csv add utf-8 encoding tests 2022-12-19 22:37:23 +01:00
example_output.csv add utf-8 encoding tests 2022-12-19 22:37:23 +01:00
example_output.json add utf-8 encoding tests 2022-12-19 22:37:23 +01:00
extract_otp_secrets.code-workspace fix: rename vscode workspace 2023-02-12 19:00:29 +01:00
LICENSE Add GPL3 LICENSE 2022-09-03 18:23:30 +02:00
mypy.ini improve numpy typing 2023-08-06 21:45:56 +02:00
Pipfile remove Python 3.7 workarounds, fixes #103 2023-08-06 19:29:59 +02:00
Pipfile.lock Bump nuitka from 1.8.4 to 1.8.5 2023-10-31 14:28:33 +01:00
pyproject.toml remove Python 3.7 workarounds, fixes #103 2023-08-06 19:29:59 +02:00
pytest.ini refactor image import and add Alpine docker image 2023-01-03 00:26:46 +01:00
README.md enable python 3.12 2023-10-06 12:06:02 +02:00
requirements-dev.txt add nuitka to local build.sh; bump versions 2023-04-15 10:43:26 +02:00
requirements.txt cv2: save as csv/json/keppass by key command 2023-01-29 16:50:55 +01:00
run_pytest.sh build and upload executables created by PyInstaller 2023-01-24 21:19:38 +01:00
setup.cfg build and upload executables created by PyInstaller 2023-01-24 21:19:38 +01:00
setup.py capture QR codes from camera and major refactoring 2023-01-03 00:28:32 +01:00

Extract TOTP/HOTP secrets from QR codes exported by two-factor authentication apps

CI tests CI docker coverage License GitHub release (latest SemVer)
python versions Docker image Linux Windows MacOS Download executable
Stand With Ukraine


The Python script extract_otp_secrets.py extracts one time password (OTP) secrets from QR codes exported by two-factor authentication (2FA) apps such as "Google Authenticator". The exported QR codes from authentication apps can be read in three ways:

  1. Capture the QR codes with the system camera using a GUI, 🆕
  2. Read image files containing the QR codes, and 🆕
  3. Read text files containing the QR code data generated by third-party QR readers.

The secrets can be exported to JSON or CSV, or printed as QR codes to console or saved as PNG.

This project/script was renamed from extract_otp_secret_keys to extract_otp_secrets.

Table of contents

Table of contents

Download and run binary executable (🆕 since v2.1)

  1. Download executable for your platform from latest release, see assets
  2. Linux and macOS: Set executable bit for the downloaded file, e.g in terminal with chmod +x extract_otp_secrets_X.Y.Z_OS_ARCH
  3. Start executable by clicking or from command line (macOS: startable only from command line, see below)

✔️ Everything is just packed in one executable.
✔️ No installation needed, neither Python nor any dependencies have to be installed.
✔️ Easy and convenient

There is a delay after starting the executable since the files have internally to be unpacked.

If you are a developer, you might prefer to run the Python script directly, see Installation

⚠️ Some antivirus tools may show a virus or trojan alert for the executable. This alert is a false positive. This is a known problem for executables generated by PyInstaller. If you have any doubt, please use directly the Python script.

The executables are not signed. Thus, the operating system may show a warning about download from unknown source.

MacOS

Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized. However, you arent required to notarize software that you distribute through the Mac App Store because the App Store submission process already includes equivalent security checks. developer.apple.com

Unfortunately, I cannot provide a signed and notarized installable application for macOS as .dmg or .pkg. Apple is not Open Source friendly and requires a yearly Developer ID subscription. I am not willing to pay USD 99 per year to Apple for this little open source tool.

However, the bare executable can be executed from the command line:

  1. Download executable for macOS platform from latest release, see assets
  2. Open Terminal application
  3. Change to Downloads folder in Terminal: cd $HOME/Downloads
  4. Set executable bit for the downloaded file: chmod +x extract_otp_secrets_X.Y.Z_macos_x86_64
  5. Start executable from command line: ./extract_otp_secrets_X.Y.Z_macos_x86_64

Replace X.Y.Z in above commands with the version number of your downloaded file, e.g. extract_otp_secrets_2.4.0_macos_x86_64

If Rosetta2 emulation is installed, these steps work also for M1 and M2 Apple Silicon processors and the program can be executed directly.

⚠️ It seems the GUI mode is not working in Terminal on macOS. In tests no GUI window was opened. (Remarks and hints about macOS are welcome since I do not know macOS.)

Usage

Capture QR codes from camera (🆕 since version 2.0)

  1. Open "Google Authenticator" app on the mobile phone
  2. Export the QR codes from "Google Authenticator" app (see how to export)
  3. Point the exported QR codes to the camera of your computer
  4. Run the program without infile parameters:
extract_otp_secrets

CV2 Capture from camera screenshot

Detected QR codes are surrounded with a frame. The color of the frame indicates the extracting result:

  • Green: The QR code is detected, decoded and the OTP secret was successfully extracted.
  • Red: The QR code is detected and decoded, but could not be successfully extracted. This is the case if a QR code not containing OTP data is captured.
  • Magenta: The QR code is detected, but could not be decoded. The QR code should be presented better to the camera or another QR reader could be used.

Key commands:

  • Space: change QR code reader
  • C: save as csv file (🆕 since v2.2)
  • J: save as json file (🆕 since v2.2)
  • K: save as KeePass csv file (🆕 since v2.2)
  • ESC, ENTER, Q: quit the program

The secrets are printed by default to the console. Set program parameters for other types of output, e.g. --csv exported_secrets.csv.

With builtin QR decoder from image files (🆕 since version 2.0)

  1. Open "Google Authenticator" app on the mobile phone
  2. Export the QR codes from "Google Authenticator" app (see how to export)
  3. Save the QR code as image file, e.g. example_export.png
  4. Transfer the images files to the computer where his script is installed.
  5. Call this script with the file as input:
extract_otp_secrets example_export.png
  1. Remove unencrypted files with secrets from your computer and mobile.

With external QR decoder app from text files

  1. Open "Google Authenticator" app on the mobile phone
  2. Export the QR codes from "Google Authenticator" app (see how to export)
  3. Read QR codes with a third-party QR code reader (e.g. from another phone)
  4. Save the captured QR codes from the QR code reader to a text file, e.g. example_export.txt. Save each QR code on a new line. (The captured QR codes look like otpauth-migration://offline?data=…)
  5. Transfer the file to the computer where his script is installed.
  6. Call this script with the file as input:
extract_otp_secrets example_export.txt
  1. Remove unencrypted files with secrets from your computer and mobile.
git clone https://github.com/scito/extract_otp_secrets.git
cd extract_otp_secrets
pip install -U -r requirements.txt

python src/extract_otp_secrets.py example_export.txt

In case this script is not starting properly, the debug mode can be activated by adding parameter -d in the command line.

For reading QR codes with ZBAR QR reader, the zbar library must be installed. If you do not use the ZBAR QR reader, you do not need to install the zbar shared library. Note: The ZBAR QR reader is the showed for me the best results and is thus default QR Reader.

For a detailed installation documentation of pyzbar.

Linux (Debian, Ubuntu, …)

sudo apt-get install libzbar0

Linux (OpenSUSE)

sudo zypper install libzbar0

Linux (Fedora)

sudo dnf install zbar

Linux (Arch Linux)

pacman -S zbar

Mac OS X

brew install zbar

Windows

zbar

The zbar DLLs are included with the Windows Python wheels. However, you might need additionally to install Visual C++ Redistributable Packages for Visual Studio 2013. Install vcredist_x64.exe if using 64-bit Python, vcredist_x86.exe if using 32-bit Python. For more information see pyzbar

OpenCV (CV2)

OpenCV requires Visual C++ redistributable 2015. For more information see opencv-python

Program help: arguments and options

usage: extract_otp_secrets.py [-h] [--csv FILE] [--keepass FILE] [--json FILE] [--txt FILE] [--printqr] [--saveqr DIR] [--camera NUMBER] [--qr {ZBAR,QREADER,QREADER_DEEP,CV2,CV2_WECHAT}] [-i] [--no-color] [--version] [-d | -v | -q] [infile ...]

Extracts one time password (OTP) secrets from QR codes exported by two-factor authentication (2FA) apps
If no infiles are provided, a GUI window starts and QR codes are captured from the camera.

positional arguments:
  infile                        a) file or - for stdin with 'otpauth-migration://...' URLs separated by newlines, lines starting with # are ignored;
                                b) image file containing a QR code or = for stdin for an image containing a QR code

options:
  -h, --help                    show this help message and exit
  --csv FILE, -c FILE           export csv file or - for stdout
  --keepass FILE, -k FILE       export totp/hotp csv file(s) for KeePass, - for stdout
  --json FILE, -j FILE          export json file or - for stdout
  --txt FILE, -t FILE           export txt file or - for stdout
  --printqr, -p                 print QR code(s) as text to the terminal
  --saveqr DIR, -s DIR          save QR code(s) as images to directory
  --camera NUMBER, -C NUMBER    camera number of system (default camera: 0)
  --qr {ZBAR,QREADER,QREADER_DEEP,CV2,CV2_WECHAT}, -Q {ZBAR,QREADER,QREADER_DEEP,CV2,CV2_WECHAT}
                                QR reader (default: ZBAR)
  -i, --ignore                  ignore duplicate otps
  --no-color, -n                do not use ANSI colors in console output
  --version, -V                 print version and quit
  -d, --debug                   enter debug mode, do checks and quit
  -v, --verbose                 verbose output
  -q, --quiet                   no stdout output, except output set by -

examples:
python extract_otp_secrets.py
python extract_otp_secrets.py example_*.txt
python extract_otp_secrets.py - < example_export.txt
python extract_otp_secrets.py --csv - example_*.png | tail -n+2
python extract_otp_secrets.py = < example_export.png

Examples

Printing otp secrets form text file

python src/extract_otp_secrets.py example_export.txt

Printing otp secrets from image file

python src/extract_otp_secrets.py example_export.png

Writing otp secrets to csv file

python src/extract_otp_secrets.py -q --csv extracted_secrets.csv example_export.txt

Writing otp secrets to json file

python src/extract_otp_secrets.py -q --json extracted_secrets.json example_export.txt

Printing otp secrets multiple files

python src/extract_otp_secrets.py example_*.txt
python src/extract_otp_secrets.py example_*.png
python src/extract_otp_secrets.py example_export.*
python src/extract_otp_secrets.py example_*.txt example_*.png

Printing otp secrets from stdin (text)

python src/extract_otp_secrets.py - < example_export.txt

Printing otp secrets from stdin (image)

python src/extract_otp_secrets.py = < example_export.png

Printing otp secrets csv to stdout

python src/extract_otp_secrets.py --csv - example_export.txt

Printing otp secrets csv to stdout without header line

python src/extract_otp_secrets.py --csv - example_*.png | tail -n+2

Reading from stdin and printing to stdout

cat example_*.txt | python src/extract_otp_secrets.py --csv - - | tail -n+2

Features

  • Free and open source
  • Supports Google Authenticator exports (and compatible apps like Aegis Authenticator)
  • Captures the the QR codes directly from the camera using different QR code libraries (based on OpenCV) (🆕 since v2.0)
  • Program usable as pure GUI application without any command line switches (🆕 since v2.2)
    • Save otp secrets as csv file (🆕 since v2.2)
    • Save otp secrets as json file (🆕 since v2.2)
    • Save otp secrets as KeePass csv file(s) (🆕 since v2.2)
  • Supports TOTP and HOTP standards
  • Generates QR codes
  • Exports to various formats:
    • CSV
    • JSON
    • Dedicated CSV for KeePass
    • QR code images
  • Supports reading from stdin and writing to stdout, thus pipes can be used
  • Handles multiple input files (🆕 since v2.0)
  • Reads QR codes images: (See OpenCV docu) (🆕 since v2.0)
    • Portable Network Graphics - *.png
    • WebP - *.webp
    • JPEG files - *.jpeg, *.jpg, *.jpe
    • TIFF files - *.tiff, *.tif
    • Windows bitmaps - *.bmp, *.dib
    • JPEG 2000 files - *.jp2
    • Portable image format - *.pbm, *.pgm, *.ppm *.pxm, *.pnm
  • Prints errors and warnings to stderr (🆕 since v2.0)
  • Prints colored output (🆕 since v2.0)
  • Startable as executable (script, Python, and all dependencies packed in one executable) (🆕 since v2.1)
    • extract_otp_secrets_linux_x86_64 (requires glibc >= 2.31)
    • extract_otp_secrets_linux_arm64 (requires glibc >= 2.31)
    • extract_otp_secrets_win_x86_64.exe
    • extract_otp_secrets_macos_x86_64 (optional libzbar needs to be installed manually if needed)
      • extract_otp_secrets_macos_x86_64.dmg N/A, see why
      • extract_otp_secrets_macos_x86_64.pkg N/A, see why
  • Prebuilt Docker images provided for amd64 and arm64 (🆕 since v2.0)
  • Many ways to run the script:
    • Native Python
    • pipenv
    • pip
    • venv
    • Docker
    • VSCode devcontainer
    • devbox
  • Compatible with major platforms:
    • Linux
    • macOS
    • Windows
  • Uses UTF-8 on all platforms
  • Supports Python >= 3.8
  • Installation of shared system libraries is optional (🆕 since v2.3)
  • Provides a debug mode (-d) for analyzing import problems
  • Written in modern Python using type hints and following best practices
  • All these features are backed by tests ran nightly
  • All functionality in one Python script: src/extract_otp_secrets.py (except protobuf generated code in protobuf_generated_python)

KeePass

KeePass 2.51 (released in May 2022) and newer support the generation of OTPs (TOTP and HOTP).

KeePass can generate the second factor password (2FA) if the OTP secret is stored in TimeOtp-Secret-Base32 string field for TOTP or HmacOtp-Secret-Base32 string field for HOTP. You view or edit them in entry dialog on the 'Advanced' tab page.

KeePass provides menu commands in the main window for generating one-time passwords ('Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP', 'Show Time-Based OTP'). Furthermore, one-time passwords can be generated during auto-type using the {HMACOTP} and {TIMEOTP} placeholders.

In order to simplify the usage of the second factor password generation in KeePass a specific KeePass CSV export is available with option -keepass or -k. This KeePass CSV file can be imported by the "Generic CSV Importer" of KeePass.

If TOTP and HOTP entries have to be exported, then two files with an intermediate suffix .totp or .hotp will be added to the KeePass export filename.

Example:

  • Only TOTP entries to export and parameter --keepass example_keepass_output.csv
    → example_keepass_output.csv with TOTP entries will be exported
  • Only HOTP entries to export and parameter --keepass example_keepass_output.csv
    → example_keepass_output.csv with HOTP entries will be exported
  • If both TOTP and HOTP entries to export and parameter --keepass example_keepass_output.csv
    → example_keepass_output.totp.csv with TOTP entries will be exported
    → example_keepass_output.hotp.csv with HOTP entries will be exported

Import CSV with TOTP entries in KeePass as

  • Title
  • User Name
  • String (TimeOtp-Secret-Base32)
  • Group (/)

Import CSV with HOTP entries in KeePass as

  • Title
  • User Name
  • String (HmacOtp-Secret-Base32)
  • String (HmacOtp-Counter)
  • Group (/)

KeePass can be used as a backup for one time passwords (second factor) from the mobile phone.

How to export otp secrets from Google Authenticator app

  1. Open "Google Authenticator" app
  2. Select "Transfer accounts" in the three dot menu of the app.
    Transfer accounts option in the Google Authenticator.
  3. Select "Export accounts"
    Export account option in the Google Authenticator.
  4. Pass the verification by password or fingerprint.
  5. Select your accounts
  6. Press "Next" button
  7. The exported QR code(s) ready for extraction are shown.
    Exported Google Authenticator QR codes

Glossary

  • OTP = One-time password
  • TOTP = Time-based one-time password
  • HOTP = HMAC-based one-time password (using a counter)
  • 2FA = Second factor authentication
  • TFA = Two factor authentication
  • QR code = Quick response code

Alternative installation methods

pip using github

pip install -U git+https://github.com/scito/extract_otp_secrets
extract_otp_secrets

or run it

python -m extract_otp_secrets

or from a specific tag

pip install -U git+https://github.com/scito/extract_otp_secrets.git@v2.0.0
extract_otp_secrets
curl -s https://raw.githubusercontent.com/scito/extract_otp_secrets/master/example_export.txt | python -m extract_otp_secrets -

local pip

git clone https://github.com/scito/extract_otp_secrets.git
pip install -U -e extract_otp_secrets
extract_otp_secrets extract_otp_secrets/example_export.txt

or run it

python -m extract_otp_secrets extract_otp_secrets/example_export.txt

pipenv

You can you use Pipenv for running extract_otp_secrets.

pipenv --rm
pipenv install
pipenv shell
python src/extract_otp_secrets.py example_export.txt

Visual Studio Code Remote - Containers / VSCode devcontainer

You can you use VSCode devcontainer for running extract_otp_secrets.

Requirement: Docker

  1. Start VSCode
  2. Open extract_otp_secrets.code-workspace
  3. Open VSCode command palette (Ctrl-Shift-P)
  4. Type command "Remote-Containers: Reopen in Container"
  5. Open integrated bash terminal in VSCode
  6. Execute: python src/extract_otp_secrets.py example_export.txt

venv

Alternatively, you can use a python virtual env for the dependencies:

python -m venv venv
. venv/bin/activate
pip install -U -r requirements-dev.txt
pip install -U -r requirements.txt

The requirements*.txt files contain all the dependencies (also the optional ones). To leave the python virtual env just call deactivate.

devbox

Install devbox, which is a wrapper for nix. Then enter the environment with Python and the packages installed with:

devbox shell

docker

Install Docker.

Prebuilt docker images are available for amd64 and arm64 architectures on Docker Hub and on GitHub Packages.

Extracting from an QR image file:

curl -s https://raw.githubusercontent.com/scito/extract_otp_secrets/master/example_export.png | docker run --pull always -i --rm -v "$(pwd)":/files:ro scit0/extract_otp_secrets =

Capturing from camera in GUI window (X Window system required on host):

docker run --pull always --rm -v "$(pwd)":/files:ro -i --device="/dev/video0:/dev/video0" --env="DISPLAY" -v /tmp/.X11-unix:/tmp/.X11-unix:ro scit0/extract_otp_secrets

If only text processing is required, there is a small Image based on Alpine Linux:

curl -s https://raw.githubusercontent.com/scito/extract_otp_secrets/master/example_export.txt | docker run --pull always -i --rm -v "$(pwd)":/files:ro scit0/extract_otp_secrets:latest-only-txt -

Docker image from GitHub:

docker login ghcr.io -u USERNAME
curl -s https://raw.githubusercontent.com/scito/extract_otp_secrets/master/example_export.png | docker run --pull always -i --rm -v "$(pwd)":/files:ro ghcr.io/scito/extract_otp_secrets =

More docker examples

docker run --pull always --rm -v "$(pwd)":/files:ro scit0/extract_otp_secrets example_export.png

docker run --pull always --rm -i -v "$(pwd)":/files:ro scit0/extract_otp_secrets_only_txt - < example_export.txt

cat example_export.txt | docker run --pull always --rm -i -v "$(pwd)":/files:ro scit0/extract_otp_secrets:latest_only_txt - -c - > example_out.csv

Tests

PyTest

The script is covered by pytests, see extract_otp_secrets_test.py.

Run tests:

pytest

or

python -m pytest

Hints

Your tests can run against an installed version after executing pip install .

Your tests can run against the local copy with an editable install after executing pip install --editable .

If you dont use an editable install and are relying on the fact that Python by default puts the current directory in sys.path to import your package, you can execute python -m pytest to execute the tests against the local copy directly, without using pip.

https://docs.pytest.org/en/7.1.x/explanation/pythonpath.html#pytest-vs-python-m-pytest

unittest

There are some unittests, see extract_otp_secrets_txt_unit_test.py.

Run tests:

python -m unittest

Note the pytests are preferred and complete. For each unittest there is also a test in pytest.

VSCode Setup

Setup for running the tests in VSCode.

  1. Open VSCode command palette (Ctrl-Shift-P)
  2. Type command "Python: Configure Tests"
  3. Choose unittest or pytest. (pytest is recommended, both are supported)
  4. Set ". Root" directory

Development

Build

cd extract_otp_secrets/
pip install -U -e .
python src/extract_otp_secrets.py

pip wheel .

Note: python -m build --wheel = pip wheel --no-deps .

Upgrade pip Packages

pip install -U -r requirements.txt

Build docker images

Debian (full functionality)

Build and run the app within the container:

docker build . -t extract_otp_secrets --pull -f docker/Dockerfile --build-arg RUN_TESTS=false

Run tests in docker container:

docker run --entrypoint /extract/run_pytest.sh --rm -v "$(pwd)":/files:ro extract_otp_secrets

Alpine (only text file processing)

docker build . -t extract_otp_secrets:only_txt --pull -f docker/Dockerfile_only_txt --build-arg RUN_TESTS=false

Run tests in docker container:

docker run --entrypoint /extract/run_pytest.sh --rm -v "$(pwd)":/files:ro extract_otp_secrets_only_txt extract_otp_secrets_test.py -k "not qreader" --relaxed

Create executables with pyinstaller

Linux

pyinstaller -y --add-data $pythonLocation/__yolo_v3_qr_detector/:__yolo_v3_qr_detector/ --onefile src/extract_otp_secrets.py

Output is executable dist/extract_otp_secrets

Windows

pyinstaller -y --add-data "%pythonLocation%\__yolo_v3_qr_detector;__yolo_v3_qr_detector" --add-binary "%pythonLocation%\pyzbar\libiconv.dll;pyzbar" --add-binary "%pythonLocation%\pyzbar\libzbar-64.dll;pyzbar" --add-binary "%windir%\system32\msvcr120.dll;pyzbar" --add-binary "%windir%\system32\msvcp120.dll;pyzbar" --add-binary "%windir%\system32\vcamp120.dll;pyzbar" --add-binary "%windir%\system32\vcomp120.dll;pyzbar" --add-binary "%windir%\system32\vccorlib120.dll;pyzbar" --add-binary "%windir%\system32\mfc120.dll;pyzbar" --add-binary "%windir%\system32\mfc120u.dll;pyzbar" --add-binary "%windir%\system32\mfc120chs.dll;pyzbar" --add-binary "%windir%\system32\mfc120cht.dll;pyzbar" --add-binary "%windir%\system32\mfc120deu.dll;pyzbar" --add-binary "%windir%\system32\mfc120enu.dll;pyzbar" --add-binary "%windir%\system32\mfc120esn.dll;pyzbar" --add-binary "%windir%\system32\mfc120fra.dll;pyzbar" --add-binary "%windir%\system32\mfc120ita.dll;pyzbar" --add-binary "%windir%\system32\mfc120jpn.dll;pyzbar" --add-binary "%windir%\system32\mfc120kor.dll;pyzbar" --add-binary "%windir%\system32\mfc120rus.dll;pyzbar" --onefile --version-file build\file_version_info.txt src\extract_otp_secrets.py

Output is dist\extract_otp_secrets.exe

Full local build (bash)

There is a Bash script for a full local build including linting and type checking.

./build.sh

The options of the build script:

Build extract_otp_secrets project

./build.sh [options]

Options:
-i                      Interactive mode, all steps must be confirmed
-C                      Ignore version check of protobuf/protoc
-e                      Build exe
-n                      Build nuitka exe
-L                      Do not build local (exes)
-d                      Build docker
-a                      Build arm
-X                      Do not build x86_64
-B                      Do not build base
-V                      Do not run pipenv
-g                      Start extract_otp_secrets.py in GUI mode
-c                      Clean everything
-r                      Generate result files
-h, --help              Show help and quit

Technical background

The export QR code of "Google Authenticator" contains the URL otpauth-migration://offline?data=…. The data parameter is a base64 encoded proto3 message (Google Protocol Buffers).

Command for regeneration of Python code from proto3 message definition file (only necessary in case of changes of the proto3 message definition or new protobuf versions):

protoc --plugin=protoc-gen-mypy=path/to/protoc-gen-mypy --python_out=src/protobuf_generated_python --mypy_out=src/protobuf_generated_python src/google_auth.proto

The generated protobuf Python code was generated by protoc 24.4 (https://github.com/protocolbuffers/protobuf/releases/tag/v24.4).

For Python type hint generation the mypy-protobuf package is used.

References

Issues

Problems and Troubleshooting

Windows error message

If you see an ugly ImportError on Windows you will most likely need the Visual C++ Redistributable Packages for Visual Studio 2013. Install vcredist_x64.exe if using 64-bit Python, vcredist_x86.exe if using 32-bit Python.

This library shared library is required by pyzbar.

Traceback (most recent call last):
  File "C:\Users\Admin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\site-packages\pyzbar\zbar_library.py", line 58, in load
    dependencies, libzbar = load_objects(Path(''))
                            ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Admin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\site-packages\pyzbar\zbar_library.py", line 50, in load_objects
    deps = [
           ^
  File "C:\Users\Admin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\site-packages\pyzbar\zbar_library.py", line 51, in <listcomp>
    cdll.LoadLibrary(str(directory.joinpath(dep)))
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.11_3.11.496.0_x64__qbz5n2kfra8p0\Lib\ctypes\__init__.py", line 454, in LoadLibrary
    return self._dlltype(name)
           ^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.11_3.11.496.0_x64__qbz5n2kfra8p0\Lib\ctypes\__init__.py", line 376, in __init__
    self._handle = _dlopen(self._name, mode)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: Could not find module 'libiconv.dll' (or one of its dependencies). Try using the full path with constructor syntax.
  • ZBar is an open source software suite for reading bar codes from various sources, including webcams.
  • Aegis Authenticator is a free, secure and open source 2FA app for Android. This app can scan Google export QR codes and export the secrets, e.g. as JSON. However, a second device is required.
  • pyzbar is a good QR code reader Python module
  • OpenCV (CV2) Open Source Computer Vision library with opencv-python
  • Python QReader Python QR code readers
  • Android OTP Extractor can extract your tokens from popular Android OTP apps and export them in a standard format or just display them as QR codes for easy importing. [Requires a rooted Android phone.]
  • Google Authenticator secret extractor is similar project written in JavaScript. It also extracts otp secrets from Google Authenticator.

#StandWithUkraine 🇺🇦

#RussiaInvadedUkraine on 24 of February 2022, at 05:00 the armed forces of the Russian Federation attacked Ukraine. Please, stand with Ukraine, stay tuned for updates on Ukraine's official sources and channels in English and support Ukraine in its fight for freedom and democracy in Europe.