Recovering Internet Explorer Passwords: Theory and PracticePosted by Nick Niesen on October 26th, 2010 Recovering Internet Explorer Passwords: Theory and Practice 1. Introduction
1. Introduction Many of today's websites require registration, which means, user would have to enter user name and password. If you use more than a dozen of such websites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is not an odd. Indeed, why would one have to remember yet another password if it is going to be forgotten some time soon anyway? Much easier would be to have browser do the routine work of remembering and storing passwords for you. It's convenient and comfortable. This would be a totally perfect solution; however, if your Windows operating system crashed or reinstalled not the way it's supposed to be reinstalled, you can easily lose the entire list of your precious passwords. That's the toll for the comfort and convenience. It's good just about every website has a saving 'I forgot password' button. However, this button will not always take your headache from you. Each software developer solves the forgotten password recovery problem their own way. Some of them officially recommend copying a couple of important files to another folder, while other send all registered users a special utility that allows managing the migration of private data, and the third ones pretend they are not seeing the problem. Nevertheless, the demand creates the offer, and password recovery programs are currently on a great demand. In this article, let's try to classify types of private data stored in Internet Explorer, look at programs for the recovery of the data, and study real-life examples of recovering lost Internet passwords.
2. Types of passwords stored in Internet Explorer
2.1. Internet Credentials for websites If the option 'Remember my password' is selected in that prompt, the user credentials will be saved to your local computer. The older versions of Windows 9a stored that data in user's PWL file; Windows 2000 and newer store it in the Protected Storage.
The HTML page title and website address are not stored. Is that good or bad? It's difficult to determine; more likely to be good than bad. Here are the obvious pros: it saves free space and speeds up browser's performance. If you think the last note is insignificant, try to imagine how you would have to perform several extra checkups in a multi-thousand (this is not as rare as it may seem to be) auto-fill list. Another obvious plus is that data for identical by name (and often by subject) HTML form fields will be stored in the same place, and the common data will be used for the automatic filling of such pages. We will see this by this example. If one HTML page contains an auto-fill field with the name 'email', and user entered his e-mail address in that field, IE will put in the storage, roughly, 'email=my@email.com'. From now on, if the user opens another website, which has a page with the same field name 'email', the user will be suggested to auto-fill it with the value that he entered on the first page (my@email.com). Thus, the browser somewhat discovers AI capabilities within itself. The major drawback of this data storage method comes out of its advantage that we just described. Imagine, user has entered auto-fill data on a webpage. If someone knows the HTML form field name, that person can create his own simplest HTML page with the same field name and open it from a local disk. To uncover the data entered in this field, such person will not even have to connect to the Internet and open the original WWW address.
2.3. AutoComplete Passwords In the new version, Internet Explorer 7, both AutoComplete passwords and data are encrypted completely different; the new encryption method is free from the shortcoming just described (if that can be classified as a shortcoming.) It is worth noticing that Internet Explorer allows users to manage auto-fill parameters manually, through the options menu (fig.2 http://www.passcape.com/images/ie02.png).
Starting with Microsoft Windows 2000, the operating system began to provide a Data Protection Application-Programming Interface (DPAPI) API. This is simply a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is a very easy-to-use service that will benefit developers that must provide protection for sensitive application data, such as passwords and private keys.
2.5. Synchronization Passwords for cached websites
2.6. Identities passwords 2.7. AutoForms Data ===8<===========Begin of original text=========== saPasswords->RemoveAll(); //Check if autoform passwords are present in registry return FALSE;
DWORD dwRet, dwValue, dwSize=sizeof(dwValue); //problems computing the hash //Check the registry if ( dwRet==ERROR_SUCCESS ) m_dwLastError=E_NOTFOUND;
BYTE buf[0x10]; if ( HashData(cszUrl,buf,sizeof(buf)) ) return pRet;
if ( !cszData || !pBuf ) DoHash((LPBYTE)cszData,strlen(cszData),pBuf,dwBufSize);
//pre-init loop //actual hashing stuff The next, seventh generation of the browser, is most likely going to make this user's data storage mechanism its primary data storage method, declining the good old Protected Storage. Better to say, auto-fill data and passwords, from now on, are going to be stored here. What is so special and interesting in this mechanism that made MS decide to use it as primary? Well, first of all, it was the encryption idea, which isn't new at all but still simple and genius, to disgrace. The idea is to quit storing encryption keys and generate them whenever that would be necessary. The raw material for such keys would be HTML page's Web address. Let's see how this idea works in action. Here is IE7's simplified algorithm for saving auto-fill data and password fields: 1 Save Web page's address. We will use this address as the encryption key (EncryptionKey). It is very, very difficult to recover password without having the original Web page address. The decryption looks pretty much trivial: 1 When the original Web page is open, we take its address (EncryptionKey) and obtain the record key RecordKey = SHA(EncryptionKey).
2.8. Content Advisor password The actual Content Advisor password is not stored as plaintext. Instead, the system calculates its MD5 hash and stores it in Windows registry. On an attempt to access the restricted area, the password entered by user is also hashed, and the obtained hash is compared with the one stored in the registry. Take a look at PIEPR source code checking Content Advisor password: ===8<===========Begin of original text=========== //read the registry BYTE pKey[MD5_DIGESTSIZE], pCheck[MD5_DIGESTSIZE]; //Get one set by user //Check hashes The first thing you may think about is to try to pick the password by using the brute force or dictionary attack. However, there is a more elegant way to that. You can simply remove the hash from the registry. That's it; so simple... Well, it's better to rename it instead, so that if you ever need it, you can restore it back. Some programs also let users check Content Advisor password, "drag out" password hint, toggle password on/off, etc.
3. Brief Overview of Internet Explorer Password Recovery Programs Advanced Internet Explorer Password Recovery from the not unknown company, ElcomSoft - does not recognize AutoForm passwords and encrypted FTP passwords. Not to be excluded, the last version of the program may have learnt to do that. Simple, convenient user interface. The program can be upgraded online automatically. Internet Explorer Key from PassWare - similarly, does not recognize certain types of passwords. Sometimes the program halts with a critical error when reading some uncommon types of IE's URLs. Displays first two characters of passwords being recovered. The advantages worth noticing are the Spartan user interface and operating convenience. Internet Explorer Password from Thegrideon Software - not bad, but can recover just three types of Internet Explorer passwords (this is enough for the majority of cases.) Deals with FTP passwords properly. Version 1.1 has problems recovering AutoForm passwords. Has convenient user interface, which in some way reminds one from AIEPR. One can be totally overwhelmed with the beauty and helpfulness of the company's website. Internet Password Recovery Toolbox from Rixler Software - offers some greater functionality than the previously covered competitors. It can recover encrypted FTP passwords and delete selected resources. However, it has some programming errors. For example, some types of IE records cannot be deleted. The program comes with a great, detailed help file. ABF Password Recovery from ABF software - quite a good program with friendly user interface. The list of IE record types supported by the program is not long. Nevertheless, it deals with all of them properly. The program can be classified as a multi-functional one, since it can restore passwords for other programs also. The major drawback of all programs named here is the capability to recover passwords only for user currently logged on. Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. Units of data stored are called Items. The structure and content of the stored data is opaque to the Protected Storage system. Access to Items is subject to confirmation according to a user-defined Security Style, which specifies what confirmation is required to access the data, such as whether a password is required. In addition, access to Items is subject to an Access rule set. There is an Access rule for each Access Mode: for example, read/write. Access rule sets are composed of Access Clauses. Typically at application setup time, a mechanism is provided to allow a new application to request from the user access to Items that may have been created previously by another application. Protected Storage uses a very well thought through data encryption method, which uses master keys and strong algorithms, such as des, sha, and shahmac. Similar data encryption methods are now used in the majority of modern browsers; e.g. in Opera or FireFox. Microsoft, meanwhile, quietly but surely develops and tests new ones. When this article is written, in the pre-Beta version of Internet Explorer 7 Protected Storage was only used for storing FTP passwords. The analysis of this preliminary version suggests that Microsoft is preparing another 'surprise' in the form of new, interesting encryption algorithms. It is not known for sure, but most likely the new company's data protection technology InfoCard will be involved in the encryption of private data. Thus, with a great deal of confidence one can assert that with the release of Windows Vista and the 7th version of Internet Explorer passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, to all appearances, will become open for third-party developers. It is somewhat sad, for we think the true potential of Protected Storage was still not uncovered. And this is why we think so: 4. PIEPR - the First Acquaintance The program's wizard allows you to choose one of several operating modes: User's registry file name is ntuser.dat; its resides in the user's profile, which is normally %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%, where %SYSTEMDRIVE% stands for the system disk with the operating system, and %USERNAME% is normally account name. For instance, path to registry file may look like this: C:\Documents and Settings\John\ntuser.dat If you have ever been a happy owner of Windows 9x/ME, after you upgrade your operating system to Windows NT, Protected Storage will providently save a copy of your old private data. As a result of that, Protected Storage may contain several user identifiers, so PIEPR will ask you to select the right one before it gets to the decryption of the data (fig.3 http://www.passcape.com/images/ie03.png). One of the listed SIDs will contain data left by the old Windows 9x/ME. That data is additionally encrypted with user's logon password, and PIEPR currently does not support the decryption of such data. If ntuser.dat contains encrypted passwords (e.g., FTP sites passwords), the program will need additional information in order to decrypt them (fig.4 http://www.passcape.com/images/ie04.png): Normally, the program finds the last two items in user's profile and fills that data automatically. However, if ntuser.dat was copied from another operating system, you will have to take care of that on your own. The easiest way to get the job done is to copy the entire folder with user's Master Key (there may be several of them) to the folder with ntuser.dat. Master Key resides in the following folder on your local computer: %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Protect\%UserSid%, where %SYSTEMDRIVE% stands for the system disk with the operating system, %USERNAME% - account name, %UserSid% - user's SID. For example, path to the folder with a master key may look as follows: C:\Documents and Settings\John\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. Let's make it clear that it is recommended to copy the entire folder S-1-5-21-1587165142-6173081522-185545743-1003, for it may contain several Master Keys. Then PIEPR will select the right key automatically. Windows marks some folders as hidden or system, so they are invisible in Windows Explorer. To make them visible, enable showing hidden and system objects in the view settings or use an alternative file manager. Once the folder with user's Master Key was copied to the folder with ntuser.dat, PIEPR will automatically find the required data, so you will only have to enter user's password for recovering FTP passwords. Content Advisor Asterisks passwords We have reviewed the basic Internet Explorer password recovery modes. There is also a number of additional features for viewing and editing cookies, cache, visited pages history, etc. We are not going to cover them in detail; instead, we are going to look at a few password recovery examples done with PIEPR.
5.1. Three Real-Life Examples. If you have opened this site and set the 'Save password' option in the authentication dialog, the password must be saved in Protected Storage, so recovering it is a pretty trivial job. Select the automatic operating mode in PIEPR and then click 'Next'. Locate our resource in the dialog with decrypted passwords that appears (the site name must appear in the Resource Name column.) As we see, the decryption of current user's password should not cause any special difficulties. Oh, if the password is not found for some reason - don't forget to check IE's Auto-Complete Settings. Possibly, you have simply not set the program to save passwords.
5.2. Three Real-Life Examples. In either case, we will have user's old profile with all files within it. This set is normally enough to get the job done. In the case with the reinstallation, Windows providently saves the old profile under a different name. For example, if your account name was John, after renaming it may look like John.WORK-72C39A18. The first and the foremost what you must do is to gain access to files in the old profile. There are two ways to doing this: Let's take the first route. Once we gain access to the old profile, we will need to let the system show hidden and system files. Otherwise, the files we need will be invisible. Open Control Panel, then click on Folder Options, and then select the View tab. On this tab, find the option 'Show hidden files and folders' and select it. Clear the option 'Hide protected operating system files'. When the necessary passwords are recovered, it's better to reset these options to the way they were set before. Open the program's wizard in the manual mode and enter path to the old profile's registry file. In our case, that is C:\Documents And Settings\ John.WORK-72C39A18\ntuser.dat. Where John.WORK-72C39A18 is the old account name. Click 'Next'. This data should normally be sufficient for recovering Internet Explorer passwords. However, if there is at least a single encrypted FTP password, the program will request additional data, without which it will not be able to recover such types of passwords: That's it. Now we need to enter the old account password, and the recovery will be completed. If you don't care for FTP password, you can skip the user's password, Master Key, and SID entry dialog.
5.3. Three Real-Life Examples. Indeed, some websites don't let browser to save passwords in the auto-complete passwords list. Often, such websites are written in JAVA or they use alternative password storage methods; e.g., they store passwords in cookies. A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site. Cookies provide a useful means in Web applications to store user-specific information. For example, when a user visits your site, you can use cookies to store user preferences or other information. When the user visits your Web site another time, the application can retrieve the information it stored earlier. Cookies are used for all sorts of purposes, all relating to helping the Web site remember you. In essence, cookies help Web sites store information about visitors. A cookie also acts as a kind of calling card, presenting pertinent identification that helps an application know how to proceed. But often cookies criticized for weak security and inaccurate user identification. If the password field is filled with asterisks, the solution is clear: select the ASTERISKS PASSWORDS operating mode and then open the magic magnifier dialog. Then simply drag the magnifier to the Internet Explorer window (fig.6 http://www.passcape.com/images/ie06.png). But it's not always that simple. The password field may be empty or that field may indeed contain *****. In this case, as you have guessed by now, the ASTERISKS PASSWORDS tool will be useless. We can suppose, the password is stored in cookies. Let's try to locate it. Choose the IE Cookie Explorer tool (fig.8 http://www.passcape.com/images/ie08.png). As the figure shows, in our case the login and password are not encrypted and are stored as plain text. Cookies are often encrypted. In this case, you are not likely to succeed recovering the password. The only thing you can try doing in order to recover the old account is to create a new account. Then you will be able to copy the old cookies in a text editor and replace them with the new ones. However, this is only good when the worst comes to the worst; it is not recommended to use it normally. Don't forget also that just about all pages and forms with passwords have the 'Forgot password' button.
Conclusion With the release of the next, 7th version of IE, Microsoft is preparing fundamentally new schemes for protecting our private data, where it uses improved encryption algorithms and eliminates shortages peculiar to Protected Storage. In particular, the analysis of the preliminary beta versions of Internet Explorer 7 has revealed that autoform password encryption keys are no longer stored along with data. They are not stored, period! This is a little know-how, which is to be estimated at its true worth by both professionals and end users, who, finally, will benefits of it anyway. But the main thing is, the release of the new concept will eliminate the major drawback peculiar to Protected Storage, which is the possibility to recover passwords without knowing the additional information. Better to say, was enough for a potential hacker to gain physical access to the contents of a hard drive, in order to steal or damage passwords and user's other private data. With the release of Internet Explorer 7, the situation will somewhat change. Meanwhile, we will only have to wait impatiently for the advent of Windows Vista and IE 7 to take a closer look at new encryption mechanisms used in the next generation of this popular browser. This document may be freely distributed or reproduced provided that the Like it? Share it!More by this author |