Recovering Internet Explorer Passwords: Theory and Practice


1. Introduction
2. Types of passwords stored in Internet Explorer
2.1. Internet Credentials
2.2. AutoComplete data
2.3. AutoComplete passwords
2.4. FTP passwords
2.5. Synchronization passwords
2.6. Identities passwords
2.7. AutoForms data
2.8. Content Advisor password
3. Brief overview of Internet Explorer password recovery programs
4. PIEPR – the first contact
5. Three real-life examples
5.1. Recovering the current user's FTP passwords
5.2. Recovering web site passwords from a downloadable operating system
5.3. Retrieving rare stored passwords
6. Conclusion
1. Introduction
Nobody would question the fact that Internet Explorer is the most popular browser today. According to statistics, approximately 70% of Internet users prefer to use only this program. Arguments about its pros and cons can last forever; still, this browser is the leader in its industry, and that is a fact that needs no proof. Internet Explorer has several integrated technologies designed to make life easier for the average user. One of them, IntelliSense, handles routine tasks such as automatic completion of visited web addresses and automatic filling of form fields, users' passwords, etc.
Many Web sites now require registration, which means that the user must enter a user name and password. If you use more than a dozen such sites, you will likely need a password manager. All modern browsers have a built-in password manager in their arsenal, and Internet Explorer is no exception. Indeed, why remember yet another password if you are going to forget it soon anyway? It is much easier to let your browser do the routine work of remembering and storing passwords for you. It is convenient and comfortable.
This would be a perfect solution; however, if your Windows operating system crashes or is reinstalled not the way it is supposed to be, you can easily lose your entire list of valuable passwords. That is the price of comfort and convenience. It is good that almost every website has an "I forgot my password" button. However, this button will not always rid you of the headache.
Each software developer solves the forgotten-password problem in their own way. Some officially recommend copying a few important files to another folder, others send all registered users a special utility that manages the migration of private data, and a third group pretends not to see the problem. However, demand creates supply, and password recovery programs are currently in high demand.
In this article we will try to classify the types of private data stored in Internet Explorer, look at the programs for recovering that data, and study real-life cases of recovering lost Internet passwords.
2. Types of passwords stored in Internet Explorer
Internet Explorer can store the following types of passwords:
- Internet Credentials
- AutoComplete data
- AutoComplete passwords
- FTP passwords
- Synchronization passwords for cached websites
- Identities passwords
- AutoForms data
- Content Advisor password
Let us take a closer look at each item listed.
2.1. Internet Credentials for websites
Internet Credentials are the user names and passwords required to access certain websites; they are processed by the wininet.dll library. For example, when you try to enter a protected area of a website, you may see a user name and password prompt.
If the "Remember my password" option is selected in this prompt, the user credentials are saved on your local computer. Older Windows 9x versions stored that data in the user's PWL file; Windows 2000 and later store it in Protected Storage.
2.2. AutoComplete data
AutoComplete data (passwords will be discussed later) is also stored in Protected Storage and appears as lists of HTML form field names and the corresponding user data. For example, if an HTML page contains an e-mail address entry dialog, then once you have entered your e-mail address, Protected Storage will hold the HTML field name, the address value, and the time the record was last accessed.
The HTML page title and the website address are not stored. Is this good or bad? It is difficult to determine; more likely good than bad. Here are the obvious advantages: it saves space and speeds up browser performance. If you think the last point is insignificant, imagine how many additional checks would have to be performed in a multi-thousand-entry (this is not as strange as it may seem) AutoComplete list.
Another obvious advantage is that data for HTML form fields that are identical by name (and often by subject) is stored in one place, and the common data is used for automatically filling such pages. We will see this in an example. If an HTML page contains an AutoComplete field with the name 'email', and the user has entered an e-mail address in that field, IE will put in storage, roughly, 'email=my@email.com'. From now on, if the user opens another site that has a page with the same field name 'email', the user will be offered to auto-fill it with the value entered on the first page (my@email.com). Thus, the browser discovers something like AI capabilities in itself.
The major drawback of this data storage method follows from its advantage, which has just been described. Imagine the user has entered AutoComplete data on a Web site. If someone knows the name of the HTML form field, that person can create their own simple HTML page with the same field name and open it from a local disk. To find the data entered in this field, this person will not even need to connect to the Internet and open the original WWW address.
2.3. AutoComplete passwords
In the case of password data, however, as you may have guessed, the data is not filled in automatically in this way, because AutoComplete passwords are stored together with the name of the site, and each password is linked to one specific HTML page.
In the new version, Internet Explorer 7, the storage of both AutoComplete passwords and data is completely different; the new encryption method is free from the shortcoming described above (if it can be considered a shortcoming).
Note that Internet Explorer allows users to manage AutoComplete settings manually through the options menu.
2.4. FTP passwords
FTP passwords are stored in more or less the same way. It is interesting to note that, starting with Windows XP, FTP passwords are additionally encrypted with DPAPI. This encryption method uses the logon password. Naturally, this makes it much more difficult to recover such lost passwords manually, since we now need the user's Master Key, SID and account password.
Starting with Microsoft Windows 2000, the operating system began to offer a data protection application programming interface (DPAPI). This is just a pair of function calls that provide operating-system-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and requires no additional libraries. By data protection, we mean a service that ensures data privacy through encryption. Since data protection is part of the OS, every application can protect its data without any special cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is a very easy-to-use service that will benefit developers who must provide protection for sensitive application data such as passwords and private keys.
DPAPI is a password-based data protection service: it requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES and AES algorithms, and strong keys, which we cover in detail later. Since DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user's logon password for protection.
DPAPI is not responsible for storing the confidential information it protects. It is solely responsible for encrypting and decrypting data for the programs that call it, such as Windows Credential Manager, the private key storage mechanism, or any third-party program.
Please visit the Microsoft Web site for more information.
2.5. Synchronization passwords for cached websites
Synchronization passwords spare the user from having to enter passwords for cached websites (sites set to be available offline). Passwords of this type are also stored in IE's Protected Storage.
2.6. Identities passwords
These are the identities passwords. The identity-based access management mechanism is not widely used in Microsoft products, except, perhaps, Outlook Express.
2.7. AutoForms data
A special paragraph must be devoted to the AutoForm method, which is a hybrid way of storing data. This method stores the actual data in Protected Storage, while the URL that the data belongs to is stored in the user's registry. The URL written in the registry is not stored in clear text; it is stored as a hash. Here is the algorithm for reading AutoForm data in Internet Explorer 4 to 6:
=== 8
...RemoveAll();
    // Check whether AutoForm passwords are present in the registry
    if (EntryPresent(cszUrl))
    {
        // Read the AutoForm passwords from PStore
        return PStoreReadAutoformPasswords(cszUrl, saPasswords);
    }
    return FALSE;
}

// Check whether AutoForm passwords are present
BOOL CAutoformDecrypter::EntryPresent(LPCTSTR cszUrl)
{
    assert(cszUrl);
    DWORD dwRet, dwValue, dwSize = sizeof(dwValue);
    LPCTSTR cszHash = GetHash(cszUrl);
    // Problems computing the hash value
    if (!cszHash)
        return FALSE;
    // Check the registry: the value name is the hash of the URL
    dwRet = SHGetValue(HKEY_CURRENT_USER, _T("Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW"), cszHash, NULL, &dwValue, &dwSize);
    // The hash string was allocated with new[] in GetHash
    delete[] (LPTSTR)cszHash;
    if (ERROR_SUCCESS == dwRet)
        return TRUE;
    m_dwLastError = E_NOTFOUND;
    return FALSE;
}

// Compute the hash of the given URL text and translate it into hexadecimal
LPCTSTR CAutoformDecrypter::GetHash(LPCTSTR cszUrl)
{
    assert(cszUrl);
    BYTE buf[0x10];
    LPTSTR pRet = NULL;
    int i;
    if (HashData(cszUrl, buf, sizeof(buf)))
    {
        // Allocate some space
        pRet = new TCHAR[sizeof(buf) * sizeof(TCHAR) + sizeof(TCHAR)];
        if (pRet)
        {
            for (i = 0; i
// ... (the listing is cut off here; it resumes inside the hashing routine)
        pHash[dw] = (BYTE)dw;
    // The actual hashing
    while (dwDataSize-- > 0)
    {
        for (dw = dwHashSize; dw-- > 0;)
        {
            // m_pPermTable = permutation table
            pHash[dw] = m_pPermTable[pHash[dw] ^ pData[dwDataSize]];
        }
    }
}
=== 8
The next, seventh generation of the browser is most likely going to make this user data storage mechanism its primary data storage method, abandoning the good old Protected Storage. To be precise, AutoComplete data and passwords will, from now on, be stored here.
What is so special and interesting about this mechanism that made MS decide to use it? Well, first of all, it is the encryption idea, which is not new at all, but simple and genius, to the point of disgrace. The idea is to stop storing encryption keys and to generate them whenever they are needed. The raw material for the keys is the address of the HTML page on the Web.
Let's see how this idea works in action. Here is the simplified IE7 algorithm for saving AutoComplete data and password fields:
1. Save the Web page address. We will use this address as the encryption key (EncryptionKey).
2. Obtain the record key: RecordKey = SHA(EncryptionKey).
3. Calculate a checksum for RecordKey to ensure the integrity of the record key (the integrity of the actual data is guaranteed by DPAPI): RecordKeyCrc = CRC(RecordKey).
4. Encrypt the data (passwords) with the encryption key: EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).
5. Store RecordKey + RecordKeyCrc + EncryptedData in the registry.
6. Discard EncryptionKey.
It is very, very difficult to recover the password without having the original Web page address. Decryption looks pretty trivial:
1. When the original Web page is opened, we take its address (EncryptionKey) and obtain the record key: RecordKey = SHA(EncryptionKey).
2. Examine the list of all record keys, trying to locate RecordKey.
3. If RecordKey is found, decrypt the data stored with this key using EncryptionKey: Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).
Despite its apparent simplicity, this Web password encryption algorithm is one of the strongest today. However, it has one big disadvantage (or advantage, depending on how you look at it): if you change or forget the address of the original Web page, it will be impossible to recover the password for it.
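The save and lookup steps above, as an added Python example (not code from the article or from PIEPR). Assumptions: SHA-1 and CRC-32 stand for the page's SHA and CRC, a dict stands in for the registry, and `dpapi_encrypt`/`dpapi_decrypt` are hypothetical stand-ins for DPAPI so that the example runs off Windows.

```python
import hashlib
import hmac
import os
import zlib

# Stand-in for the DPAPI master key, which Windows ties to the user's logon password.
USER_SECRET = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def dpapi_encrypt(data: bytes, entropy: bytes) -> bytes:
    """Stand-in for DPAPI_Encrypt(Data, EncryptionKey); not DPAPI's real construction."""
    key = hmac.new(USER_SECRET, entropy, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dpapi_decrypt(blob: bytes, entropy: bytes) -> bytes:
    """Stand-in for DPAPI_Decrypt; fails unless the same URL is supplied as entropy."""
    key = hmac.new(USER_SECRET, entropy, hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong URL or wrong user secret")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def record_name(url: str) -> str:
    """Steps 2-3: RecordKey = SHA(EncryptionKey), RecordKeyCrc = CRC(RecordKey)."""
    record_key = hashlib.sha1(url.encode("utf-8")).digest()   # SHA-1 is an assumption
    record_crc = zlib.crc32(record_key).to_bytes(4, "big")    # CRC-32 is an assumption
    return (record_key + record_crc).hex().upper()


def name_is_intact(name: str) -> bool:
    """Verify the checksum that guards the record key itself."""
    try:
        raw = bytes.fromhex(name)
    except ValueError:
        return False
    return len(raw) == 24 and zlib.crc32(raw[:20]).to_bytes(4, "big") == raw[20:]


def save_password(registry: dict, url: str, data: bytes) -> None:
    """Steps 1-6: only the hash of the URL and the ciphertext are kept."""
    registry[record_name(url)] = dpapi_encrypt(data, url.encode("utf-8"))


def load_password(registry: dict, url: str):
    """Decryption steps 1-3: hash the URL, scan the record names, decrypt on a match."""
    wanted = record_name(url)
    for name, blob in registry.items():
        if name_is_intact(name) and name == wanted:
            return dpapi_decrypt(blob, url.encode("utf-8"))
    return None


if __name__ == "__main__":
    registry = {}                                  # constructed sample store
    url = "https://shop.example.test/login"        # constructed sample URL
    save_password(registry, url, b"alice:s3cret")
    print(load_password(registry, url))                                  # same URL
    print(load_password(registry, "https://shop.example.test/Login"))   # changed URL
```

A record moved under the name of a different URL is located but still fails to decrypt, because the URL also feeds the encryption step.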
2.8. Content Advisor password
And the last item on our list is the Content Advisor password. Content Advisor was initially designed as a tool for restricting access to certain websites. However, for some reason it was disliked by many users (no doubt, you can disagree with that). If you once turned Content Advisor on, entered a password and then forgot it, you will not be able to access most websites on the Internet. Fortunately (or unfortunately), this is easily corrected.
The actual Content Advisor password is not stored in clear text. Rather, the system computes its MD5 hash and stores it in the Windows registry. On an attempt to access a restricted area, the password entered by the user is also hashed, and the resulting hash is compared with the one stored in the registry. Take a look at the PIEPR source code that checks the Content Advisor password:
=== 8
void CContentAdvisorDlg::CheckPassword()
{
    CRegistry registry;
    // Read the registry
    registry.SetKey(HKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Ratings");
    BYTE pKey[MD5_DIGESTSIZE], pCheck[MD5_DIGESTSIZE];
    if (!registry.GetBinaryData("Key", pKey, MD5_DIGESTSIZE))
    {
        MessageBox(MB_ERR, "Unable to read the password.");
        return;
    }
    // Get the password entered by the user
    CString cs;
    m_wndEditPassword.GetWindowText(cs);
    // Hash it; the length + 1 includes the terminating NUL character
    MD5Init();
    MD5Update((LPBYTE)(LPCTSTR)cs, cs.GetLength() + 1);
    MD5Final(pCheck);
    // Compare the stored hash with the computed one
    if (memcmp(pKey, pCheck, MD5_DIGESTSIZE) == 0)
        MessageBox(MB_OK, "The password is correct!");
    else
        MessageBox(MB_OK, "Incorrect password.");
}
=== 8
The first thing that comes to mind is to try to pick the password using a brute-force or dictionary attack. However, there is a more elegant way. You can simply delete the hash from the registry. It is that simple... Well, it is better to rename it instead, so that if you ever need it, you can restore it. Some programs also allow users to check the Content Advisor password, "drag out" the password hint, toggle the password on/off, etc.
3. Brief overview of Internet Explorer password recovery programs
It should be noted that not all password recovery programs are aware that there are several ways to recover passwords. This is probably due to the fact that some passwords (e.g. synchronization passwords) are not often used in real life, and FTP passwords are not so simple to "drag out". Here is a brief overview of the most popular commercial password recovery products for the most popular browser in the world :)
Advanced Internet Explorer Password Recovery from a company that is no stranger, ElcomSoft – does not instantly recognize encrypted passwords and FTP passwords. It is not excluded that the latest version of the program has learned to do that. Easy, intuitive user interface. The program can update itself online automatically.
Internet Explorer Key from Passware – in the same way, does not recognize some types of passwords. Sometimes the program stops with a critical error when reading some rare types of Internet Explorer URLs. It displays the first two characters of the recovered passwords. The advantages worth noting are the Spartan user interface and ease of operation.
Internet Explorer Password from Thegrideon Software – not bad, but can recover only three types of Internet Explorer passwords (which is sufficient for most cases). Handles FTP passwords correctly. Version 1.1 has problems recovering passwords instantly. It has a friendly user interface, which somewhat reminds one of AIEPR. One can be totally enthralled by the beauty and usefulness of the company's website.
Internet Password Recovery Toolbox from Axiohm – offers some features beyond those of the competitors mentioned above. It can retrieve encrypted FTP passwords and delete selected resources. However, it has some bugs. For example, certain types of IE records cannot be deleted. The program comes with an extensive help file.
ABF Password Recovery from ABF software – a good program with an easy-to-use interface. The list of IE record types supported by the program is not long. However, it works all right. The program can be considered multi-functional, since it can restore the passwords of other programs, too.
The major drawback of all the programs mentioned here is that they can recover passwords only for the user currently logged on.
As indicated above, the bulk of the resources stored by Internet Explorer is kept in a special storage called Protected Storage. Protected Storage was developed specifically for storing personal data. Therefore, the functions for working with it (called the PS API) are not documented. Protected Storage was first introduced with the release of version 4 of Internet Explorer, which, by the way, unlike the third version, was written from scratch.
Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. The units of stored data are called Items. The structure and content of the stored data is opaque to the Protected Storage system. Access to Items is subject to confirmation according to a user-defined Security Style, which specifies what confirmation is required to access the data, for example, whether a password is required. In addition, access to Items is subject to an Access rule set. There is an Access rule for each Access Mode: for example, read and write. Access rule sets are composed of Access Clauses. Normally, at application installation time, a mechanism is provided to allow a new application to request from the user access to Items that may have been created previously by another application.
Items are uniquely identified by the combination of a Key, Type, Subtype, and Name. The Key is a constant that specifies whether the Item is global to the computer or associated only with this user. The Name is a string, usually chosen by the user. Type and Subtype are GUIDs, usually specified by the application. Additional information about Types and Subtypes is kept in the system registry and includes attributes such as a display name and user interface hints. For Subtypes, the parent Type is fixed and is included in the registry as an attribute. The Type groups Items used for a common purpose: for example, payment or identification. The Subtype groups Items that share a common data format.
So, until very recently, all Internet Explorer password recovery programs used these undocumented APIs. That is why a significant restriction applied to recovery work: the PS API can only work with the passwords of the user who is logged on. When the system encrypts data stored in Protected Storage, in addition to everything else it uses the SID of the user, without which it is literally impossible (given the current level of computing performance) to recover the stored passwords.
Protected Storage uses a very well thought-out data encryption method that uses master keys and strong algorithms such as DES, SHA and SHA-HMAC. Similar data encryption methods are now used in most modern browsers, e.g. Opera or Firefox. Microsoft, meanwhile, is slowly but surely developing and testing new ones. When this article was written, the pre-beta version of Internet Explorer 7 used Protected Storage only to store FTP passwords.
The analysis of this preliminary version suggests that Microsoft is preparing a new surprise in the form of new, interesting encryption algorithms. It is not known for certain, but chances are that the company's data protection technology InfoCard will be involved in the encryption of private data.
So, with great confidence, we can say that with the release of Windows Vista and version 7 of Internet Explorer, passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, apparently, will be opened to developers.
It's a bit sad, because we believe that the real potential of Protected Storage was never uncovered. Here is why we think so:
- Firstly, Protected Storage is based on a modular structure, which allows other storage providers to be plugged into it. However, over the last 10 years that Protected Storage has existed, not a single new storage provider has been created. System Protected Storage is the only storage provider in the operating system, and it is used by default.
- Secondly, Protected Storage has its own integrated access management system which, for whatever reason, is not used in Internet Explorer or other MS products.
- Thirdly, it is not clear why MS has decided to reject Protected Storage for storing AutoComplete data and passwords, that is, to reject it as a proven data storage and not as a data encryption mechanism. It would be more logical to at least keep the proven Protected Storage for storing data while applying a new encryption algorithm. Without a doubt, there were good reasons for this. Therefore, it would be interesting to hear the opinions of MS specialists on this issue.
4. PIEPR – the first contact
Passcape Internet Explorer Password Recovery has been specifically designed to get around the PS API restriction and can recover passwords directly from binary registry files. It also has a number of additional features for advanced users.
The program's wizard allows you to select among different modes:
- Automatic: the current user's passwords are recovered by accessing the closed PS API. All of the current user's passwords stored in Internet Explorer can be retrieved with a single mouse click.
- Manual: the passwords are recovered without the PS API. The main advantage of this method is the ability to recover passwords from your old Windows account. You will need to specify the path to the user's registry file. Registry files are generally not available for reading; however, the technology used in PIEPR can do it (provided you have local administrative rights).
The user's registry file is named NTUSER.DAT, and it resides in the user profile, which is typically %SystemDrive%\Documents and Settings\%UserName%, where %SystemDrive% is the system disk with the operating system, and %UserName% is usually the account name. For example, the registry file path might look like this: C:\Documents and Settings\John\NTUSER.DAT
If you were once a happy owner of Windows 9x/ME, then after you upgraded the operating system to Windows NT, Protected Storage providently saved a copy of your old private data. Accordingly, Protected Storage can contain multiple user names, so PIEPR will prompt you to select the most appropriate one before it proceeds to decrypt the data.
One of the items in the list will contain the data left over from the old Windows 9x. That data is additionally encrypted with the user's logon password, and PIEPR does not currently support decrypting it.
If the NTUSER.DAT file contains encrypted passwords (e.g. passwords for FTP sites), the program will need additional information to decrypt them:
- The logon password of the user whose data must be decrypted
- The full path to the user's Master Key
- The user's SID
Normally, the program finds the last two items in the user profile and fills them in automatically. However, if NTUSER.DAT was copied from another operating system, you must take care of that yourself. The best way to do the job is to copy the entire folder with the user's Master Key (there may be several of them) into the folder with NTUSER.DAT. The Master Key is in the following folder on the local computer: %SystemDrive%\Documents and Settings\%UserName%\Application Data\Microsoft\Protect\%UserSid%, where %SystemDrive% is the system disk with the operating system, %UserName% is the account name, and %UserSid% is the user's SID. For example, the path to the folder with a master key may be the following: C:\Documents and Settings\Juan\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. Let us make it clear that it is recommended to copy the entire folder S-1-5-21-1587165142-6173081522-185545743-1003, which may contain multiple master keys. PIEPR will then select the correct key automatically.
Windows marks some folders as hidden or system, so they are invisible in Windows Explorer. To make them visible, enable showing hidden and system objects in the view settings, or use an alternative file manager.
Once the folder with the user's Master Key has been copied to the folder with NTUSER.DAT, PIEPR finds the necessary data automatically, so you simply enter the user's password to recover the FTP passwords.
Content Advisor
Content Advisor passwords, as already mentioned, are not stored in clear text; they are stored as a hash. In the Content Advisor password management dialog, it is sufficient simply to remove the hash (you can restore the removed password at any time thereafter) or to change the hash value in order to unblock sites blocked by Content Advisor. PIEPR will also display your password hint if one is available.
Asterisks Password
PIEPR's fourth mode allows retrieving Internet Explorer passwords hidden behind asterisks. To recover such a password, just drag the magnifying glass onto the window with a **** password. This tool also allows you to recover passwords for other programs that use IE frames, e.g.

5. 1.

5. 2.

g.

That’s it.
5. 3.

g.

Conclusion