Re: Decode Outlook2003 POP3 password?
- From: ThePsyko <ThePsyko@xxxxxxxxxxxxxxxxx>
- Date: 17 Oct 2005 21:27:31 GMT
On 15 Oct 2005 in alt.2600, mach <Room303@xxxxxxxxxxxxxxxxxxxxxx> made
their contribution to mankind by stating in
news:051015f@xxxxxxxxxxxxxxxxxxxxxx:
> Benedikt Foster <netpilots@xxxxxxxxxxx> wrote:
>> Hello NG
>>
>> Does anybody know the algorithm or a free program
>> to decode the Outlook2003 passwords stored in the registry.
>>
>> To find here: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
>
> Perhaps you can get some mileage out of an old POP3 crack reposted
> herein.
>
> http://groups.google.com/group/alt.hackers.malicious/msg/92da283e416b5436
>
> Many people recover Outlook POP passwords from Win9X PC by using
> a second computer connected to the LAN as a bogus POP server. This
> article shows you how to recover Outlook passwords using only the
> Win9X PC. Although this article focuses on Outlook, the principles
> apply to most Win9X mail agents.
>
> Windows optionally stores Outlook POP passwords in the registry.
> Most people use this feature to save them from constantly entering
> their POP password whenever Outlook checks for new mail. Many
> organizations also enable this feature to keep employees ignorant
> of valid POP passwords.
>
> Information about the exact algorithms and formats used by Win9X to
> store passwords in its registry is hard to come by. Those that know
> usually want you to buy a cracking tool from them.
>
> Fortunately, Ankit Fadia figured out that you can exploit a weakness
> in the POP protocol to finesse Win9X into decrypting the password
> for you. ( http://hackingtruths.box.sk/morepasswd.htm ).
>
> The POP protocol sends user names and passwords in clear text. A
> session between Outlook and a POP server looks similar to the
> following:
>
> +
> USER ankit
> +
> PASS abc
> +
>
> The server responds with +, while Outlook provides USER and PASS,
> with a clear text password following the word PASS.
>
> The POP protocol uses a clear text password because it assumes that
> only POP servers listen on port 110. Ankit's exploit relies upon
> setting up a bogus POP server on port 110 that displays passwords
> instead of sending mail. In order to utilize Ankit's exploit, you
> need to temporarily change the POP3 Server values in the Win9X PC's
> registry to point to your bogus POP server.
>
>
> Outlook Express uses registry values similar to the following:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000002]
> "Account Name"="username"
> "Connection Type"=dword:00000000
> "POP3 Server"="192.168.1.130"
> "POP3 User Name"="username"
> "POP3 Password2"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,\
>   14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20
> "POP3 Use Sicily"=dword:00000000
>
>
> Outlook uses registry values similar to the following:
>
> [HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Internet Account Manager\Accounts\organization]
> "POP3 Server"="192.168.1.1"
> "POP3 User Name"="username"
> "POP3 Password2"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10
> "POP3 Skip Account"=dword:00000000
> "Connection Type"=dword:00000000
> "Connection Flags"=dword:00000000
> "POP3 Port"=dword:0000006e
> "POP3 Secure Connection"=dword:00000000
> "POP3 Timeout"=dword:0000001e
> "Leave Mail On Server"=dword:00000000
>
>
> Some organizations "lock down" Win9X PCs by setting
> DisableRegistryTools to TRUE, which theoretically disables regedit.
> You can use the following program to circumvent "locked down"
> registries.
>
>
> #include <windows.h>
> #include <tchar.h>
> #include <stdlib.h>   /* system() */
>
> int main(int argc, char** argv)
> {
>     DWORD dwLength, dwValue;
>     HKEY hKey;
>
>     /* Open the per-user policy key that holds DisableRegistryTools. */
>     if(RegOpenKey(HKEY_CURRENT_USER,
>        _T("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"),
>        &hKey) == ERROR_SUCCESS) {
>
>         dwLength = sizeof(dwValue);
>         /* Clear the value, run regedit, then restore the value to 1. */
>         dwValue = 0;
>         RegSetValueEx(hKey, _T("DisableRegistryTools"), 0, REG_DWORD,
>                       (PBYTE) &dwValue, dwLength);
>         system("regedit");
>         dwValue = 1;
>         RegSetValueEx(hKey, _T("DisableRegistryTools"), 0, REG_DWORD,
>                       (PBYTE) &dwValue, dwLength);
>         RegCloseKey(hKey);
>     }
>     return 0;
> }
>
>
> Unfortunately, Ankit's exploit also generates network traffic.
> Some organizations abuse the privacy of their employees by using
> tools such as Raytheon's Silent Runner (http://www.silentrunner.com/)
> to archive all network packets. Such tools can embarrass a user
> who deploys a bogus POP server on a LAN.
>
> My improved method eliminates potential embarrassments by eliminating
> the need for a second computer. In fact, you may want to temporarily
> disconnect the network cable from the back of the PC to remove any
> possibility of remote spy programs recording your actions.
>
> With my method you run netcat on the Win9X PC to make it accept
> connections on the traditional POP port, 110. The following command
> places netcat into listen mode on port 110:
>
> nc -l -p 110
>
> You also need to use regedit to temporarily change the Win9X PC's
> Outlook POP3 Mail Server to localhost or 127.0.0.1. You can then
> invoke Outlook and it should attempt to connect to the POP3 Mail
> Server specified in the registry. For our purposes, it connects
> to the netcat process listening on port 110. Give it a second or
> two, then press a + key followed by Enter in the DOS window where
> you ran the netcat listening process. Netcat echoes the + Enter
> to Outlook, which interprets a + Enter as an acknowledgement of a
> successful connection to a POP3 server.
>
> Outlook then sends a USER name, which netcat displays in the DOS
> window, and waits for the POP3 server to reply with an
> acknowledgement. You can send Outlook an acknowledgement by pressing +
> Enter again in the netcat DOS window. Outlook then sends PASS along
> with the USER's clear text password. Keep pressing + Enter to
> acknowledge each successive Outlook command until Outlook finally
> dies.
>
> Go ahead and give this a shot on your own Win9X PC. See if you can
> use Outlook and netcat to display the clear text version of your
> own Outlook password.
>
> --
> mach
well done sir :)
--
ThePsyko
Public Enemy #7
http://prozac.iscool.net
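Two checks a defender would run against what the quoted post lays out, written here as an added example (not code from the thread or from any of its authors): a parser for the .reg export layout quoted above that flags accounts with a saved password, a cleartext POP3 setting, or a server entry rewritten to the local host (the change the netcat trick needs), and a pass over a POP3 transcript of the kind netcat displays, reporting what a passive observer of the wire learns. The sample export and transcript are constructed, the value names are the ones quoted in the post, and the port semantics are an assumption (110 with "POP3 Secure Connection" unset taken as cleartext; a non-zero flag or another port taken as TLS).

```python
import re

# Constructed sample .reg export in the layout quoted in the post.  The hex
# bytes are made up and are not a real stored password.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000002]
"Account Name"="username"
"POP3 Server"="127.0.0.1"
"POP3 User Name"="username"
"POP3 Password2"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,\
  14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20
"POP3 Use Sicily"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000003]
"Account Name"="work"
"POP3 Server"="mail.example.com"
"POP3 Port"=dword:000003e3
"POP3 Secure Connection"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}, joining
    the backslash-continued hex lines regedit emits for long values."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:              # continuation of a hex value
            name, value = pending
            value += line.rstrip('\\')
            if line.endswith('\\'):
                pending = (name, value)
            else:
                keys[current][name] = value
                pending = None
            continue
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.endswith('\\'):
                pending = (name, value.rstrip('\\'))
            else:
                keys[current][name] = value
    return keys


def _dword(values, name, default=0):
    raw = values.get(name, '')
    return int(raw[6:], 16) if raw.startswith('dword:') else default


def audit_pop3_accounts(text):
    """Per POP3 account, report: a saved password, a cleartext (non-TLS,
    port 110) server setting, and a server pointing at the local host."""
    report = {}
    for key, values in parse_reg_export(text).items():
        if 'POP3 Server' not in values:
            continue
        findings = []
        if 'POP3 Password2' in values:
            findings.append('stored-password')
        if (_dword(values, 'POP3 Secure Connection') == 0
                and _dword(values, 'POP3 Port', default=110) == 110):
            findings.append('cleartext-pop3')
        if values['POP3 Server'].strip('"').lower() in ('127.0.0.1', 'localhost'):
            findings.append('server-is-localhost')
        report[key.rsplit('\\', 1)[-1]] = findings
    return report


# Constructed transcript of the exchange the post describes, tagged by side
# ('S' server, 'C' client); any server line starting with '+' is an ack.
SAMPLE_SESSION = [('S', '+OK'), ('C', 'USER ankit'), ('S', '+OK'),
                  ('C', 'PASS abc'), ('S', '+OK'), ('C', 'STAT')]


def exposed_credentials(session):
    """Return the (user, password) a passive observer sees, or None if PASS
    was never sent in the clear (e.g. STLS was acknowledged first)."""
    user, awaiting_stls = None, False
    for side, line in session:
        if side == 'S':
            if awaiting_stls and line.startswith('+'):
                return None          # TLS negotiated: later bytes are ciphertext
            awaiting_stls = False    # a rejected STLS leaves the stream in clear
            continue
        verb, _, arg = line.partition(' ')
        verb = verb.upper()
        if verb == 'USER':
            user = arg
        elif verb == 'PASS':
            return (user, arg)
        elif verb == 'STLS':
            awaiting_stls = True
    return None


if __name__ == '__main__':
    print(audit_pop3_accounts(SAMPLE_REG_EXPORT))
    print(exposed_credentials(SAMPLE_SESSION))
```

The audit deliberately does not try to decode "POP3 Password2": whether or not the stored blob is recoverable, its presence together with a cleartext server setting is the finding, and a server entry of 127.0.0.1 or localhost on a machine that normally talks to a LAN mail host is the artefact the described procedure leaves behind.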