Remove Ads

Share on Facebook Share on Twitter

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Locations of stored passwords
#1
1)[b][color=purple]Windows Network Passwords (XP/Vista/2003)[/color][/b]:
When you connect to the file system of another computer on your network (something like \\MyComp\MyFolder), Windows allows you to save the password. If you choose to save the password, the encrypted password is stored in a credential file.
The credential file is stored in the following locations:
[b][color=purple]- Windows XP/2003: [Windows Profile]\Application Data\Microsoft\Credentials\[User SID]\Credentials and [Windows Profile]\Local Settings\Application Data\Microsoft\Credentials\[User SID]\Credentials[/color] [/b]
[b][color=purple]- Windows Vista: [Windows Profile]\AppData\Roaming\Microsoft\Credentials\[Random ID] and [Windows Profile]\AppData\Local\Microsoft\Credentials\[Random ID][/color] [/b]
You can use http://www.nirsoft.net/utils/network_pas...overy.html to view all passwords stored in these [b]Credentials[/b] files.

2)[b][color=purple]Dialup/VPN Passwords (2000/XP/Vista/2003)[/color][/b]:
Dialup/VPN passwords are stored [b][color=purple]as LSA secrets under HKEY_LOCAL_MACHINE\Security\Policy\Secrets[/color][/b]. This key contains multiple sub-keys, and the sub-keys which store the dialup passwords contains one of the following strings: RasDefaultCredentials and RasDialParams.
[b][color=purple]This key is not accessible from RegEdit and other tools by default, but you can use one of the following methods to access this key:
1. Use at command to run RegEdit.exe as SYSTEM user: (doesn't work under Vista)
For Example:
at 16:14 /interactive regedit.exe
2. Change the permission of entire Security key. If you do that, it's recommeneded to return the permissions back to the original after you finish. [/color][/b]

3)[b][color=purple]Internet Explorer 4.00 - 6.00[/color][/b]:
The passwords are stored in a secret location in the Registry known as the [b][b]"Protected Storage"[/b][/b]. The base key of the Protected Storage is located under the following key: [b][color=purple]"HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider"[/color][/b]. In order to view the subkeys of this key in RegEdit, you must do the same process as explained for the LSA secrets.
Even when you browse the above key in the Registry Editor (RegEdit), you won't be able to watch the passwords, because they are encrypted. Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.
IE PassView and Protected Storage PassView utilities allow you to recover these passwords.

4)[b][color=purple]Internet Explorer 7.00 - 8.00[/color][/b]:
The new versions of Internet Explorer stores the passwords in 2 different locations. AutoComplete passwords are stored in the Registry under [b][color=purple]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.[/color][/b]
IE PassView can be used to recover these passwords.

5)[b][color=purple]Firefox[/color][/b]:
The passwords are stored in one of the following filenames: [b]signons.txt, signons2.txt, and signons3.txt [/b](depends on Firefox version) These password files are located inside the profile folder of Firefox, in [b][color=purple][Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name] Also, key3.db, located in the same folder, is used for encryption/decription of the passwords. [/color][/b]

6)[b][color=purple]Google Chrome[/color][/b] Web browser:
The passwords are stored in [b][color=purple][Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data[/color][/b] (This filename is SQLite database which contains encrypted passwords and other stuff)
[b][color=purple]XP - C:\Documents and Settings\Username\Local Settings\Application Data\Google\Chrome\User Data\Default
Vista - C:\Users\Username\Appdata\Local\Google\Chrome\User Data\Default[/color][/b]

7)[b][color=purple]Opera[/color][/b]:
The passwords are stored in [b][color=purple]wand.dat[/color][/b] filename, located under [b][color=purple][Windows Profile]\Application Data\Opera\Opera\profile[/color][/b]

8)[b][color=purple]Outlook Express (All Versions)[/color][/b]:
The POP3/SMTP/IMAP passwords Outlook Express are also stored in the [b][color=purple]Protected Storage, like the passwords of old versions of Internet Explorer. [/color][/b]

9)[b][color=purple]Outlook 98/2000[/color][/b]:
Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.

10)[b][color=purple]Outlook 2002-2008[/color][/b]:
All new versions of Outlook store the passwords in the same [b][color=purple]Registry key of the account settings[/color][/b].
The accounts are stored in the Registry under [b][color=purple]HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index][/color][/b]
If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.
http://www.nirsoft.net/utils/mailpv.html can be used to recover lost passwords of Outlook 2002-2008.

11)[b][color=purple]Windows Live Mail[/color][/b]:
All account settings, including the encrypted passwords, are stored in [b][color=purple][Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name][/color][/b] The account filename is an [b][color=purple]xml file with .oeaccount extension.[/color] [/b]
http://www.nirsoft.net/utils/mailpv.html can be used to recover lost passwords of Windows Live Mail.

12)[b][color=purple]ThunderBird[/color][/b]: The password file is located under[b] [color=purple][Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name][/color] [/b]You should search a filename with .s extension.

13)[b][color=purple]Google Talk[/color][/b]:
All account settings, including the encrypted passwords, are stored in the [b][color=purple]Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name][/color] [/b]

14)[b][color=purple]Google Desktop[/color][/b]:
Email passwords are stored in the [b][color=purple]Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name][/color] [/b]

15)[b][color=purple]MSN/Windows Messenger version 6.x and below[/color][/b]:
The passwords are stored in one of the following locations:
[b][color=purple]-Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
- Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
- In the Credentials file, with entry named as "Passport.Net\\*". (Only when the OS is XP or more) [/color][/b]

16)[b][color=purple]MSN Messenger version 7.x[/color][/b]:
The passwords are stored under [b][color=purple]HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name][/color] [/b]

17)[b][color=purple]Windows Live Messenger version 8.x/9.x[/color][/b]:
The passwords are stored in the[b][color=purple] Credentials file, with entry name begins with "WindowsLive:name="[/color][/b]. These passwords can be recovered by both Network Password Recovery and MessenPass utilities.

18)[b][color=purple]Yahoo Messenger 6.x[/color][/b]:
The password is stored in the [b][color=purple]Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager ("EOptions string" value)[/color] [/b]

19)[b][color=purple]Yahoo Messenger 7.5 or later[/color][/b]:
The password is stored in the [b][color=purple]Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager - "ETS" value.[/color][/b] The value stored in "ETS" value cannot be recovered back to the original password.

20)[b][color=purple]AIM Pro[/color][/b]:
The passwords are stored in the [b][color=purple]Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name][/color] [/b]

21)[b][color=purple]AIM 6.x[/color][/b]: The passwords are stored in the [b][color=purple]Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords[/color][/b] [/align]
[hr]
[align=justify]22)[b][color=purple]ICQ Lite 4.x/5.x/2003[/color][/b]:
The passwords are stored in the Registry, under [b][color=purple]HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number] (MainLocation value)[/color] [/b]

23)[b][color=purple]ICQ 6.x[/color][/b]:
The password hash is stored in [b][color=purple][Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database)[/color] [/b](The password hash cannot be recovered back to the original password)

24)[b][color=purple]Digsby[/color][/b]:
The main password of Digsby is stored in [b][color=purple][Windows Profile]\Application Data\Digsby\digsby.dat[/color][/b] All other passwords are stored in Digsby servers.

25)[b][color=purple]PaltalkScene[/color][/b]: The passwords are stored in the [b][color=purple]Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].[/color][/b]

26)[b][color=purple]Trillian[/color][/b]:
Note- These passwords may be stored/encrypted differently
Trillian Passwords are stored in[b][color=purple] .ini files the first character of the password is encrypted with XOR with the key 243 then the password is converted into hex. The file is based on what the password is for so if it was icq it would be icq.ini[/color] [/b](for new versions I think they are all stored in a file called accounts.ini or something similar if you open it up with notepad you will see all the data + the encrypted password). The files are stored in the following location:

[u]XP (old version):[/u]
[b] [color=purple]C:\Program Files\Trillian\users\[/color][/b]
[u]XP (new version):[/u]
[b][color=purple]C:\Documents and Settings\Username\Local Settings\Application Data\Trillian\user\global[/color][/b]
I am not sure on exact but it is somewhere their...

[u]Vista (old version):[/u]
[b][color=purple]C:\Program Files\Trillian\users\[/color][/b]

[u]Vista (new version):[/u]
[b][color=purple]C:\Users\Username\Appdata\Roaming\Trillian\user\global[/color][/b]

27) [b][color=purple]Windows Live Messenger version 8.x/9.x:[/color] [/b]
The passwords are stored in the [b][color=purple]Credentials file, with entry name begins with "WindowsLive:name=". They a set of Win API functions (Credential API's) to store its' security data (Credentials).[/color][/b] These functions store user information, such as names and passwords for the accounts (Windows Live ID credentials). Windows Live ID Credential records are controlled by the operating system for each user and for each session. They are attached to the "target name" and "type". If you are familiar with SQL you can think of target name and type as the primary key. Table below lists most frequently used fields in Windows Live ID Credential records.

28) [b][color=purple]No Ip[/color][/b] (easy to make in vb.net):
Passwords encoded with Base64 you can find the account information in the following locations
[b][color=purple]HKEY_LOCAL_MACHINESOFTWARE\Vitalwerks\DUC\", "Password"
HKEY_LOCAL_MACHINESOFTWARE\Vitalwerk\sDUC\", "Checked"
HKEY_LOCAL_MACHINESOFTWARE\Vitalwerks\DUC\", "Username
KEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC\", "ProxyUsername
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC\", "ProxyPassword"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC\", "Hosts"[/color][/b]

29)[b][color=purple]Filezilla[/color][/b]:
Passwords are stored in a [b][color=purple].xml file located in Filezilla on appdata[/color][/b] their is sources for this

30) [b][color=purple]Safari[/color][/b]:
Safari stores password data [b][color=purple]via Keychain. /Applications/Utilities/Keychain Access (on Mac)[/color][/b]
[b][color=purple]On PC, All that data is stored in plist files at: CBig Grinocuments and Settings(UserName)Application DataApple ComputerSafari
I believe it is FormValues.plist[/color][/b]

31)[b][color=purple]Temporary Internet Files[/color] [/b]

[u]Windows 7 or Vista[/u]
[b][color=purple]C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\[/color]
[/b]
[u]Windows XP or 2000[/u]
[b][color=purple]C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\[/color]
[/b]
[u]Windows Me,98,95,NT[/u]
[b][color=purple]C:\Windows\Temporary Internet Files\
C:\Windows\Profiles\<username>\Temporary Internet Files\[/color][/b]
[/align]
Reply
#2
*Yoink* - Im making a password stealer for linux (must have physical access) so thanks for this, I wont need to look up the locations now Big Grin
Reply
#3
Glad that it helps you.
Reply
#4
Where are the credentials of os user accounts stored, one used for boot time login ? How do we reverse it to get the credentials ?
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)