Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: AIM saved password storing
From: Ill will <xillwillx () gmail com>
Date: Tue, 16 Nov 2004 11:15:38 -0500

yes basically you can export the encoded password in the registry and
use it onanother computer, all that you would need to then was make a
password change and hope that the person doesnt check their email in
the next 24 hours to block the attempt... the old aim 4.7 and below
used to take that encoded pass from the registry and pass it along to
oscore.dll in the aim directory which used a decrypt function to
change back to plain text before signing on ... aol was finally smart
enough to change their logon function with aim 4.8 and above


On Tue, 16 Nov 2004 08:13:07 -0500, Bort Vern <bortvern () gmail com> wrote:
This is exactly the kind of shenanigans that worked on old AOL
clients, haven't looked at it in about 5 or so years though.  I
wouldn't be surprised if you couldn't just export the registry for the
AOL client, change the password, then export again and do a diff
between the files to find the encoded password.  However, I wouldn't
install the AOL client long enough to try...




On Mon, 15 Nov 2004 19:00:09 -0500, ntx0f <ntx0f () seteuid com> wrote:

Anyone ever check out the way AIM stores passwords? The hash is in the
registry and reusable. I'm not sure there's a good way to save the passwords
but by copying the hash and making the proper registry keys you can use the
hash on any other computer. I had some code to do this that would retrieve
the hash and put it in a registry file or just a text file it could read
back but I dont feel like looking for it. Nothing too special just figured
I'd bring it up as I haven't seen this done anywhere.


--
_____________________
Serablue Inc., Nonprofit
http://www.serablue.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
- illwill
http://illmob.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]