Vulnerability Development mailing list archives

Re: [Fwd: R: Oulook password]


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 18 Apr 2000 22:25:15 -0700


Thanks for tracking that down.  On mine (Win98) there's some other
interesting stuff there, too.  I see some Hotmail login stuff (wife
uses Hotmail) and even a couple items for securityfocus.com.  I'm starting
to wonder if this is related to the password remembering feature in IE as
well.

The encoding alg. doesn't leap out at me, but I'll poke at it
a bit.

                                        BB

Gerardo wrote:

HKCU\software\microsoft\internet Account Manager\Accounts\0000000x
Outlook 4

That's not the encrypted password. If you take those numbers and any ASCII table and translate them, you'll get something like this:
1-2- "G"-0-"e"-0-"r"-0-"a"-0-"r"-0-"d"-0-"o"-0-"2"-0-"7"-0-"D"-0-"0"-0-"4"-0-"3"-0-"A"-0-"0"-0-0
Take out the zeroes and the first two bytes (they are always the same two, I think they say which kind of account it is) and you get:
"Gerardo27D043A0"
This is my account name (it is the same for all the accounts) followed by 8 numbers, and they don't change if you change your pass, so they are not the encrypted password either. Maybe some kind of index to somewhere else?

Let's search for it in the registry, ok?... mmm... OOPS!!! There it is! In fact, there are all my other accounts too!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Default*\Data\220d5cc1-853a-11d0-84bc-00c04fd43f8f\417e2d75-84bd-11d0-84bb-00c04fd43f8f\Gerardo27D043A0
There are two values inside the key, and the first one (Behavior) doesn't change with different accounts, so the other one must be the password. Voila! : )

Happy password cracking!!!! =)


