Vulnerability Development mailing list archives

Re: ICQ Pass Cracker.


From: robertw () WOJO COM (Robert Wojciechowski Jr.)
Date: Thu, 27 Jan 2000 01:21:15 -0500


----- Original Message -----
From: WolF Knox [SMTP:wolfbh () BIGFOOT COM]
Reply To:     wolfbh () bigfoot com [SMTP:wolfbh () bigfoot com]
Sent: Wednesday, January 26, 2000, 13:38:02
To:   VULN-DEV () SECURITYFOCUS COM
Subject:      ICQ Pass Cracker.
Importance:   High

Hello all,
One day I was doing absolutely nothing on the net and I thought, hell,
why not make a password crack for ICQ since it's only 8 chars? Something
like, you put that long-lost-UIN-with-fake-email in a field and the
program will try all the possible combinations to discover the
password, of course, 8 chars is relatively small....the program would
need to have some kind of pause/resume system, like you try today, you
need to disconnect, you pause, go offline, later you come back and try
again resuming since the point you stopped.

I think it's a good idea.


If you are talking about local password attacks, this is pretty easy.  I
think there are many password crackers out on the net if you search.

I don't know about the latest versions (99b), but I recall that ICQ stored
passwords in PLAINTEXT in the .dat file located in <ICQDIR>\db or
<ICQDIR>\db99b, etc.  I checked my .dat file, and found an old password in
there... plain text.  I can't seem to get rid of it, so I will just hex edit
it out.  It amazes me how lazy some programmers can be.

If you want to guess passwords remotely, it's going to take a while.  You
are much better off not using brute force, and using a dictionary based
attack.  Even then, if they notice you are doing that they might just lock
out the account, block your IP, etc. for thousands upon thousands of password
attempts.

I hate ICQ.

Robert S. Wojciechowski Jr.
robertw () wojo com
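
A self-audit for the plaintext storage described in the reply above, as an added example that is not part of the original post: it searches a file's raw bytes for a password you already know, reports each offset, and checks that zeroing those bytes leaves no copy behind. The encoding list, the function names and the sample bytes are assumptions; the page does not describe the .dat layout.

```python
import getpass
import sys
from pathlib import Path

# Assumption: encodings a Windows client might use for a stored string.
ENCODINGS = ("ascii", "cp1252", "utf-16-le")

def find_plaintext(data: bytes, secret: str) -> list:
    """Return sorted (offset, encoding) pairs where secret sits unencoded in data."""
    if not secret:
        raise ValueError("secret must not be empty")
    hits, seen = [], set()
    for enc in ENCODINGS:
        try:
            needle = secret.encode(enc)
        except UnicodeEncodeError:
            continue  # secret not representable in this encoding
        if needle in seen:
            continue  # ascii and cp1252 give identical bytes for ASCII secrets
        seen.add(needle)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def zero_hits(data: bytes, secret: str) -> bytes:
    """Return a copy with every hit overwritten by NUL bytes; length is unchanged."""
    out = bytearray(data)
    for pos, enc in find_plaintext(data, secret):
        size = len(secret.encode(enc))
        out[pos:pos + size] = bytes(size)
    return bytes(out)

# Constructed sample bytes, not a real ICQ database: the same made-up
# password stored once as ASCII and once as UTF-16LE.
SAMPLE = (b"\x00\x01UIN\x00" + b"hunter2" + b"\xff" * 4
          + "hunter2".encode("utf-16-le") + b"\x00")

if __name__ == "__main__":
    # Usage: python audit_plaintext.py <file>; the password is prompted for,
    # so it never lands in shell history or the process list.
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    secret = getpass.getpass("Password to look for: ")
    for offset, enc in find_plaintext(blob, secret):
        print(f"plaintext copy at offset 0x{offset:x} ({enc})")
    left = find_plaintext(zero_hits(blob, secret), secret)
    print("copies left after zeroing:", len(left))
```

The script only reads the file; `zero_hits` works on an in-memory copy, so the database on disk is never modified.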

