WindowsIEPassword
Internet Explorer's password saver stores its data in the Windows registry, which is read here with Python's `winreg` module.

The key is opened with the `winreg.OpenKey` function.

```python
import winreg

key = winreg.OpenKey(
    winreg.HKEY_CURRENT_USER,
    'Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2'
)
```

The function `winreg.QueryInfoKey` gives us information about the key.

```python
winreg.QueryInfoKey(key)
```
The output is a tuple of 3 items:

| Index | Meaning |
|---|---|
| 0 | An integer giving the number of sub keys this key has. |
| 1 | An integer giving the number of values this key has. |
| 2 | An integer giving when the key was last modified (if available) as 100's of nanoseconds since Jan 1, 1601. |

In our case, we are only interested in the second value (index=1) because it gives us the number of passwords registered. The first element (index=0) will always be 0, because it is not used for storing passwords, and the third and last element (index=2) only gives us the date on which the last password was saved/changed.
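
A read-only inventory check built on the tuple described above, as an added example that is not part of the original page or the project's code: it reports how many entries `Storage2` holds and when the key was last modified, without reading any stored value. The names `summarize` and `audit_storage2` and the sample tuple are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

try:
    import winreg  # only available on Windows
except ImportError:
    winreg = None

STORAGE2 = r"Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert 100-nanosecond intervals since 1601-01-01 (UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def summarize(info):
    """Turn the 3-tuple from winreg.QueryInfoKey into a labelled report."""
    subkeys, values, last_modified = info
    return {
        "subkeys": subkeys,
        "saved_entries": values,  # index 1: number of stored passwords
        # index 2 is 0 when the timestamp is not available
        "last_modified_utc": filetime_to_datetime(last_modified) if last_modified else None,
        "has_saved_entries": values > 0,
    }


def audit_storage2():
    """Return a summary for the current user, or None if there is nothing to report."""
    if winreg is None:
        return None  # not running on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, STORAGE2) as key:
            return summarize(winreg.QueryInfoKey(key))
    except FileNotFoundError:
        return None  # key absent: no password was ever saved by this user


if __name__ == "__main__":
    # Constructed sample tuple: 0 subkeys, 3 values, FILETIME of 2020-01-01 00:00:00 UTC
    print(summarize((0, 3, 132223104000000000)))
    print(audit_storage2())
```

A non-zero `saved_entries` count on a managed workstation indicates that legacy IE credentials are still present in the profile and are candidates for removal.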
Now we can use the `winreg.EnumValue` function to get data about the saved passwords.

```python
winreg.EnumValue(key, x)
```

`x` is the index of the value. It cannot exceed the value given by `winreg.QueryInfoKey`.

The output is a tuple of 3 items:

| Index | Meaning |
|---|---|
| 0 | A string containing the hashed URL of the website. |
| 1 | The encrypted password, as bytes. |
| 2 | An integer that identifies the type of the value data. (See the doc for more information) |

To decrypt IE passwords, the last element is not needed.
It is now necessary to explain how IE records its passwords. To do this, it uses two things: the password, of course, but also the URL of the website it belongs to. But, unfortunately for us and fortunately for security, these URLs are not stored, or at least not in a traceable way. In order to decrypt the passwords, we have to test all the links in the browser's history. This means that if the user clears their history, we can no longer find the site the password came from, short of testing every possibility!
To get the history from IE, use the same template. Here, the key is:

```python
hkey = winreg.OpenKey(
    winreg.HKEY_CURRENT_USER,
    'Software\\Microsoft\\Internet Explorer\\TypedURLs'
)
```

You can get information with the same method. Here, the value is not encrypted.

```python
winreg.EnumValue(hkey, x)[1]
```

Nice. Now we can hash the URL.

```python
import hashlib

# url must be a bytes object; hashlib does not accept str
hashlib.sha1(url).hexdigest().lower()
```

If the hashed value is the same as the string returned by `winreg.EnumValue`, we have found the URL. We then have all the information needed to decrypt the password.
Soon