Theoretical and Practical Aspects of Recovering Internet Explorer Passwords


    1. The opening statement

    2. The different kinds of passwords that can be saved in Internet Explorer

    2.1. Internet Credentials

    2.2. AutoComplete data

    2.3. Passwords that are pre-filled automatically

    2.4. FTP passwords

    2.5. Passwords required for synchronization

    2.6. Identities and Passwords

    2.7. AutoForms data

    2.8. Password for the Content Advisor

    3. A quick rundown of the many apps that may recover your Internet Explorer password

    4. PIEPR – the first meeting or introduction

    5. Three instances taken from actual life

    5.1. Recovering the FTP credentials of the currently logged-in user

    5.2. Retrieving website passwords from an operating system that has been unloaded

    5.3. Recovering Passwords That Are Not Used Very Often

    6. Concluding remarks

    1. The opening statement

    It is quite unlikely that anybody would contest the claim that Internet Explorer is the most common web browser in use today. According to the data, around seventy percent of those who use the internet prefer to make use of just this one software.

    Although discussions regarding the benefits and drawbacks of this browser may go on indefinitely, there is no denying that it is the market leader in its sector; this is a proven fact. Internet Explorer comes with a number of pre-installed technologies that are intended to make life simpler for the typical user.

    One of them is called IntelliSense, and it is designed to take care of the mundane duties that need to be done, such as automatically completing the addresses of visited webpages, automatically filling out form fields, and users’ passwords, etc.

    The majority of websites available today need users to register before using the site, which requires users to create a user name and password. It is highly recommended that you use a password manager if you use more than a dozen of these types of websites.

    Internet Explorer is not an outlier among current web browsers in that it also includes a password manager as part of its arsenal of features. Indeed, if one is going to forget yet another password at some point in the not-too-distant future, what is the use of having to remember yet another password? It would be much simpler if you could have your browser take care of the mundane tasks of remembering and saving passwords for you. It’s not only practical but also really pleasant.

    This would be an absolutely ideal solution; but, if your Windows operating system were corrupted or was reinstalled in a manner that was not consistent with how it should have been done, you run the risk of losing the complete list of your valuable passwords.

    This is the price you have to pay for the ease and convenience. It is to everyone’s advantage that almost every website offers a button labeled “I forgot password”. Nevertheless, using this button will not always relieve the headache that you are experiencing.


    The issue of recovering a lost password is tackled in a different manner by every software developer. Some of them officially recommend copying a couple of important files to another folder, others send all registered users a unique utility that enables managing the migration of private data, and still others pretend they are not seeing the problem. However, supply is a direct result of demand, and at the moment, there is a significant amount of demand for password recovery applications.

    In this piece, we will make an attempt to categorize the many kinds of private data that may be saved in Internet Explorer, investigate certain applications that can be used to retrieve the data, and look at some real-world cases of retrieving lost Internet passwords.

    2. The many kinds of passwords that may be saved in Internet Explorer

    Internet Explorer has the potential to save the following varieties of passwords:

    – Internet Credentials

    – AutoComplete Data

    – Passwords That Complete Themselves

    – Passwords for the FTP

    – Passwords for synchronization for websites that have been cached

    – Identities Passwords

    – Information from AutoForms

    – Secret Code for the Content Advisor

    Let’s take a more in-depth look at each of the items that were mentioned.

    2.1. Credentials for use on websites pertaining to the internet

    The wininet.dll library is responsible for handling the logins and passwords that users need in order to access certain websites. Internet credentials refer to these logins and passwords. For instance, when you attempt to visit a secured section of a website, you could encounter a prompt like the one shown in figure 1 (http://www.passcape.com/images/ie01.png). This prompt asks for your user name and password.

    Your login credentials will be stored on your local computer if the “Remember my password” option that is shown in that prompt is selected. This information was saved in the user’s PWL file in earlier versions of Windows 9x; however, starting with Windows 2000, it has been saved in the Protected Storage.

    2.2. AutoComplete Data

    AutoComplete data (passwords will be discussed subsequently) are also saved in the Protected Storage and appear as lists of HTML form field names and the matching user data.

    For instance, if an HTML page has a dialog box for entering an e-mail address, once the user has finished entering his e-mail address, the Protected Storage will hold the name of the HTML field, the value of the address, and the time that the record was most recently viewed.

    The title of the HTML page and the URL of the website are not retained. What are your thoughts about that? It is not easy to determine, but it is more likely to be beneficial than harmful. The following are the obvious advantages: It reduces the amount of unused space and boosts the performance of the browser. If you believe that the final note is unimportant, try to envision how you would have to run many more inspections in an auto-fill list that had multiple thousand items (this is not as uncommon as it may appear to be).

    Another clear advantage is that the data for HTML form fields that are similar to one another in name (and often in topic) will be saved in the same location, and the data that is shared between these fields will be utilized for the automated completion of such pages. The following illustration will show us this.

    If a certain HTML page has an auto-fill form with the name ’email,’ and the user enters his email address into that field, Internet Explorer will place in the storage something that approximately translates to ’[email protected]’.

    From this point forward, whenever the user enters another website that has a page with the same field name “email,” the user will be prompted to auto-fill the field with the value that he input on the initial page ([email protected]). As a result, the browser unearths certain innately existing AI capabilities inside itself.

    The primary benefit of this technique of data storage—which we have just gone over—also happens to be its most significant negative. Imagine that a user has filled out the auto-fill information on a website. If a person is aware of the name of an HTML form field, then that person is able to make the simplest possible HTML page on their own computer, give it the same field name, and open it from a local disk. A person in this situation will not even need to connect to the internet and view the original WWW URL in order to discover the data that was placed in this field.

    2.3. Passwords That Complete Themselves

    However, in the case of password data, as you may have anticipated, the data will not be filled in automatically. You will need to manually enter the passwords, because the passwords for auto-complete are saved with the name of the web page, and each password can only be used on a single HTML page in particular.

    Both the AutoComplete passwords and the data are encrypted in a totally different manner in the new version of Internet Explorer, which is version 7. The new encryption technique is free from the deficiency that was just explained (if that can be classified as a shortcoming.)

    It is important to point out that Internet Explorer users have the ability to manually control auto-fill settings by accessing the options menu (figure 2: http://www.passcape.com/images/ie02.png).

    2.4. FTP passwords

    The storage method for FTP site passwords is pretty much the same. It is important to be aware that starting with Windows XP, FTP passwords are also encrypted using DPAPI.

    The login password is used in this kind of encryption. Because of this, it is now much more challenging to manually recover lost passwords, as one would also need to possess the user’s Master Key in addition to the account password and the SID.

    The Data Protection Application-Programming Interface (DPAPI) became available in the operating system beginning with Microsoft Windows 2000 and has continued to be updated. It is only a pair of function calls that provide data protection services at the operating system level to user processes as well as system activities.

    We refer to a service as being “OS-level” when it is one that is offered by the operating system itself and does not call for any extra libraries to be installed. When we talk about data protection, we’re referring to a service that encrypts information in order to keep it private. Because data protection is integrated into the operating system, it is now possible for any program to encrypt data without the need for any specialized cryptographic code other than the function calls required by DPAPI.

    These calls are made to two straightforward routines that together provide a wide variety of customization options for DPAPI behavior. In general, the DPAPI service is quite simple to use, and it will be of great help to developers who are tasked with the responsibility of protecting sensitive application data such as passwords and private keys.

    The DPAPI is a password-based data protection service, which means that in order for it to offer protection, a password is required. The fact that the password that is supplied is the only factor in determining the level of security that is offered by DPAPI is, of course, a downside.

    In order to counteract this, DPAPI makes use of tried-and-true cryptographic procedures. These include the robust Triple-DES and AES algorithms, as well as robust keys, which will be discussed in more detail later on. It is only obvious that DPAPI would employ the user’s login password as a kind of protection given that its primary function is to provide security for users and that providing security involves the usage of a password.

    The DPAPI framework is not accountable for the storage of the secret information that it guards. Its only function is to encrypt and decrypt data for applications that request its assistance, such as the Windows Credential manager, the Private Key storage mechanism, or any other third-party programs.

    In order to get further information, go visit the Microsoft website.

    2.5. Passwords for synchronization on cached webpages

    Users are relieved of the responsibility of entering passwords for cached websites when synchronization passwords are used (sites set to be available offline.) These kinds of passwords are also saved in the Protected Storage section of Internet Explorer.

    2.6. Identities and Passwords

    Likewise, identities and passwords are secret. With the possible exception of Outlook Express, the identity-based access control technique is not widely implemented across Microsoft’s product line.

    2.7. AutoForms Data

    The hybrid approach of data storage that is represented by the form auto-fill method has to be addressed in its own dedicated paragraph. This technique saves the actual data in the Protected Storage, but the user’s registry is used to keep track of the URL that the data are associated with. The URL that was entered into the registry is not saved as plaintext; rather, it is saved as a hash value. The following is the technique for reading data from auto-fill forms in Internet Explorer versions 4 through 6:

    Beginning of the original text ===8======================================================

    //Get the autoform passwords by the given URL
    BOOL CAutoformDecrypter::LoadPasswords(LPCTSTR cszUrl, CStringArray *saPasswords)
    {
        assert(cszUrl && saPasswords);

        saPasswords->RemoveAll();

        //Check whether autoform passwords are present in the registry
        if (EntryPresent(cszUrl))
        {
            //Read the autoform passwords from the PStore
            return PStoreReadAutoformPasswords(cszUrl, saPasswords);
        }

        return FALSE;
    }

    //Check whether autoform passwords are present
    BOOL CAutoformDecrypter::EntryPresent(LPCTSTR cszUrl)
    {
        assert(cszUrl);

        DWORD dwRet, dwValue, dwSize=sizeof(dwValue);
        LPCTSTR cszHash=GetHash(cszUrl);

        //problems with computing the hash
        if (!cszHash)
            return FALSE;

        //Check the registry
        dwRet=SHGetValue(HKCU, _T("Software\\Microsoft\\Internet Explorer\\IntelliForms\\SPW"), cszHash, NULL, &dwValue, &dwSize);
        delete((LPTSTR)cszHash);

        if (dwRet==ERROR_SUCCESS)
            return TRUE;

        m_dwLastError=E_NOTFOUND;
        return FALSE;
    }

    //Get the hash of the given URL text and convert it into hexadecimal format
    LPCTSTR CAutoformDecrypter::GetHash(LPCTSTR cszUrl)
    {
        assert(cszUrl);

        BYTE buf[0x10];
        LPTSTR pRet=NULL;
        int i;

        if (HashData(cszUrl, buf, sizeof(buf)))
        {
            //Allocate some space
            pRet=new TCHAR[sizeof(buf) * sizeof(TCHAR) + sizeof(TCHAR)];
            if (pRet)
                for (i=0; i /* the text is cut off here */

    // The rest of GetHash and the beginning of the hashing routine are missing
    // from this copy of the text. What follows is the surviving end of that routine.

            pHash[dw]=(BYTE)dw;   //body of the pre-initialisation loop (its header is lost)

        //the meat and potatoes of hashing
        while (dwDataSize-- > 0)
        {
            for (dw=dwHashSize; dw-->0;)
            {
                //m_pPermTable = permutation table
                pHash[dw]=m_pPermTable[pHash[dw]^pData[dwDataSize]];
            }
        }
    }

    End of the original text ===8========================================================

    In the seventh version of the browser, which is now in development, this method of storing user data will most likely become the main data storage technique, replacing the tried-and-true Protected Storage.

    It would be more accurate to state that data for auto-fill and passwords are going to be kept here going forward. What is it about this process that is so unique and intriguing that the MS decided to adopt it as their main method? To begin, the encryption concept, which is not in the least bit novel but is, all things considered, straightforward and brilliant, was the source of the scandal.

    It is proposed that instead of maintaining encryption keys, they should be generated on demand rather than being kept in a central location. The Web address of an HTML page would serve as the primary component of such keys.

    Let’s put this concept to the test and see how it performs. The following is a simplified version of the method that Internet Explorer 7 uses to save auto-fill data and password fields:

    1. Make a note of the address of the website. This address will serve as the encryption key that we utilize (EncryptionKey).

    2. Acquire the record key. RecordKey = SHA(EncryptionKey).

    3. Determine the checksum for the record key in order to confirm the record key’s authenticity (the integrity of the actual data will be guaranteed by DPAPI). RecordKeyCrc = CRC(RecordKey).

    4. Encrypt the sensitive information (passwords) with the encryption key. EncryptedData = DPAPI_Encrypt(Data, EncryptionKey).

    5. Save the RecordKeyCrc and RecordKey together with the EncryptedData in the registry.

    6. Throw away the EncryptionKey.

    If you are unable to provide the URL of the original website, it would be quite challenging to retrieve the password. The decryption seems to be an extremely simple task:

    1. When the original web page is loaded, we copy its address (EncryptionKey) and use it to derive the record key. RecordKey = SHA(EncryptionKey).

    2. Search the list of all record keys for the RecordKey by going through the list one record key at a time.

    3. If the RecordKey is located, use the EncryptionKey to decrypt the data that was saved in conjunction with this key. Data = DPAPI_Decrypt(EncryptedData, EncryptionKey).

    The Web password encryption mechanism in question is one of the most secure ones available today, despite its apparent lack of complexity. However, there is a significant disadvantage to it (or advantage, depending which way you look at it.) If you alter the URL of the original website or forget it altogether, it will be impossible to retrieve the password for that website.
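
    The save and lookup steps above, as an added model that is not code from this article, from PIEPR or from Internet Explorer. It assumes that SHA means SHA-1, that CRC means CRC-32 and that URLs are UTF-8 encoded, and it replaces DPAPI with a portable stand-in; the names StandInDpapi and UrlKeyedStore and the sample URL are constructed for the illustration.

```python
# Added model of the URL-keyed record store; assumptions: SHA = SHA-1, CRC = CRC-32,
# UTF-8 URLs, and DPAPI replaced by a stand-in (HMAC-SHA256 keystream plus MAC).
import hashlib
import hmac
import os
import zlib


class StandInDpapi:
    """Plays the role of DPAPI: a per-user secret mixed with caller entropy."""

    def __init__(self, user_secret: bytes):
        self._secret = user_secret  # real DPAPI: logon password + Master Key

    def _keys(self, entropy: bytes):
        base = hmac.new(self._secret, entropy, hashlib.sha256).digest()
        return (hmac.new(base, b"enc", hashlib.sha256).digest(),
                hmac.new(base, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        stream = b""
        counter = 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def protect(self, data: bytes, entropy: bytes) -> bytes:
        enc_key, mac_key = self._keys(entropy)
        nonce = os.urandom(16)
        body = nonce + self._xor_stream(enc_key, nonce, data)
        return body + hmac.new(mac_key, body, hashlib.sha256).digest()

    def unprotect(self, blob: bytes, entropy: bytes) -> bytes:
        enc_key, mac_key = self._keys(entropy)
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob does not belong to this user/entropy")
        return self._xor_stream(enc_key, body[:16], body[16:])


class UrlKeyedStore:
    """Stand-in for the registry: a list of (RecordKey, RecordKeyCrc, blob)."""

    def __init__(self, dpapi: StandInDpapi):
        self._dpapi = dpapi
        self.records = []

    @staticmethod
    def record_key(url: str) -> str:
        return hashlib.sha1(url.encode("utf-8")).hexdigest().upper()

    def save(self, url: str, secret: bytes) -> None:
        encryption_key = url.encode("utf-8")                  # step 1
        record_key = self.record_key(url)                     # step 2
        record_crc = zlib.crc32(record_key.encode("ascii"))   # step 3
        blob = self._dpapi.protect(secret, encryption_key)    # step 4
        self.records.append((record_key, record_crc, blob))   # step 5
        # step 6: encryption_key goes out of scope; the URL is never stored

    def load(self, url: str):
        wanted = self.record_key(url)
        for record_key, record_crc, blob in self.records:
            if zlib.crc32(record_key.encode("ascii")) != record_crc:
                continue  # damaged record key: skip it
            if hmac.compare_digest(record_key, wanted):
                return self._dpapi.unprotect(blob, url.encode("utf-8"))
        return None  # no record for this exact URL


def demo():
    """Run a constructed scenario and return what each lookup produced."""
    url = "https://intranet.example.test/login"   # constructed sample URL
    owner = UrlKeyedStore(StandInDpapi(os.urandom(32)))
    owner.save(url, b"alice:constructed-sample-password")
    results = {
        "same_url": owner.load(url),
        "changed_url": owner.load(url + "?lang=en"),
        "url_in_record": any(url in repr(r) for r in owner.records),
    }
    # The same stored records read under another account's key material.
    other = UrlKeyedStore(StandInDpapi(os.urandom(32)))
    other.records = list(owner.records)
    try:
        other.load(url)
        results["other_user"] = "decrypted"
    except ValueError:
        results["other_user"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The model shows the two independent conditions the text describes: the exact original URL is needed to find and unlock a record, and the blob still only opens under the key material of the user who saved it.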


    2.8. Password for the Content Advisor

    And last, the password for the Content Advisor is the final thing on our list. The initial purpose of Content Advisor was to serve as a tool for limiting users’ access to certain websites. On the other hand, many people who used it did not like it for whatever reason (surely, you may disagree with this.)

    If you have previously activated Content Advisor, entered a password, and then later forgot the password, you will no longer be able to access the vast majority of websites that are available on the Internet. Fortunately (or unluckily), this is something that is simple to rectify. The real password for the Content Advisor is not saved in unencrypted form anywhere.

    Instead, the MD5 hash is computed by the system, and the result is stored in the Windows registry. When the user makes an attempt to enter the restricted area, the password that they have entered is hashed, and the resulting hash is compared to the one that is already saved in the registry. Take a look at the PIEPR source code that verifies the password for Content Advisor:

    Beginning of the original text ===8====================================================

    void CContentAdvisorDlg::CheckPassword()
    {
        CRegistry registry;   //registry helper; its declaration is not shown in the text, so the class name is an assumption

        //read the registry
        registry.SetKey(HKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Ratings");

        BYTE pKey[MD5_DIGESTSIZE], pCheck[MD5_DIGESTSIZE];
        if (!registry.GetBinaryData("Key", pKey, MD5_DIGESTSIZE))
            return;   //the stored hash could not be read

        //Get the one set by the user
        CString cs;
        m_wndEditPassword.GetWindowText(cs);
        MD5Init();
        MD5Update((LPBYTE)(LPCTSTR)cs, cs.GetLength()+1);   //the terminating zero is hashed as well
        MD5Final(pCheck);

        //Check the hashes
        if (memcmp(pKey, pCheck, MD5_DIGESTSIZE)==0)
            MessageBox(MB_OK, "The password is correct!");
        else
            MessageBox(MB_OK, "Wrong password.");
    }

    End of the original text ===8========================================================

    The first thing that may cross your mind is to attempt to guess the password by using either a brute-force or dictionary attack. Having said that, there is a more refined approach. The hash does not have to stay in the registry: you can simply delete it. That’s it; it really is that easy… Better still, rename it instead of deleting it, so that you can easily restore it if you ever find that you need it. In certain applications, users are also able to verify the password for the Content Advisor, “drag out” a password hint, turn the password on and off, and so on.

    3. A Concise Overview of Internet Explorer Password Recovery Applications

    It is important to note that not all password recovery programs assume there are so many methods to recover passwords. It is quite probable that this is due to the fact that some passwords (for example, synchronization passwords) are not often used in real life, and FTP passwords are not so easily ‘dragged out.’ The following is a brief overview of the most popular commercial products for recovering passwords for the most popular browser on the planet.

    Advanced Internet Explorer Password Recovery, produced by the not-so-unknown business ElcomSoft, is unable to decipher encrypted FTP passwords or AutoForm passwords. It is not out of the question that the most recent version of the program has picked up the ability to do that. It has a simple, convenient user interface, and the software is capable of receiving automatic updates when connected to the internet.

    Internet Explorer Key from PassWare is the same way in that it does not recognize particular varieties of passwords. When reading some unusual forms of URLs generated by Internet Explorer, the software may occasionally crash with a fatal error. It displays the first two characters of any passwords that are being retrieved. The advantages that are worth mentioning are the streamlined user interface as well as the ease of operation.

    Internet Explorer Password from Thegrideon Software is not terrible, but can recover only three kinds of Internet Explorer passwords (this is enough for the majority of cases). It handles FTP credentials in the appropriate manner. There are several issues with retrieving AutoForm passwords in version 1.1. It has a user interface that is both easy to use and, in some ways, reminiscent of AIEPR. It is possible to be completely overawed by the website of the organization due to its attractiveness and usefulness.

    Internet Password Recovery Toolbox, which is offered by Rixler Software, has certain functionality that is superior to that of its rivals discussed above. It is able to decrypt FTP credentials that have been encrypted and to remove resources of your choosing. Nevertheless, there are a few bugs in the code. For instance, some kinds of IE entries cannot be removed from the index. The application has a very helpful and comprehensive help file.

    ABF Password Recovery, available from ABF software, is an excellent tool that has an intuitive user interface. The application only supports a limited number of different kinds of Internet Explorer records. Nevertheless, it addresses each of them in an adequate manner. This software falls into the category of multi-functional applications since it may also be used to recover passwords for other types of software.

    The primary limitation shared by all of the tools that have been mentioned here is that they can only recover passwords for the person who is presently logged in. As was mentioned before, the majority of the resources that have been saved in Internet Explorer are held in a specialized storage area known as Protected Storage.

    Protected Storage was designed specifically for the purpose of storing sensitive information. Because of this, the functions for interacting with it, which are referred to as PS API, are not documented. Protected Storage was originally presented with the launch of Internet Explorer version 4, which, in contrast to the third version, was completely rewritten from the ground up. Applications can take advantage of the Protected Storage interface in order to store user data that either needs to be encrypted or cannot be altered in any way.

    Items is the term used for individual units of data that are saved. The Protected Storage system cannot see either the structure or the content of the data that has been saved. Access to Items is subject to confirmation according to a user-defined Security Style, which describes what confirmation is necessary to access the data, such as whether or not a password is required.

    For example, if a password is required, then access to the data would be subject to confirmation. In addition, access to the Items themselves is governed by a rule set called Access. There is an Access rule for each Access Mode: for example, read/write. Access Clauses are the building blocks of an access regulation set.

    Typically, during the process of setting up an application, a mechanism is given that enables a new program to seek from the user access to Items that may have been produced in the past by another application. This access may then be granted by the user. A Key, Type, Subtype, and Name are required in order to generate a one-of-a-kind identifier for an item.

    The Key is a constant that determines whether the Item in question is connected with simply this particular user or with the computer as a whole. The Name is a string that is, in most cases, selected by the user. Typically, the application is the one that decides on the GUIDs for Type and Subtype.

    The system registry stores additional information about Types and Subtypes. These details include properties such as Display Name and UI hints. When dealing with Subtypes, the parent Type is always used, and this information is saved in the system registry as a property. One example of a typical use for the Type group Items would be in the fields of payment or identification.

    The Items subtype group uses the same data format throughout the group. Consequently, up until a fairly recent point in time, each and every tool that could recover Internet Explorer passwords relied on that undocumented API. Because of this, a significant limitation was placed on the recovery efforts, and that limitation is as follows: the PS API can only operate with the passwords of users who are currently logged in.

    When the system encrypts data that is stored in Protected Storage, in addition to everything else, it uses the user’s SID. Without the user’s SID, it is literally impossible (considering the current level of computers’ ability to calculate), to recover stored passwords. Protected Storage employs a method of data encryption that has been given a great deal of careful consideration and which makes use of master keys and robust algorithms such as des, sha, and shahmac.

    These days, the majority of current browsers, such as Opera and Firefox, employ data encryption algorithms that are quite similar to one another. In the meanwhile, Microsoft is steadily but discreetly working on new ones and testing them.

    At the time that this article was written, the only thing that Protected Storage was employed for in the pre-Beta version of Internet Explorer 7 was the storage of FTP passwords. The examination of this early version reveals that Microsoft is planning another “surprise” in the shape of new and innovative encryption techniques.

    This is suggested by the fact that they are working on developing these algorithms. It is not known for certain, but it is quite possible that the data security technology known as InfoCard developed by the new business will be used in the encrypting of confidential information.

    Therefore, one can assert with a great deal of certainty that with the release of Windows Vista and the seventh version of Internet Explorer, passwords will be stored and encrypted with fundamentally new algorithms, and the Protected Storage interface, to all appearances, will become open for use by third-party developers.

    This is a statement that can be made with a great deal of confidence. We are of the opinion that Protected Storage has not been used to its full potential, and this makes us a little bit sad. And here is why we are of this opinion:

    – To begin, Protected Storage is built on a modular structure, which enables it to accept additional storage providers when they are plugged in. However, over the previous 10 years while Protected Storage existed, not a single new storage provider was created. System Protected Storage is the only storage provider that is utilized by default inside the operating system.

    – Second, Protected Storage comes with its own built-in access control system, which, for some inexplicable reason, is not used by Internet Explorer or any of the other Microsoft applications.

    – Third, the reasoning behind Microsoft’s decision to not use Protected Storage when storing AutoComplete data and passwords is not entirely transparent. It is being given up as a tried-and-true data storage system in favor of an alternative. When a new encryption technique is being put into place, it would be more rational to preserve Protected Storage at least for the purpose of keeping data. There were surely significant reasons for it. As a result of this, it would be fascinating to hear the views of MS professionals about this topic.

    4. PIEPR – the first acquaintance

    Passcape Internet Explorer Password Recovery was developed for the sole purpose of getting around the restriction imposed by the PS API and making it possible to recover passwords directly from the binary files of the registry.

    In addition to that, it offers advanced users a variety of additional features. The program’s wizard gives you the option to choose one of several modes of operation, including:

    – Automatic: passwords for the currently logged in user are retrieved by using the protected PS API interface. With just one click of the mouse, you will be able to retrieve all of the passwords that are presently being kept in Internet Explorer for the current user.

    – Manual: passwords are retrieved without the PS API.

    The power to retrieve passwords from your previous Windows account is the primary benefit offered by the manual procedure. For this reason, you will be required to input the location of the user’s registry file. Registry files are generally inaccessible for reading, but the technique employed in PIEPR makes it possible to read them anyway (provided you have the local administrative rights.)

    The name of the file that stores the user’s registry is ntuser.dat, and it can be found in the user’s profile, which is typically located at %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%, where %SYSTEMDRIVE% refers to the disk that contains the operating system and %USERNAME% is the user’s account name.

    As an illustration, the path to the registry file might look something like this: C:\Documents and Settings\John\ntuser.dat. Protected Storage will automatically store a copy of your older private data once you update your operating system to Windows NT if you have ever been a satisfied user of Windows 9x or Windows ME. This service is provided free of charge.

    As a consequence of this, Protected Storage may include several user identities; thus, PIEPR will prompt you to choose the correct one before proceeding with the decryption of the data (see figure 3 at http://www.passcape.com/images/ie03.png for more information).

    The data that was left behind by the older version of Windows 9x/ME will be stored in one of the SIDs that are listed. These data are additionally encrypted with the user’s logon password; however, PIEPR does not currently support the decryption of such data at this time.

    In the event that ntuser.dat contains encrypted passwords (for example, passwords to FTP sites), the program will require additional information in order to decrypt those passwords (fig. 4: http://www.passcape.com/images/ie04.png):

    – The login password for the user whose data are going to be decrypted

    – The whole directory path to the user’s MasterKey

    – User’s SID

    In a normal situation, the program searches for the last two items in the user’s profile and then automatically fills in that data.

    If, on the other hand, ntuser.dat was copied from a different operating system, you will be responsible for addressing this issue on your own. The task may be completed quickly and easily by copying the full folder that contains the user’s Master Key (there may be several keys in this folder) into the folder that contains ntuser.dat. On your local computer, the Master Key may be found in the following folder: %SYSTEMDRIVE%:\Documents and Settings\%USERNAME%\Application Data\Microsoft\Protect\%UserSid%, where %SYSTEMDRIVE% refers to the system disk that contains the operating system, %USERNAME% is the account name, and %UserSid% is the user’s SID. For instance, the path to the folder containing a master key may look something like this:

    C:\Documents and Settings\John\Application Data\Microsoft\Protect\S-1-5-21-1587165142-6173081522-185545743-1003. It is strongly suggested to create a duplicate of the full folder labeled S-1-5-21-1587165142-6173081522-185545743-1003, since it has the potential to contain several Master Keys.

    After that, PIEPR will choose the appropriate key for you automatically. Because Windows designates some directories as hidden or system, the contents of such folders cannot be seen using the Windows Explorer file manager. Either change the settings for the view to include the ability to display hidden and system objects, or switch to a different file manager to see them.

    PIEPR will automatically discover the appropriate data after the folder containing the user’s Master Key has been transferred to the folder containing ntuser.dat. At this point, the only thing you will need to do in order to recover FTP passwords is input the user’s password. It has previously been mentioned that the passwords for Content Advisor are not maintained in plain text; rather, they are stored as hashes. Content Advisor passwords are hashed.

    To unlock websites that have been locked using Content Advisor, it is sufficient to delete the password in the Content Advisor password management window (the deleted password may be restored at any moment in the future) or to alter the hash.

    Additionally, if there is a password hint for your account, PIEPR will show it to you.

    The fourth mode of operation for PIEPR is the asterisks password mode, which recovers Internet Explorer passwords hidden behind asterisks. Simply drag the magnifier over to the window with the **** password, and you will be able to retrieve the password.

    This utility makes it possible to recover passwords for other applications as well, such as Windows Explorer and several browsers that are based on IE or similar technologies.

    The fundamental Internet Explorer password recovery modes have now been examined in detail. There are also a number of other capabilities, such as the ability to view and edit cookies, the cache, and the history of visited sites, among other things.

    We are not going to go over them in great detail; rather, we are going to take a look at some examples of password recovery that were performed using PIEPR.

    5.1. Three Real-Life Examples. Example 1: Recovering the FTP password for the currently logged-in user

    Internet Explorer displays the login box whenever the user attempts to access an FTP server (figure 5: http://www.passcape.com/images/ie05.png). If you have visited this website and checked the box labeled “Save password” in the authentication dialog, then the password has been saved in Protected Storage.

    Because of this, regaining access to it is an extremely simple process. After making sure that PIEPR is set to operate in the automatic mode, click the “Next” button. Find our resource in the new dialog box that has appeared with the encrypted credentials (the site name must appear in the Resource Name column). As we can see, the decryption of the password for the currently logged-in user shouldn’t present any unusual challenges.

    Oh, and if the password is not detected for whatever reason, check the auto-complete settings in Internet Explorer again. It’s possible that you haven’t enabled the browser to remember passwords in its settings.

    5.2. Three Examples Taken From Real Life. Example 2: We need to retrieve website passwords, and the operating system cannot be booted

    This is a common scenario, but fortunately it won’t end in tragedy.

    After a failed attempt to reinstall Windows, users may often discover that they need to restore their passwords for Internet Explorer. In either scenario, we will have the user’s previous profile along with all of the files that were included inside it. This set is normally sufficient to complete the task at hand.

    When Windows is reinstalled, it providently saves the previously used profile under a new name. For example, if your account name was John, after renaming it may appear as John.WORK-72C39A18. Obtaining access to the files stored in the previous profile is the first and most important task that you must do.

    There are two approaches to taking care of this matter:

    – Install a new operating system, such as Windows XP, on a separate hard drive and hook up the older hard drive to it.
    – Produce a disk that can boot Windows NT. A wide variety of tools for creating boot disks and USB flash drives is available online. You could use something like WinPE or BartPE, for instance, or a different one.

    If your previous profile was saved on an NTFS partition of your hard drive, the boot disk will need to support the NTFS file system in order to access it. Let’s take the first approach. As soon as we are able to access the previous profile, the next step will be to tell the computer to reveal hidden and system files. If we don’t do this, the files we require won’t be visible.

    Launch the Control Panel, navigate to the Folder Options menu, and after that, click on the View tab. On this tab, locate the option that reads “Show hidden files and folders,” and then make sure that it is selected. Remove the checkmark from the box labeled “Hide protected operating system files.”

    It is recommended that after all of the relevant passwords are retrieved, these settings be reset to the way they were configured initially. Launch the program’s wizard in the manual mode, and then input the path to the registry file of the previous profile. In our particular instance, this is C:\Documents and Settings\John.WORK-72C39A18\ntuser.dat, where John.WORK-72C39A18 is the name of the previous account. Simply press the “Next” button.

    This information should, in most cases, be adequate for retrieving lost passwords for Internet Explorer. However, if there is at least one encrypted FTP password, the program will ask for the additional data it needs in order to recover it:

    – The user’s password
    – The user’s Master Key
    – The user’s SID

    Normally, the program finds the last two items in the user’s profile and fills in that data automatically.

    If this did not happen, you can still do the task manually by copying ntuser.dat and the folder containing the Master Key into a separate folder. It is essential to copy the full folder, since it can include many keys, and the software will choose the correct one on its own. After that, input the path to the ntuser.dat file that you copied to the separate folder. That's it. Now we need to input the old account password, and the recovery will be accomplished.
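
    The manual copy described here, and in the manual-mode walkthrough earlier, puts ntuser.dat and the Master Key folder side by side. The Python check below is an added example, not part of PIEPR or of the original article: it confirms that such a working folder holds a registry hive and a SID-named folder with GUID-named Master Key files. The function names and sample file names are assumptions, and the sample tree is constructed with dummy bytes.

```python
import re
import tempfile
from pathlib import Path

SAMPLE_SID = "S-1-5-21-1587165142-6173081522-185545743-1003"  # SID quoted in the article
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def check_working_folder(folder):
    """Report what a recovery working folder holds and what is still missing."""
    report = {"hive": None, "master_keys": {}, "problems": []}
    for entry in Path(folder).iterdir():
        if entry.is_file() and entry.name.lower() == "ntuser.dat":
            with entry.open("rb") as fh:
                is_hive = fh.read(4) == b"regf"  # signature that opens a registry hive
            report["hive"] = entry.name
            if not is_hive:
                report["problems"].append(f"{entry.name} does not start with 'regf'")
        elif entry.is_dir() and SID_RE.fullmatch(entry.name):
            # Master Key files carry GUID names; other files (Preferred) are skipped.
            keys = sorted(f.name for f in entry.iterdir()
                          if f.is_file() and GUID_RE.fullmatch(f.name))
            report["master_keys"][entry.name] = keys
            if not keys:
                report["problems"].append(f"{entry.name}: no Master Key files inside")
    if report["hive"] is None:
        report["problems"].append("ntuser.dat not found")
    if not report["master_keys"]:
        report["problems"].append("no folder named after the user's SID")
    return report

def build_sample(root, copy_keys=True):
    """Constructed stand-in for a copied profile; every file holds dummy bytes."""
    root = Path(root)
    (root / "ntuser.dat").write_bytes(b"regf" + bytes(28))
    sid_dir = root / SAMPLE_SID
    sid_dir.mkdir()
    names = ("0f3a1c2e-1111-4222-8333-444455556666",
             "9b8c7d6e-aaaa-4bbb-8ccc-ddddeeeeffff", "Preferred")
    for name in names if copy_keys else ():
        (sid_dir / name).write_bytes(b"\0")
    return root

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (check_working_folder(build_sample(a)),
                check_working_folder(build_sample(b, copy_keys=False)))

if __name__ == "__main__":
    print(demo())
```

    The second sample reproduces the common mistake of copying the SID folder without its contents, which the check reports as a problem.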

    You are free to skip the user’s password, Master Key, and SID entry dialogs if you have no interest in the FTP passwords.

    5.3. Three Examples Taken From Real Life. Example 3: Recovering passwords that were stored in a less common location

    The authentication dialog pops up whenever one of our computers attempts to access a website for the first time.

    However, neither the automatic nor the manual mode of PIEPR is successful in recovering the password. Internet Explorer’s ‘Save password’ option is set to be active by default. This password is something that needs to be recovered. Indeed, certain websites don’t permit the browser to keep passwords in the auto-complete passwords list. Often, such websites are developed in Java, or they employ other password storage mechanisms; e.g., they save passwords in cookies.

    A cookie is a very small piece of text that travels along with page requests and other information as it is transferred from a web server to a browser. When the user returns to the site, the Web application may access the information stored in the cookie since it includes the user’s login credentials.

    Cookies are a helpful tool that web applications may utilize to store information that is personal to individual users. When a person visits your website, for instance, you may use cookies to record the user’s preferences as well as other information about the user. When the user returns to your website at a later date, the program is able to recover the information it had previously stored since it had been saved. Cookies are put to use for a wide variety of tasks, all of which are directed toward assisting the website in remembering who you are.

    Cookies, in their most basic form, are a tool that helps websites store information about site users. A cookie also works as a type of calling card, offering relevant identification that helps an application know how to continue. But cookies are frequently blamed for insufficient security and imprecise user identification.
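
    A site that keeps the password itself in a cookie leaves it readable in the user's profile. The Python audit below is an added example, not code from the article or from PIEPR: it parses cookie text in the commonly documented Internet Explorer layout (name, value, host/path, flags, two expiry words, two creation words, then a line holding *) and reports fields whose names suggest a password. The layout, the function names and the forum.example site are assumptions, and the sample data is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, unquote

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
CRED_KEY = re.compile(r"pass|pwd|secret", re.I)
HEX_DIGEST = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", re.I)

def parse_ie_cookie_file(text):
    """Split an IE cookie text file into records; each record ends with '*'."""
    records, block = [], []
    for line in text.splitlines():
        if line.strip() != "*":
            block.append(line.strip())
            continue
        if len(block) >= 6:  # name, value, host/path, flags, expiry low, expiry high
            ticks = (int(block[5]) << 32) | int(block[4])  # FILETIME, 100 ns units
            records.append({"name": block[0], "value": block[1], "site": block[2],
                            "expires": EPOCH_1601 + timedelta(microseconds=ticks // 10)})
        block = []
    return records

def credential_fields(record):
    """Yield (key, value, kind) for fields whose name suggests a password."""
    decoded = unquote(record["value"])
    # The cookie itself, plus any key=value pairs packed inside its value.
    pairs = [(record["name"], decoded)] + parse_qsl(decoded)
    for key, value in pairs:
        if CRED_KEY.search(key) and value:
            kind = "digest-like" if HEX_DIGEST.fullmatch(value) else "plaintext-like"
            yield key, value, kind

def audit(text):
    """Return (site, field, kind, expiry year) for every credential-like field."""
    return [(r["site"], key, kind, r["expires"].year)
            for r in parse_ie_cookie_file(text)
            for key, _value, kind in credential_fields(r)]

def build_sample():
    """Constructed sample: three cookies for a made-up site, expiring 2030-01-01."""
    span = datetime(2030, 1, 1, tzinfo=timezone.utc) - EPOCH_1601
    ticks = int(span.total_seconds()) * 10**7
    lo, hi = ticks & 0xFFFFFFFF, ticks >> 32
    cookies = [("password", "hunter2-example"), ("theme", "dark"),
               ("auth", "user%3Djohn%26pwd%3D" + "ab" * 16)]
    return "".join(f"{n}\n{v}\nforum.example/\n1024\n{lo}\n{hi}\n0\n0\n*\n" for n, v in cookies)

if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

    A "digest-like" result only means the value looks like a hex digest rather than the password itself; together with a far-off expiry year it still marks a cookie worth reviewing.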

    If the password field is filled with asterisks, the answer is clear: pick the ASTERISKS PASSWORDS operating mode and then open the magic magnifier dialog. Then, just drag the magnifier over to the Internet Explorer window (figure 6: http://www.passcape.com/images/ie06.png). The password (or passwords, if the Internet Explorer window has several fields marked with asterisks) should then appear in the PIEPR window (figure 7: http://www.passcape.com/images/ie07.png). But things aren’t usually as cut and dried as that.

    The password field may be blank, or it may really contain ***** as its contents. As you have probably figured out by now, the ASTERISKS PASSWORDS tool won’t be of any help in this scenario. It’s possible that the password is saved in the cookies on your computer. Let’s make an effort to find it. Choose the IE Cookie Explorer tool (figure 8: http://www.passcape.com/images/ie08.png). The dialog that appears will list the websites that store cookies on your computer. To arrange the list of websites in alphabetical order, click on the header of the URL column. This will help us locate the correct website more easily.

    Look over the list of websites, and choose the one that meets our requirements. The cookies for this website are shown in the list below (figure 9: http://www.passcape.com/images/ie09.png). As the figure demonstrates, in our case the username and password are not encrypted; they are saved in plain text.

    Cookies are often encrypted. In that scenario, it is quite unlikely that you would be successful in retrieving the password. Start a brand-new user profile if you really want to give yourself the best chance of regaining access to your old account. After that, you will be able to use a text editor to make a copy of the previous cookies and replace them with the new ones.

    However, this is something that should only be used in extreme circumstances; it is not recommended that you use it in everyday life. It is important to keep in mind that almost all sites and forms that need passwords also feature a button labeled “Forgot password.”

    6. Conclusion

    As this post indicates, recovering Internet Explorer passwords is a very straightforward process, which does not need any particular expertise or abilities. Nevertheless, despite the seeming ease, password encryption systems and algorithms are really well thought out and just as well executed.

    Even though the Protected Storage concept has been around for more than ten years, it is important not to forget that it has consistently been shown to be the most highly recommended solution by industry professionals and has been integrated into all three generations of this widely used browser. Microsoft is preparing fundamentally new strategies for protecting our private data, which will be implemented with the release of the next, 7th version of Internet Explorer.

    These new schemes will make use of improved encryption algorithms and eliminate shortcomings that are specific to Protected Storage. In particular, research conducted on early beta versions of Internet Explorer 7 has shown that autoform password encryption keys are no longer saved with the data. They are not stored, period! This is a small piece of know-how, which is to be valued at its genuine worth by both professionals and end users, who will eventually benefit from it regardless.

    The most important point, however, is that the introduction of the new idea will do away with the most significant disadvantage that is specific to Protected Storage: the possibility of recovering passwords without being in possession of any extra information. To be more precise, it was enough for a prospective hacker to obtain physical access to the contents of a hard disk in order to steal or destroy passwords and other confidential data belonging to users.

    The scenario is going to shift a little bit when Internet Explorer 7 is finally made available. In the meanwhile, all we can do is sit tight till Windows Vista and Internet Explorer 7 are released so that we can get a better look at the new encryption algorithms that will be used in the subsequent version of this widely used browser.