Exposing the Google Password Secrets

The Google account is the single centralized account used by all Google
services such as Gmail, Picasa, GTalk, iGoogle, Desktop Search and many
more. Most of Google's desktop applications, such as GTalk and Picasa,
store the Google account password for future use. Most browsers, such as
Internet Explorer, Firefox and Chrome, also store the login passwords for
visited websites in their secret store.

This research article throws light on the internal password storage and
encryption mechanisms used by some of the prominent applications to store
the Google account password. It also shows the methods to decrypt the
Google password for each of these applications.

GTalk is Google's instant messenger application with integrated voice and
video chat. Like any other Google application, it uses the same Google
account password and stores it in an encrypted format for subsequent
logins. It stores the account information at the following location in
the registry:

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

For each account, it creates a separate key with the account name under
this registry location as shown below.

For each stored account, the encrypted password is stored in the registry
value 'pw'. GTalk encrypts the Google account password using Windows
Cryptography functions. Here are the step-by-step instructions to decrypt
this password.
- Enumerate through the GTalk accounts registry key and get the
stored account name & encrypted password.
- Now get the currently logged on username & domain name of
the system.
- Create the hash of the username and then hash the domain
name on top of it to create entropy data of 16 bytes.
- Next hash the encrypted password with magic numbers.
- Finally pass this modified password and entropy data to
CryptUnprotectData function to decrypt the password.

Picasa is the free photo editing software from Google. It facilitates
managing photo albums and uploading them to the online Google Picasa store
for sharing with the community. It uses the same Google account for
transferring pictures to the online web account and stores this password
in an encrypted format for subsequent logins.

Picasa stores the Google account login details at the following location
in the registry:

HKEY_CURRENT_USER\Software\Google\Picasa\Picasa3\Preferences

For earlier versions, the registry key name Picasa2 is used instead of
Picasa3. The Google account name & encrypted password are stored in the
registry values 'GaiaUser' & 'GaiaPass' respectively, as shown below.

Like Google Talk, it also uses Windows Cryptography functions to protect
the password. Here are the basic steps to decrypt the password stored by
Picasa.
- Retrieve the stored username & encrypted password from above
registry location.
- Convert the account name to format 'gaia::<account name>' (for example
"gaia::securityxploded")
- Modify the encrypted password with crypto magical operations.
- Next derive the crypto key using the modified account name as
password.
- Finally decrypt the password using CryptDecrypt function by passing
the derived 'crypto key' and modified password.

The above-mentioned decryption mechanism applies to Picasa versions
earlier than 3. From version 3 onwards, Picasa has changed its password
encryption mechanism. Reversing is currently in progress to decipher the
same.

Gmail Notifier is a standalone system tray plugin which notifies the user
about incoming mail in the currently configured Gmail account. Depending
on the Internet Explorer version, Gmail Notifier uses a different method
to store the Google account password. For IE version 7 or later, it uses
the 'Windows Credential Provider' to store the password securely. Here
are the simple steps to recover the password:
- Enumerate through all the stored passwords in the 'Windows Credential
Provider' using the CredEnumerate function.
- Select the entries which are associated with the Google account by
checking if TargetName begins with the text
'Microsoft_WinInet_www.google.com:443'
- For each of these discovered Google accounts, decrypt the password
using the CryptUnprotectData function.

Here is the sample code illustrating this method.
Credits: Thanks to SapporoWorks for the original work.

    #include <windows.h>
    #include <wincred.h>
    #include <wincrypt.h>
    #include <stdio.h>
    #include <string.h>

    // Link with Advapi32.lib and Crypt32.lib.
    // Build as ANSI (not UNICODE) so that TargetName is a char string.
    void DecryptGmailNotifierPassword()
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;
        DATA_BLOB OptionalEntropy;
        short int tmpSalt[37];
        const char *strSalt = "abe2869f-9b47-4cd9-a358-c22904dba7f7";
        const char *strTarget = "Microsoft_WinInet_www.google.com";
        char strCredentials[1024];
        char strUsername[1024];
        char strPassword[1024];

        //Create the entropy/salt required for decryption...
        //(36 characters plus the terminating NUL, each multiplied by 4)
        for (int i = 0; i < 37; i++)
            tmpSalt[i] = (short int)(strSalt[i] * 4);

        OptionalEntropy.pbData = (BYTE *)tmpSalt;
        OptionalEntropy.cbData = sizeof(tmpSalt);   // 74 bytes

        DWORD Count;
        PCREDENTIAL *Credential;

        //Now enumerate all http stored credentials....
        if (CredEnumerate(NULL, 0, &Count, &Credential))
        {
            for (DWORD i = 0; i < Count; i++)
            {
                if ((Credential[i]->Type == CRED_TYPE_GENERIC) &&
                    _strnicmp(Credential[i]->TargetName, strTarget, strlen(strTarget)) == 0)
                {
                    DataIn.pbData = (BYTE *)Credential[i]->CredentialBlob;
                    DataIn.cbData = Credential[i]->CredentialBlobSize;

                    if (CryptUnprotectData(&DataIn, NULL, &OptionalEntropy, NULL, NULL, 0, &DataOut))
                    {
                        //Extract username & password from credentials (username:password)
                        sprintf_s(strCredentials, 1024, "%S", (wchar_t *)DataOut.pbData);

                        char *ptr = strchr(strCredentials, ':');
                        if (ptr != NULL)   // skip blobs that are not in username:password form
                        {
                            *ptr = '\0';
                            strcpy_s(strUsername, 1024, strCredentials);
                            ptr++;
                            strcpy_s(strPassword, 1024, ptr);

                            printf("Gmail Notifier Stored account details are, Username=%s, Password=%s\n",
                                   strUsername, strPassword);
                        }

                        //The output buffer is allocated by CryptUnprotectData
                        LocalFree(DataOut.pbData);
                    }
                }
            } // End of FOR loop

            CredFree(Credential);
        }
    } //End of function

Gmail Notifier uses the 'Protected Storage' to store the Google account
password for IE versions below 7. Here are the simple steps to recover
such a password.
- Use the 'Protected Storage' API functions to enumerate through the
stored website entries.
- Select the entries which are associated with Google by checking if the
name contains the text 'www.google.com'
- Then read the credentials for this account using PStore functions and
parse them out.

This decryption method is clearly illustrated with a code example in the
article 'Exposing the Secrets of Internet Explorer'.

Gmail Notifier is no longer available as a standalone application and is
now integrated with GTalk.

'Desktop Search' is Google's solution for searching on the local system.
Additionally, you can configure it to index & search your Gmail account by
setting up the options as shown below.

Any such configured Google account is stored in the following registry
location:

HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail

The 'POP3_name' & 'POP3_credentials' registry values hold the account
name & encrypted password as shown below.

Here are the steps to recover this password:
- Retrieve the Google account name & encrypted password from the above
mentioned registry location
- Next use the CryptUnprotectData function to uncover the password in
plain text.
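
The registry locations named above for GTalk, Picasa and Desktop Search can be checked during a host audit. The following added example, which is not code from the original article or from GooglePasswordDecryptor, scans the text of a `reg export` of HKEY_CURRENT_USER\Software\Google and reports which applications hold a saved password value, without decoding it; the function name, rule table and sample export are constructed for illustration.

```python
import re

# Password-bearing registry values named in this article:
# (application, pattern for the key path, value name holding the password).
RULES = [
    ("Google Talk", re.compile(
        r"HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts\\[^\\]+", re.I), "pw"),
    ("Picasa", re.compile(
        r"HKEY_CURRENT_USER\\Software\\Google\\Picasa\\Picasa[23]\\Preferences", re.I), "gaiapass"),
    ("Google Desktop", re.compile(
        r"HKEY_CURRENT_USER\\Software\\Google\\Google Desktop\\Mailboxes\\Gmail", re.I),
     "pop3_credentials"),
]
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def find_saved_google_credentials(reg_text):
    """Return sorted (application, key path, value name); data is never decoded."""
    findings = set()
    key, rule = None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # "[-HKEY...]" (a key deletion) matches no rule
            rule = next((r for r in RULES if r[1].fullmatch(key)), None)
            continue
        m = VALUE_LINE.match(line)
        # Skip empty strings ("") and value deletions (-): nothing is saved there.
        if m and rule and m.group(1).lower() == rule[2] and m.group(2) not in ('""', "-"):
            findings.add((rule[0], key, m.group(1)))
    return sorted(findings)

# Constructed sample in the text form produced by `reg export` (not real data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\alice@example.com]
"pw"="CONSTRUCTED-PLACEHOLDER"

[HKEY_CURRENT_USER\Software\Google\Picasa\Picasa2\Preferences]
"GaiaUser"="alice"
"GaiaPass"=""

[HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail]
"POP3_name"="alice@example.com"
"POP3_credentials"=hex:01,00,00,00,\
  d0,8c,9d,df
'''

if __name__ == "__main__":
    print(find_saved_google_credentials(SAMPLE))
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.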

Internet Explorer stores the sign-on login information for all visited
websites, which is used to log in to that site automatically so that the
user does not have to enter the password every time. As for other sites,
the Google account password information is also saved.

Before version 7, Internet Explorer used 'Protected Storage' to store
these sign-on passwords. Since this is less secure and easy to decipher,
from version 7 onwards it uses the 'Credential Provider' store & 'Windows
Cryptography' functions to store the passwords securely.

Here is the detailed research article which explains how to recover the
passwords from any IE version:
'Exposing the Secrets of Internet Explorer'

Like Internet Explorer and other browsers, Google Chrome also stores the
login passwords for all visited websites based on user consent. Chrome
uses an SQLite database to store the account information in an encrypted
format.

For more information on deciphering the website login passwords from the
Chrome database, read the article below:
'Exposing the Secrets of Google Chrome'

GooglePasswordDecryptor is the free tool to recover Google account
passwords stored by various applications. Most of Google's desktop
applications, such as GTalk and Picasa, store the account passwords in
their private encrypted store to avoid the hassle of entering the
password every time. GooglePasswordDecryptor helps in recovering such
stored passwords from most of these applications' private stores.

It can even show passwords from multiple accounts if you have used more
than one Google account. It also comes with an 'Export Feature' to save
the recovered Google passwords to HTML or TEXT format for future use.