Exposing the Google Password Secrets

The Google account is the single centralized account used by all of the
Google services such as Gmail, Picasa, GTalk, iGoogle, Desktop Search and
many more. Most of Google's desktop applications, such as GTalk and
Picasa, store the Google account password for future use. Most browsers,
such as Internet Explorer, Firefox and Chrome, also store the login
passwords for visited websites in their secret store.

This research article throws light on the internal password storage
and encryption mechanisms used by some of the prominent applications to
store the Google account password. It also shows the methods to decrypt
the Google password for each of these applications.

GTalk is Google's instant messenger application with integrated voice
and video chat features. Like any other Google application, it uses the
same Google account password and stores it in an encrypted format for
subsequent logins. It stores the account information at the following
location in the registry:

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

For each account, it creates a separate key with the account name under
this registry location as shown below.

For each stored account, the encrypted password is stored in the
registry value 'pw'. GTalk encrypts the Google account password using
Windows Cryptography functions. Here are the step-by-step instructions
to decrypt this password:
- Enumerate through the GTalk accounts registry key and get the
stored account name & encrypted password.
- Now get the currently logged on username & domain name of
the system.
- Create the hash of the username and then hash the domain
name on top of it to create entropy data of 16 bytes.
- Next hash the encrypted password with magic numbers.
- Finally pass this modified password and entropy data to
CryptUnprotectData function to decrypt the password.

Picasa is the free photo editing software from Google. It facilitates
managing and uploading photo albums to the online Google Picasa store
for sharing with the community. It uses the same Google account for
transferring pictures to the online web account and stores this password
in an encrypted format for subsequent logins.

Picasa stores the Google account login details at one of the following
locations in the registry. However, the latest version of Picasa (3.6)
still uses the Picasa 2 registry location for storing the settings.

HKEY_CURRENT_USER\Software\Google\Picasa\Picasa2\Preferences
HKEY_CURRENT_USER\Software\Google\Picasa\Picasa3\Preferences

The Google account name & encrypted password are stored in the registry
values 'GaiaUser' & 'GaiaPass' respectively as shown below.

Like Google Talk, it also uses the Windows Cryptography mechanism to
protect the password. Here are the different methods used by various
versions of Picasa to decrypt the password.

Here are the basic steps to decrypt the Picasa stored password
for previous versions:
- Retrieve the stored username & encrypted password from above
registry location.
- Convert the account name to format 'gaia::<account name>' (for example
"gaia::securityxploded")
- Modify the encrypted password with crypto magical operations.
- Next derive the crypto key using the modified account name as
password.
- Finally decrypt the password using CryptDecrypt function by passing
the derived 'crypto key' and modified password.

Here are the simple steps to recover the Google password from the latest
version of Picasa (Version 3.6):
- Retrieve the stored username & encrypted password from above
registry location
- Convert the encrypted password from hex-string to
hex-binary format.
- Use the CryptUnprotectData function to decrypt the password in
clear text.

Gmail Notifier is the standalone systray plugin which notifies the user
about incoming mail in the currently configured Gmail account.
Depending on the Internet Explorer version, Gmail Notifier uses different
methods to store the Google account password. For IE version 7 or later,
it uses 'Windows Credential Provider' for securely storing the password.
Here are the simple steps to recover the password:
- Enumerate through all the stored passwords in 'Windows Credential
Provider' using the CredEnumerate function.
- Select the entries which are associated with Google account by
checking if TargetName begins with text
'Microsoft_WinInet_www.google.com:443'
- For each of these discovered Google accounts, decrypt the password
using CryptUnprotectData function.

Here is the sample code illustrating this method.
Credits: Thanks to SapporoWorks for the original work

    #include <windows.h>
    #include <wincred.h>
    #include <stdio.h>
    #include <string.h>

    //Build as ANSI (UNICODE not defined); link with Advapi32.lib and Crypt32.lib
    void DecryptGmailNotifierPassword()
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;
        DATA_BLOB OptionalEntropy;
        short int tmpSalt[37];
        const char *strSalt = "abe2869f-9b47-4cd9-a358-c22904dba7f7";
        char strCredentials[1024];
        char strUsername[1024];
        char strPassword[1024];

        //Create the entropy/salt required for decryption...
        //(36 characters plus the terminating NUL, each stored as a 16-bit value)
        for(int i=0; i< 37; i++)
            tmpSalt[i] = (short int)(strSalt[i] * 4);

        OptionalEntropy.pbData = (BYTE *)tmpSalt;
        OptionalEntropy.cbData = sizeof(tmpSalt);   //37 * 2 = 74 bytes

        DWORD Count;
        PCREDENTIAL *Credential;

        //Now enumerate all http stored credentials....
        if(CredEnumerate(NULL,0,&Count,&Credential))
        {
            for(DWORD i=0;i<Count;i++)
            {
                if( (Credential[i]->Type == 1) &&   //1 = CRED_TYPE_GENERIC
                    _strnicmp(Credential[i]->TargetName, "Microsoft_WinInet_www.google.com",
                              strlen("Microsoft_WinInet_www.google.com")) == 0 )
                {
                    DataIn.pbData = (BYTE *)Credential[i]->CredentialBlob;
                    DataIn.cbData = Credential[i]->CredentialBlobSize;

                    if(CryptUnprotectData(&DataIn, NULL, &OptionalEntropy, NULL,NULL,0,&DataOut))
                    {
                        //Extract username & password from credentials (username:password)
                        sprintf_s(strCredentials, 1024, "%S", DataOut.pbData);
                        LocalFree(DataOut.pbData);   //buffer is allocated by CryptUnprotectData

                        char *ptr = strchr(strCredentials, ':');
                        if(ptr == NULL)
                            continue;   //entry is not in username:password form

                        *ptr = '\0';
                        strcpy_s(strUsername, 1024, strCredentials);
                        ptr++;
                        strcpy_s(strPassword, 1024, ptr);

                        printf("Gmail Notifier Stored account details are, Username=%s, Password=%s\n", strUsername, strPassword);
                    }
                }
            } // End of FOR loop
            CredFree(Credential);
        }
    } //End of function

Gmail Notifier uses 'Protected Storage' to store the Google account
password for IE versions below 7. Here are the simple steps to recover
such a password:
- Use the 'Protected Storage' API functions to enumerate through the
stored website entries.
- Select the entries which are associated with Google by checking if
name contains text 'www.google.com'
- Then read the credentials for this account using PStore functions and
parse them out.

This decryption method is clearly illustrated with a code example in the
article 'Exposing the Secrets of Internet Explorer'.

Gmail Notifier is no longer available as a standalone application; it is
now integrated with GTalk.

'Desktop Search' is Google's solution for searching the local system.
Additionally, you can configure it to index & search your Gmail account
by setting up the options as shown below.

Any such configured Google account is stored in the following
registry location:

HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes\Gmail

The 'POP3_name' & 'POP3_credentials' registry values hold the
account name & encrypted password as shown below.

Here are the steps to recover this password:
- Retrieve the Google account name & encrypted password from the above
mentioned registry location
- Next use the CryptUnprotectData function to uncover the password in
plain text.
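
To check a workstation for the saved credentials described in the GTalk, Picasa and Desktop Search sections, the following added example (not part of the original article or of GooglePasswordDecryptor) lists which of those registry values exist for the current user, without decrypting anything. The function name Get-StoredGoogleCredentialInventory is hypothetical; the registry paths and value names are the ones given in this article.

```powershell
# Added example: inventory of the stored-credential registry values named in this article.
# It reports presence, type and size only; it never prints or decrypts a stored value.
$Locations = @(
    @{ App = 'Google Talk'; Path = 'HKCU:\Software\Google\Google Talk\Accounts'
       PerAccountSubkeys = $true;  Values = @('pw') },
    @{ App = 'Picasa'; Path = 'HKCU:\Software\Google\Picasa\Picasa2\Preferences'
       PerAccountSubkeys = $false; Values = @('GaiaUser', 'GaiaPass') },
    @{ App = 'Picasa'; Path = 'HKCU:\Software\Google\Picasa\Picasa3\Preferences'
       PerAccountSubkeys = $false; Values = @('GaiaUser', 'GaiaPass') },
    @{ App = 'Google Desktop'; Path = 'HKCU:\Software\Google\Google Desktop\Mailboxes\Gmail'
       PerAccountSubkeys = $false; Values = @('POP3_name', 'POP3_credentials') }
)

# Hypothetical helper name; returns one object per credential value found.
function Get-StoredGoogleCredentialInventory {
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

        # GTalk keeps one subkey per account; the other applications use the key itself.
        $keys = if ($loc.PerAccountSubkeys) {
            Get-ChildItem -LiteralPath $loc.Path
        } else {
            Get-Item -LiteralPath $loc.Path
        }

        foreach ($key in $keys) {
            foreach ($name in $loc.Values) {
                $value = $key.GetValue($name, $null)
                if ($null -eq $value) { continue }

                [pscustomobject]@{
                    Application = $loc.App
                    RegistryKey = $key.Name
                    ValueName   = $name
                    ValueKind   = $key.GetValueKind($name)
                    Length      = $value.Length   # characters or bytes, depending on ValueKind
                }
            }
        }
    }
}

Get-StoredGoogleCredentialInventory | Format-Table -AutoSize
```

Each row returned marks a saved credential that is readable from the current user's session; clear it by signing out of the application or turning off its remember-password option.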

Internet Explorer stores the sign-on login information for all visited
websites, which is used to log in to the site automatically so that the
user does not have to enter the password every time. As with other
sites, the Google account password information is also saved.

Before version 7, Internet Explorer used 'Protected Storage' to store
these sign-on passwords. Since this is less secure and easy to decipher,
from version 7 onwards it uses the 'Credential Provider' store & 'Windows
Cryptography' functions to securely store the passwords.

Here is the detailed research article which explains how to recover the
passwords from any IE version:
'Exposing the Secrets of Internet Explorer'

Like Internet Explorer and other browsers, Google Chrome also stores
the login passwords for all visited websites based on user consent.
Chrome uses an SQLite database to store the account information in an
encrypted format.

For more information on deciphering the website login passwords from
the Chrome database, read the article
'Exposing the Secrets of Google Chrome'.

GooglePasswordDecryptor is the FREE tool to instantly recover Google
account passwords stored by various Google applications as well as
popular web browsers. Most of Google's desktop applications, such as
GTalk and Picasa, store the Google account passwords to save the user
the hassle of entering the password every time. Even the web browsers
store the sign-on passwords, including Google account passwords, in an
encrypted format. GooglePasswordDecryptor automatically crawls through
each of these applications and recovers the encrypted Google account
password.

It works on a wide range of platforms, from Windows 2000 to the latest
operating system, Windows 7. For more information and to download this
tool, visit the main page of GooglePasswordDecryptor.