SecurityXploded.com  
  
Exposing the Password Secrets of MSN/Windows Live Messenger
 
 
Exposing the Password Secrets of MSN/Live Messenger
 
 
 
See Also
 
 
 
Contents
 
 
Introduction
Windows Live Messenger (formerly MSN Messenger) is one of the leading messenger on the Windows platform. Earlier version was called as MSN Messenger, however since version 8 onwards it is renamed as 'Windows Live Messenger'.

You need to have Windows Live Account to access the Messenger services. This one Windows Live ID gets you into Hotmail, Messenger, Xbox LIVE and other Microsoft services.

msn password secrets

But once you forgot your MSN/Live Login password you will be completely blocked from accessing any of these services. However there is a last hope before marking an end to your hopeless attempts to get back the login password. It is possible to recover the MSN/Live account passwords if it is previously stored by the Messengers on your system.


In this article we will show what kind of storage/encryption mechanism used by MSN/Live Messenger and how to recover such stored passwords.
 
 
Internal Storage and Encryption Mechanism
Both MSN/Windows Live Messenger uses Windows built-in 'Credential Store' to securely store the login account passwords. Not only Windows uses it to store network authentication passwords, but also other applications such as Outlook, Remote Desktop, GMail Notifier etc uses the same mechanism for storing their login passwords. Windows also provides Credential Management API functions [Reference 2] to allows applications to seamlessly manage this 'Credential Store'.

Windows 'Credential Store' supports different type of password storage mechanisms. Each type uses different kind of encryption and requires different level of privileges for decryption.

Here are the main types
  • Generic Password
  • Domain Password
  • Domain Visible Password / .NET Passport
  • Certificates
For more technical details on each of these mechanisms and their decryption techniques, refer to the article 'Exposing the Secret of Decrypting Network Passwords' [Reference 1]

Though both MSN and Windows Live Messenger uses the same 'Credential Store' mechanism but they use different types to store the passwords. Here we will see how each of them uses Credential Store to store their secrets and how to recover the stored passwords from it.
 
 
 
Recovering Password from MSN Messenger
As mentioned MSN Messenger also uses 'Credential Store' to securely store the remembered passwords. These passwords are stored as type 'Domain Visible Password' aka '.Net Passport'. In this 'Domain Visible Password' type only password is encrypted and user name will be stored in clear text.


Here is the complete code sample for recovering and decrypting this type of passwords
 

void EnumerateDotNetPassportPassword()
{
DATA_BLOB DataIn;
DATA_BLOB DataOut;
DATA_BLOB OptionalEntropy;
tmpSalt[37];
char *strSalt={"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"};

char strCredentials[1024];
char strUsername[1024];
char strPassword[1024];

	//Create the entropy/salt required for decryption...
	for(int i=0; i< 37; i++)
		tmpSalt[i] = (short int)(strSalt[i] * 4);

	OptionalEntropy.pbData = (BYTE *)&tmpSalt;
	OptionalEntropy.cbData = 74;
	
	DWORD Count;
	PCREDENTIAL *Credential;

	//Now enumerate all http stored credentials....
	if(CredEnumerate(NULL,0,&Count,&Credential))
	{
	
		for(int i=0; i < Count ; i++)
		{
	
			if( Credential[i]->Type == CRED_TYPE_DOMAIN_VISIBLE_PASSWORD)
			{
			
				DataIn.pbData = (BYTE *)Credential[i]->CredentialBlob;
				DataIn.cbData = Credential[i]->CredentialBlobSize;
				
				sprintf_s(strUsername, 1024, "%S", Credential[i]->UserName);
				
				if(CryptUnprotectData(&DataIn, NULL, &OptionalEntropy, 
                   NULL,NULL,0,&DataOut))
				{
					//Decrypted data contains password in clear text
					sprintf_s(strPassword, 1024, "%S", DataOut.pbData);
					
					printf(".Net Passport Account details, 
					Username=%s, Password=%s", strUsername, strPassword);
				
				}
			
			}
		
		} // End of FOR loop

	  CredFree(Credential);
	
	}


} //End of function

 
The above code uses the CredEnumerate function to go through all the stored network password accounts for current user. Next it checks if the account type is CRED_TYPE_DOMAIN_VISIBLE_PASSWORD. If such an account is found then it decrypts the password data using the CryptUnprotectData [Reference 3] function. Upon successful decryption it contains the password in clear text.

As this mechanism is used by other applications also, we need to distinguish MSN stored passwords from other applications. It is not that diffcult, here we can just check if the name for each recovered credential entry (Credential->TargetName) matches with text '.Net Passport'.

Since it was earlier only MSN Messenger used this technique it also popularly called as '.Net Passport Method'
 
 
 
Recovering Password from Windows Live Messenger & Windows Live Mail
Windows Live Messenger uses 'Credential Store' to securely store the passwords. All versions of Live Messenger & Windows Live Mail (including latest 2011 edition) uses same storage and encryption mechanism to store the credentials.


Here is the sample code which shows how to decrypt the 'Windows Live' password
 
void DecryptWindowsLivePassword()
{
DWORD Count;
PCREDENTIAL *Credential;

char strPassword[1024];


//Now enumerate all http stored credentials....
if(CredEnumerate(NULL, 0, &Count, &Credential))
{
	printf("CredEnumerate found %d accounts", Count);
	
	for(unsigned int i=0; i< Count; i++)
	{
	
	    printf("Found account %d - %s ", Credential[i]->Type, 
                Credential[i]->TargetName);
	
		if( strstr(Credential[i]->TargetName, "WindowsLive:name=") ) 
		{
        
		printf("Found Windows Live account %d - %s ", Credential[i]->Type, 
               Credential[i]->TargetName);
		
		//convert password to ascii
		strPassword[0]=0;
        
		WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) Credential[i]->CredentialBlob, 
        Credential[i]->CredentialBlobSize/2, strPassword, 1024, NULL, NULL );
        
		strPassword[Credential[i]->CredentialBlobSize/2]=0;
		
		printf("Windows Live Account => Username: %s & Password: %s ", 
               Credential[i]->UserName, strPassword);
		
        }
	
	} //end of for loop
	
	CredFree(Credential);

}

} //End of function

	
 
The above code uses the CredEnumerate function to go through all the stored network password accounts for current user. Next it checks if the account type is CRED_TYPE_GENERIC. If generic type of account is found then it decrypts the user credential data using the CryptUnprotectData function which is part of 'Windows Crypto API Package' [Reference 3]. Upon successful decryption it contains both username and password in the clear text separated by semicolon.

Once we recover the stored credentials, we need to check if it belongs to Live Messenger. It stores the passwords with the target name as 'WindowsLive:name=<email_id>'. So by checking each recovered entry for 'WindowsLive' text we can get all the login passwords stored by Windows Live Messenger.
 
 
 
MSNLivePasswordDecryptor - Free Tool to Recover MSN/Live Passwords
MSNLivePasswordDecryptor is the FREE software to instantly recover MSN/Hotmail/Windows Live Messenger passwords stored by applications such as MSN, Windows Live Messenger, Hotmail, web browsers and other messengers.
 
MSNLivePasswordDecryptor Tool
 

It can be very handy tool for Penetration Testers as well as Forensic Investigators. It works on most of the Windows platforms starting from Windows XP to latest operating system, Windows 7.

For more details visit the home page of MSN Live Password Decryptor.

 
 
 
References
  1. Exposing the Secret of Decrypting Network Passwords
  2. Windows Credential Manager Functions
  3. Windows Cryptography Functions
 
 
See Also