Peter's Blog

Redefining the Impossible

Items filed under filezilla


I came across an interesting tool and immediately used it to solve a problem I had solved once before. The problem? I inherited a PC with FileZilla installed and a load of FTP accounts set up with passwords I did not know. How to get the passwords?

The tool is the Microsoft User Mode Process Dumper. What it does is dump the memory image of a running process to disk, where it can be inspected. I used this to dump a running image of FileZilla. I ran the image through the 'strings' utility from Cygwin to strip out everything but English-looking strings and then opened the resulting file in vim. Search through this for the FTP account names and there in all their glory are the passwords. Easy. Took about two minutes, most of this figuring out the command line for userdump, which is merely:

userdump 1072

where 1072 was the process ID of FileZilla from Task Manager.

This technique would work with any software that loaded all passwords into memory and held them there in an unencrypted state. The beauty of this is the speed: no messing with debuggers or ploughing through hex memory dumps; get the command line to do the work.

Moral: security is not easy.


Filed under: filezilla windows


Needed to recover a password from my FileZilla settings. It transpires that this is not very difficult. The passwords are not strongly encoded, which some regard as a security flaw, but the developers seem to acknowledge that if you want security, don't trust a computer.

    #
    # Dump FileZilla Site Manager entries: site name, host, user and password.
    #
    import winreg  # this module is named _winreg in Python 2

    def DecodePassword(strPass):
        """Decode a FileZilla password (three decimal digits per character)."""
        strKey = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"

        nPassLen = len(strPass) // 3
        nOffset = nPassLen % len(strKey)

        strDecodedPass = ""

        for i in range(nPassLen):
            # Each character is stored as a 3-digit decimal number,
            # XORed with a byte of the fixed key.
            c = int(strPass[i * 3:(i * 3) + 3])
            c2 = ord(strKey[(i + nOffset) % len(strKey)])
            c3 = chr(c ^ c2)

            strDecodedPass += c3

        return strDecodedPass

    #
    # Walk through registry, decoding site details.
    #
    oReg = winreg.ConnectRegistry(None, winreg.HKEY_CURRENT_USER)
    oLicenceKey = winreg.OpenKey(oReg, r'SOFTWARE\FileZilla\Site Manager')

    nIndex = 0
    while True:
        try:
            strSite = winreg.EnumKey(oLicenceKey, nIndex)
        except EnvironmentError:
            # No more subkeys to enumerate.
            break

        oSiteKey = winreg.OpenKey(oLicenceKey, strSite)
        strHost = winreg.QueryValueEx(oSiteKey, 'Host')[0]
        strUser = winreg.QueryValueEx(oSiteKey, 'User')[0]
        strPassword = DecodePassword(winreg.QueryValueEx(oSiteKey, 'Pass')[0])

        print(strSite, strHost, strUser, strPassword)

        nIndex += 1

Filed under: filezilla python


I needed to migrate a load of FileZilla FTP site details from another user's setup to mine. However, the passwords were all encrypted. What to do?

  • Go into the registry
  • Go to \HKCU\Software\Filezilla\Site Manager
  • Export the key to a .reg file
  • Transfer the .reg file to my login
  • Log in as me
  • Import the .reg file into my registry.

Voila.

I still don't know what the passwords are, but FileZilla does, and that's really all that matters.
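
An added example (not part of the original post and not FileZilla's code): because the exported .reg file carries every saved credential with it, a defender can inventory which sites hold a saved password, and whether it has the three-digits-per-character shape that DecodePassword above reverses, without decoding anything. The sample export, its host names and the function name `audit_reg_export` are constructed for illustration.

```python
import re

# Constructed sample of a .reg export of the Site Manager key (not real data).
# Host/User/Pass are the value names the registry script on this page reads.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\FileZilla\Site Manager]

[HKEY_CURRENT_USER\Software\FileZilla\Site Manager\staging]
"Host"="ftp.staging.example"
"User"="deploy"
"Pass"="123045067089"

[HKEY_CURRENT_USER\Software\FileZilla\Site Manager\archive]
"Host"="ftp.archive.example"
"User"="anonymous"
"Pass"=""
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
ROOT = r'software\filezilla\site manager' + '\\'
ENCODED = re.compile(r'(?:[0-9]{3})+')  # three decimal digits per character

def audit_reg_export(text):
    """Return one finding per site with a saved password; nothing is decoded."""
    sites, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            path = m.group(1)
            idx = path.lower().find(ROOT)
            current = path[idx + len(ROOT):] if idx != -1 else None
            if current is not None:
                sites[current] = {}
            continue
        m = VALUE.match(line)
        if m and current is not None:
            sites[current][m.group(1)] = m.group(2)
    findings = []
    for name, values in sites.items():
        pw = values.get("Pass", "")
        if pw:
            findings.append({
                "site": name, "host": values.get("Host", ""),
                "user": values.get("User", ""),
                "reversible_encoding": ENCODED.fullmatch(pw) is not None})
    return findings
```

A real regedit export in this format is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. Every site the function reports is a credential to rotate if the file has left the machine.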


Filed under: filezilla windows
