Cracking Trillian Passwords
Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Cracking Trillian Passwords

  1. #1
    Senior Member
    Join Date
    Nov 2003
    Posts
    107

    Cracking Trillian Passwords

    --------------------------------------
    DISCLAIMER

    Everything found in this tutorial is to be used for educational purposes only and to shed light on the security risks of using trillian as your chat client. I do not advocate the stealing of login information for any purposes whatsoever. If you do something illegal, i accept no responsibility for anything you may damage and hold no accountability for the things you learned. If you do not agree to adhere to the above-mentioned terms, do not read this tutorial.

    ---------------------------------------

    Trillian, a popular multi-network chat client, has been around for quite some time. Unfortunately, the security for it is horrible. I've emailed them once or twice regarding this problem and have not gotten a response from them. I started cracking trillian's password security probably a few months ago and just looked up some stuff on the HD today and found the old project plus my password finding table. Well, i wrote a program in euphoria that helped to speed up the process of cracking trillian. It uses a modified form of sendkeys.ew (email me for a copy).

    Some background:
    First let's talk a little bit about how trillian encodes passwords. It stores the encrypted form in hex digits (it's in an ini file). From what i've gathered, the only things that are processed are the character and its location. Note that the encoded string is twice as long as your password. By observation, every two encoded digits represent a single character in the password.

    Well, now, how do we get at these encrypted passwords? They're stored in the appropriate ini files. The password for a trillian profile is stored in your trillian folder in the file \users\global\profiles.ini. In that file, you are presented with some information about the profiles including their encrypted password, profile name, and other things like autologin. Well, if you want to hijack a trillian account using that computer, all you need to do is simply set the Automatic Login variable to 1. You bypass the login altogether.

    Now, if they don't auto-login to anything else, you can tweak the entries in \users\%profile% in the aim.ini, yahoo.ini, and msn.ini. Now, say you didn't want to just access the account from the cheap autologin method, but want to get the password for it. Well, it's frighteningly easy to do.

    Steps for cracking:
    1) Create a blank account
    2) Give it a password of a single character repeated however many times you want
    3) Login and then record the encrypted password that's in profiles.ini
    4) Exit trillian
    5) Reload trillian, enter the old repeated character and click Edit
    6) Now, push the Clear button and enter another repeated character for your password
    7) Click the save button and type in the repeated character again to verify
    8) Repeat steps 3 through 7 until you've collected lists of all the characters you want

    Well, that was awful easy wasn't it? A bit time consuming if you don't make a program to help you with it, but still, very easy. So, let's say we wanted to crack a password using this list (i recommend using an editor like PFE or Emacs when doing this because they'll stay in the column they're in as you move down). We'd look at the first two digits in the encoded string and try to match them against the first two digits in one of the above strings. If you find a match, the character to the left of the string is the character that was encoded. Do this with the next two digits of your string and match them against the 3rd and 4th digits of the above strings of digits. Do this until you have processed every pair of digits and you'll have the password.

    Wow, that was really easy wasn't it? Kinda scary, huh?

    Problems:
    Well, poor security is always a problem, but, trillian, being the multi-network chat client that it is, stores passwords for all sorts of other services. Because of this, if a user was using trillian, someone could install a program to leech all of the login information stored in the computer and then relay it back to whoever wanted it. Accounts could be hijacked left and right. That's bad, very bad. So, if you love your privacy then either lock down trillian while you're not using it, or just don't use trillian at all. Trillian can be found at http://www.trillian.cc for anyone that is interested in checking this out for themselves.

    All tests were done on Trillian Basic and i am not aware of this vulnerability in Trillian Pro, but it's likely that it exists there as well. If anyone could verify this for me, mail me at code_x@phreaker.net

    [EDIT] Removed the character lists as they really gave no informative value compared to the rest of the article. One could regenerate the list using the steps above, but, after rethinking the post, I feel that generally the pre-made list would never be used by anyone with good intentions and that it was somewhat irresponsible to post it. In the future, i will refrain from writing actual solution tables in the post as they will generally tend more towards misuse than education.[/EDIT]

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Well. Interesting tutorial. I am sure I already read the Trillian info somewhere else (and in many different places), but it is always interesting to develop the steps used to reach a target, and it's exactly what you have done.
    Life is boring. Play NetHack... --more--

  3. #3
    very informative but unfortunately very un-antionlinistic
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes

    i am NOT a hacker :Ž

  4. #4
    Junior Member
    Join Date
    Dec 2003
    Posts
    2

    enlightend and scared

    hey flamingRain.
    thanx! i thought trill was pretty secure, guess not. so do you know of any IM that is more secure?

  5. #5
    Senior Member
    Join Date
    Nov 2003
    Posts
    107
    phsphate, sry, but trillian is the only IM i've tried breaking into. Back when i was first getting into pulling stuff apart on computers and making my own little crypto programs, i wanted to put my skills to the test. I decided trillian would be good because it looked like something easy and worthwhile. So, i started working my way through it until i had compiled some password parts lists. I still don't claim to have really "broken" the system as i cannot generate a trillian-compliant password with a program that i write as of now, but i'm looking into designing one just for a good cryptanalysis excercise.

    I haven't tried breaking into others, but here are a few things to check for in terms of security:

    1) Does it automatically store login data?
    2) Does it verify the information with stuff on the disk (real easy to test. If it returns false very fast, then it likely does. If it returns false slow, then it may not.)
    3) Does it encrypt outgoing traffic? (gotta protect against sniffers)

    Try cryptanalyzing anything you find. If you find distinct patterns, follow through and see for yourself how strong it is. After doing the work, i set trillian up in a lockdown mode (file is encrypted. when trillian loads, it's decrypted for trill to access. after loading, it's re-encrypted).

    Hopefully someone else can point to a more secure IM client.
    Is there a sum of an inifinite geometric series? Well, that all depends on what you consider a negligible amount.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    jetherson i could see how you got this idea. lately the group that have been vocal here would rather flame posts like this and then move on to take surveys of important things like...whats your favorite color underware.

    speaking for myself, the only person resonsible for network security in my company, this is exactly the stuff i want to see.

    thank you FlamingRain!! nice job.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Token drunken Irish guy
    Join Date
    Sep 2001
    Posts
    2,813
    How would this be un-AntiOnline-ish?

    You remember the old saying: Hackers Know the Weaknesses in your system, shouldnt you?

    Well, shouldnt we? The people that flame this kind of stuff usually havent a clue what they are on about and just post because they think other people will possie them for flaming a the evil hax0r's...

    Anyway, thats interesting, I'm going to have a look for myself now.

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    19
    In order for them to get your password do they have to have access to your computer.

    Or is it possible for them to obtain the passwords remotly.

  9. #9
    Senior Member
    Join Date
    Nov 2003
    Posts
    107
    Mr.Fatal, if they can gain access to files on your computer then it can be done remotely. Generally, if i were to pick a way to get the passwords, i'd get into their computer and install a program that either:

    a) Is a leech and sucks out all the login information and realys it
    b) Transfers all the files to my computer so i can take my time from there.

    But hey, both those can be accomplished by trojans, why bother even having to gain access when you can get them to download a cheesy game :/.
    Is there a sum of an inifinite geometric series? Well, that all depends on what you consider a negligible amount.

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    100
    This is completely un-antionline-ish and most un-antionline-ish stuff is usually tutorials on specifically how to hack someones computer, yes it is a vunerability, but is it a good one hell no and they author didnt even find it out for himself. me being more of a hacker (white hat) than a security expert (though id love to be one) think this is the worst post i have ever seen. If u want to post a vunerability 1. make sure its yours 2. make sure it can comprimise security or at least you think it might with some work. dont just post some trillian/hotmail/whatever vunerability i speak for a lot of people saying that we dont need this.

    p.s. congrats to the guy who found the vunerability (next time hack something else)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides