Cracking Trillian Passwords

[FlamingRain]

Modderfokker, i found the password security problems before i was ever aware of any other information regarding trillian vuln's online. Since this post, i have looked around and done a few googles and haven't seen articles with password security. Trillian has lots of vuln's regarding the way it handles data but i didn't find enything specifically on defeating the password protection mechanism. So, addressing your first point, i did find it myself, indepently of any other information that may or may not have been available at that time. And, addressing your second point, it can compromise security rather easily. If you were to write a leech program and someone was to download it (unsuspectingly), you could compromise their IM handles.

I agree that IM handle stealing really isn't a big issue, it doesn't cause loss of data, it doesn't cause computer downtime, it doesn't damage any equipment, but still, it can be a problem because of identity theft (not in the sense of taking someone's full identity). So, i feel my post has enough reason to justify its being here.

[Ennis]

This is completely un-antionline-ish and most un-antionline-ish stuff is usually tutorials on specifically how to hack someones computer, yes it is a vunerability, but is it a good one hell no and they author didnt even find it out for himself. me being more of a hacker (white hat) than a security expert (though id love to be one) think this is the worst post i have ever seen. If u want to post a vunerability 1. make sure its yours 2. make sure it can comprimise security or at least you think it might with some work. dont just post some trillian/hotmail/whatever vunerability i speak for a lot of people saying that we dont need this.

p.s. congrats to the guy who found the vunerability (next time hack something else)

How would this be un-AntiOnline-ish?

You remember the old saying: Hackers Know the Weaknesses in your system, shouldnt you?

Well, shouldnt we? The people that flame this kind of stuff usually havent a clue what they are on about and just post because they think other people will possie them for flaming a the evil hax0r's...

Anyway, thats interesting, I'm going to have a look for myself now.


Sometimes people have to repeat themselves.

[Modderfokker]

I have found out that that the author of this post did find the vunerability and the feeling of finding one by yourself is second to none.
But in response i will still defend saaying that even if a hacker did know this vunerability they have to get past your firewall (that u should have running) with a trojan sent to them (which they should have searched) and then still they have to have your ip (if not sent by trojan) and the average user (above noob) will be able to defend easily this attack.

Cheers flaimingrain at the vunerability, keep at finding more!

[FlamingRain]

I can't remember who asked about gaim, but it's less secure when it comes to passwords. If you choose for it to remember your password (which is default checked (grrr)) it stores it IN THE CLEAR. Under XP, the path is c:\Documents and Settings\<user>\application data\.gaim\accounts.xml and under 9x, it's under c:\windows\profiles\<user>\applicaiton data\.gaim\accounts.xml. If you don't have it remember your password, it doesn't store it at all.

Credit goes to my friend WingedPanther on one of my other forums for telling me the path in XP. Thanks WP!

[Cytoplast]

Personally, I think that FlamingRain did well here. I used Trillian for awhile. This shows us how to see how unsecure our login information is. Hopefully Trillian authors will actually pick up on info like this from their users and get their heads out of an undisclosed area.


Great job on proving this one out,

[FlamingRain]

Well, I've come up with a way to help solve this problem. I wanted to use trillian again (wingaim seemed unstable on my system. WinME, bleh). I was looking over the plans of my password generator and realized that if I built something that would simply change my password in that file automatically, I could use the autologin and be able to log in with a new password each time. Of course, you'd have to have a way to let the login servers know you were changing your password somehow too. I guess this would really only help programmers though seeing as there's no available software like that.

You can also run it in lock-down mode where you have a lead-in program that decrypts all the files, then loads trillian and after trillian closes, encrypts them all again. You don't need particularly strong encryption, just enough to keep someone from sending some automated bot.

It seems that trillian uses the functions held in crypto.dll perhaps some analysis of this would allow you to create a more secure version with the same function names. If I had the skill to attempt this, I surely would. But, the idea's out there for those who like trillian but want to be a bit safer with logon info.

[meloncholy]

**Modderfokker: But in response i will still defend saaying that even if a hacker did know this vunerability they have to get past your firewall (that u should have running) with a trojan sent to them (which they should have searched) and then still they have to have your ip (if not sent by trojan) and the average user (above noob) will be able to defend easily this attack.

Cheers flaimingrain at the vunerability, keep at finding more!**

Whats the point in talking about vulnerabilities then? Tightning up your firewall will probably prevent a good majority of vulnerabilies. Thats just stupid. The RPC DCOM was a huge vulnerability that is easily exploited that could be blocked by the use of a firewall or a simple patch. You obviously don't operate in the real world where the firewall is more or less a political thing and not really a security measure (Most managers accept the risk of an open port so they can continue to use whatever it is they use that needs every other port open!!) Any vulnerability is worth talking about.....If you really even care about security.

The answer should never be...ah, the firewall will stop it.

[Tronic]

Ok, could we stop for the attitude plz? Man...I heard about AntiOnline and there attitudes but geesh..whether it's "Anti-AntiOnline", or a "good hack", whats the point in debating about it? Information is information, you wouldn't know about this unless he said it i'm guessing, so instead of getting into a huge flamewar with the negative attitudes, lets see what we, as hackers, can do with this information....k?
-----------------------------------------------------------------------------

Very interesting, so I guess will rethink my idea's about going to Trillian lol.

I have two questions..does Trillian store the password in some sort of a temporary cache when your logged in?

Very interesting, so the only sort of encryption they perform with this password is converting...lets say....an 'a', to an 'f', and then into hex? Theres nothing else that goes on there? Interesting...

But man thats bad...i'm glad I don't use Trillian lmao.

[FlamingRain]

There might be a way to make trillian more secure by writing your own strong version of crypto.dll and then mod trillian to use it instead. But that's a lot more work than simply not using trillian. As for your first question Tronic, I imagine it does store it somewhere. As for your second question, yes, it looks like that's all that it does. I haven't really gone in depth on cracking the actual password scheme since simply doing a codebook attack against it worked just fine. At some point when I'm not busy, I'll sit down with the tables and figure out how it works and write a program that'll decrypt the passwords or generate new ones without having to have a codebook loaded or provided.

Right now I don't have much time as I'm starting up a computer club at my school and am devoting my energy to getting machines, organizing things, and writing some basic utilities for the machines. But, anyone else is welcome to compile the tables the same way I did ( my site will have to program I made and used up very soon ) and then try cracking it. Right now I have the computer club and 3 coding projects to deal with before I get around to cracking the encryption itself. Maybe if school gets any more boring and teachers get lax, I'll work on cracking during class.

[HDD]

That is an extremely good article and after having read this I'll think twice maybe even three time about using Trillian again!
Thanks!