Skype Password Recovery

Back in the old days, when we were only just starting up, we had no direction on where we should be going or what we should do. We had no analysis tools to find out which recovery tools were in demand, and we had no research on what kinds of recovery were possible.

Over a year ago we bought a skype password domain in the hope that we would develop a Skype Password Recovery tool and upload it to the site. This was a very careless move. Little did we know that Skype never keeps the password itself: it produces a hash of the user password and uses that hash both to authenticate and to store the login info locally (the hash is transferred over a secure channel to authenticate).

As Fabrice Desclaux and Kostya Kortchinsky tell us in their paper, Skype uses the MD5 hash of “username\nskyper\npassword” to authenticate. The same hash is stored in the config.xml file (C:\Documents and Settings\<Windows Username>\Application Data\Skype\<SkypeUsername>\config.xml). In fact, this MD5 hash is then encrypted using AES and SHA-1 before being stored in config.xml.
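As an added illustration, not code from this post, from the paper, or from Skype, the following Python reproduces the hash construction just described and checks a short list of candidate passwords (as a user would supply for their own account) against a stored hash. The function names, the UTF-8 encoding of the string, and the sample values are assumptions; the example starts from the raw MD5 and does not deal with the AES/SHA-1 wrapping that config.xml applies on top of it. The point it makes for a defender is that one guess costs a single unsalted MD5 (the username is the only per-user input), so the security of the scheme rests entirely on the password's length and unpredictability.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def skype_hash(username: str, password: str) -> str:
    """MD5 of "username\nskyper\npassword", as described by Desclaux and Kortchinsky.

    Assumption: the string is encoded as UTF-8 before hashing.
    """
    data = f"{username}\nskyper\n{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def check_candidates(username: str, stored_hex: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose Skype hash equals stored_hex, else None.

    hmac.compare_digest is used so the comparison time does not leak how many
    leading bytes of the hash matched.
    """
    stored_hex = stored_hex.lower()
    for pw in candidates:
        if hmac.compare_digest(skype_hash(username, pw), stored_hex):
            return pw
    return None


def guesses_per_second_cost(hash_rate: float, alphabet_size: int,
                            length: int) -> float:
    """Worst-case seconds to exhaust all passwords of a given length.

    A rough estimate only; it assumes every guess costs exactly one MD5,
    which is why the post limits realistic exhaustive search to short passwords.
    """
    return (alphabet_size ** length) / hash_rate


if __name__ == "__main__":
    # Constructed sample: an account owner checking their own stored hash
    # against a dozen passwords they think they may have used.
    user = "alice.example"            # hypothetical Skype username
    stored = skype_hash(user, "Rover2005")   # stands in for the recovered MD5
    guesses = ["rover", "Rover", "rover2005", "Rover2005", "agnes", "acme1"]
    print("match:", check_candidates(user, stored, guesses))
    # Exhausting 8 mixed-case alphanumerics at a (constructed) 1e9 MD5/s rate:
    print("seconds for 62^8:", guesses_per_second_cost(1e9, 62, 8))
```

The hash is case-sensitive in the password because MD5 sees raw bytes; whether Skype normalises the username before hashing is not stated on this page, so the example passes it through unchanged.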

Skype Encryption Scheme

To put what the above means in simple words: there is no algorithm that is guaranteed to recover a Skype password, because only a hash of it is ever kept. Brute-force and dictionary attacks are the only methods. Both are time-consuming and are only practical for passwords of up to about 8 characters.

2 Responses to “Skype Password Recovery”

  1. Hagrinas Says:

    There are still some tools that could be produced easily to assist users in password recovery.

    Skype has a web page for password recovery. It simply asks for the user name and email address. It’s obvious that the person has the user name, or there’s nothing to recover. But the user might not have the email address, and that’s a common problem.

    Skype stores the email address that was used when the user registered. It’s in %app data%\skype\skypeusername\profilennnn.dbb. The skype user name would have to be plugged in, and I don’t know how to figure out the number, except there’s only one dbb file in that directory with a name starting with profile.

    A tool would search that file for the email address, which is preceded by an @ sign and followed by x00. Of course, a person could find the file manually, open it with a text editor, and read it, but a tool would be almost trivial to write.

    Once the user has the email address, assuming it’s valid and the email goes to the user, recovery is trivial.

    The other thing is MD5 encoding. From what I read on this website, it should be trivial to write something to encode the password and end up with something that matches what is stored locally. Users often have an idea of what they might have used, such as words, letters, or numbers that they typically use. A user might be able to make a list of a dozen or so possible passwords, and a program could tell easily when they had a match.

    Alternatively, rather than generating random passwords and using brute force, a user could supply parameters. If my name is John Smith and I work for Acme, have three children whose ages I sometimes use in passwords, and my wife’s name is Agnes, I might want to be able to supply a dozen keywords, such as my name, kids’ names, etc. A program could try various combinations in different orders, with and without embedded numbers. I might know that I typically use numbers at the end, or that I want to limit numbers to 1 or 2 digits.

    In a nutshell, a user might be able to come up with enough keywords and parameters to enable a relatively simple algorithm to find the password in less than a few seconds.

  2. Hagrinas Says:

    Sorry, I didn’t see the AES and SHA-1 part. It wouldn’t be trivial. But it would still be helpful for users who don’t remember what email address they used to have something along the lines of the first part.
