September 19

FTP client programs invariably have the option to save username and passwords for accounts you enter into them. For many years I used WS_FTP for my file transfer needs. Now I use FileZilla, and it's an excellent program.

Once in a while, you need to give someone the password for an account. Your FileZilla installation knows how to connect, but you don't know the original password. FileZilla stores all those passwords either in an XML file or in the registry. But they are stored encrypted. Well, very weakly encrypted. It is very easy to decrypt the passwords because every FileZilla installation uses the same key.

I did a search for a method to decrypt the passwords. Usually I can find an online tool for this kind of thing, such as an MD5 hash cracking tool. I found two things. The first was a shareware desktop program (which I did not try); installing a piece of software is really not convenient compared to an online form.

The second thing I found was an article about the security vulnerability of weak password encryption (found here: http://www.securiteam.com/windowsntfocus/5IP0A2KGVW.html, with information provided by Adrian Pastor). The code snippet from the open source application is conveniently included on that page.

Anyone with some basic programming skills and a bit of time could figure out how the password decryption works. Even I can do it, and with PHP no less. In fewer than 20 lines of code, I wrote the password decryptor. I added some web form fields to make it easy to use.

You can try it below. Just open the XML file on your computer (typically at C:\Program Files\FileZilla\FileZilla.xml) and copy the "Pass" value for one of your saved accounts (it's all numeric). For example, the encrypted password of '046044063056' decrypts as 'test'.
