Microsoft's Win95 stores your password in plaintext in the system registry.

Summary

Description:	Bill Stout notes several locations in the W95 registry where user's passwords are stored in plain text.
Author:	Bill Stout <stoutb@pios.com>
Compromise:	Find out a user's W95 password (which is often also their password on real machines)
Vulnerable Systems:	Microsoft Windoze 95
Date:	30 May 1997

Details


Date: Fri, 30 May 1997 00:41:40 +1000 (EST)
From: Peter Tonoly <anarchie@suburbia.net>
To: best-of-security@suburbia.net
Subject: BoS: [NTSEC] Plaintext passwords exist in registry (fwd'ed)


---------------------------------------------------------------
 From     : Bill Stout <stoutb@pios.com>
 Subj     : [NTSEC] Plaintext passwords exist in registry
 Date     : Wed, 28 May 1997 09:17:53 -0700
 Forward? : No
 Return   : stoutb@pios.com
 MsgID    : <2.2.32.19970528161753.00717450@vaxf.pios.com>
---------------------------------------------------------------
Most facinating what you find if you look. 

The registry does store some passwords in plain text.  The importance of the
passwords you do find depends on your installation.  I found 'password' and
'username' entries at the below locations, but not much software was
installed on these NT boxes.  Searching the NT registry for my password
string did not did not display anything, searching the W95 registry for my
specific password string found it in many places:

password locations:
hkey_local_machine\system\controlset001\services\gophersvc\parameters
                      ...\controlset002\"
                      ...\curentcontrolset\"
                                             ...\msftpsvc\parameters
                                             ...\w3svc\parameters\

username locations:
\hkey+local_machine\software\microsoft\windowsnt\currentversion\winlogon\
                ...\system\controlset001\services\bh\parameters
                      ...\controlset002\"
                      ...\curentcontrolset\"
                ...\services\gophersvc\parameters\anonymouseusername
                                              ...\logsqlusername
                         ...\msftpsvc\parameters\anonymoususername
                                             ...\logsqlusername
                         ...\w3svc\parameters\anonymoususername
                                             ...\logsqlusername

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: