QTP Hackers - How to decrypt encrypted (SetSecure'd) password

I will explain you how to decode an encoded password in QTP.
Using QuickTest Professional and this approach, you can hack email accounts published on Internet. Are you interested? :) So, continue reading this QTP tutorial for details.

I've just recorded a simple script, which signs into Gmail. It:

  1. Fills 'Username' in
  2. Fills 'Password' in
  3. Clicks 'Sign in' button

And the recorded QTP script is:

Browser("Gmail").Page("Gmail").WebEdit("Email").Set "someaccount"Browser("Gmail").Page("Gmail").WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"Browser("Gmail").Page("Gmail").WebButton("Sign in").Click

As you can see, QTP script is simple enough.
I've set "someaccount" to 'Username' editbox. But what about 'Password' editbox? What value have I filled in?

QTP encrypted the password using SetSecure method:

WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
QTP Help: 
The SetSecure method is recorded when a password or other secure text is entered.
The text is encrypted while recording and decrypted during the test run.

How to know the initial text?

There is one trick. Apply SetSecure method to non-secured edit box!
Instead of this QTP code:
Browser("Gmail").Page("Gmail").WebEdit("Email").Set "someaccount"Browser("Gmail").Page("Gmail").WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
I run this QTP script:
Browser("Gmail").Page("Gmail").WebEdit("Email").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
And the result of this QTP script is:

Yes, "mypwd" was encrypted to "493844a99bee0e3ab952f2e867fd08e3". So, "mypwd" is the password I filled!
So, this is an easy way to decrypt an encrypted password in QTP.

By the way, there are two ways how to decrypt a password in QuickTest Professional:

  1. Using Crypt.Encrypt
    str = "Some Text"
    encrStr = Crypt.Encrypt(str)

    'encrStr' will contain an encrypted text.
  2. Using Password Encoder from 'Start/Programs/QuickTest Professional/Tools'

  • I explained two ways how to crypt a text in QTP
  • I shown an approach how to decrypt an encrypted text

Well, I promised to show how to hack email addresses... I remember!

I searched several QTP sites and forums for "SetSecure" function and found that some QTP engineers published their code snippets with encrypted passwords (for example, entrance into email accounts) :)

Now you know how to "read" (=steal) passwords in plain text.

Why do I tell that? 
Just to remind - be careful when you publish such private info on Internet.

No comments: