AIM 6.x (early versions)

Login information

The early AIM6 (or Triton) versions (6.0, 6.1, ...) only use SSL for their login; the rest of the connections are exactly the same as the 5.x OSCAR clients. The SSL trust is based on the CAs stored within Windows (Run > certmgr.msc), and the passwords for these versions are sent in plaintext!

Yes, you read that right: the passwords are not encrypted at all; the developers must have thought sending them within an SSL connection was secure enough. The login server uses OSCAR wrapped in HTML/XML.


Saved password information

Also related: the passwords for these versions of AIM are stored in the registry encrypted, but not hashed in any way. That means it would be fairly trivial to make a password stealer that retrieves actual passwords from users, no cracking required. The path is:

HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

I haven't spent much time looking at the encryption itself, but it is definitely a block cipher working on 8-byte blocks, possibly DES or Blowfish. The whole thing is prefaced with 8 bytes which are not part of the password (could be the key, I guess), and the whole shebang is then base64 encoded and placed in your registry for anyone to grab and decrypt.

You can also use your hashes from 5.x AIM versions to sign on with AIM6. It makes a new key in the registry with this path:

HKEY_CURRENT_USER\Software\America Online\AIM6\HashedPasswords

Put a new string value in that section. Its name should be the screen name you wish to sign on with, and its value should be the hash from your 5.x version of AIM, usually found here:

HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\[Name of user]\Login\Password1

You also need to add a new DWORD with the same name in the following section:

HKEY_CURRENT_USER\Software\America Online\AIM6\Options

Last but not least, alter the UserList value, found here:

HKEY_CURRENT_USER\Software\America Online\AIM6

It's in the format:

username1,username2,username3,

Note the trailing comma. For this login method the client sends the straight MD5 of your password, with no extra salting or anything like in previous AIM versions.
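The registry layout described above (the encrypted Passwords values, the migrated HashedPasswords values, and the comma-terminated UserList) is easy to audit from PowerShell. The script below is an added example and not part of the original page: it reads only the paths named above, never decrypts anything, and reports which screen names have credential material stored for the current user. It also checks the page's observation that each base64 blob decodes to an 8-byte prefix plus whole 8-byte blocks. The function names and report fields are my own; the registry value format for HashedPasswords is assumed to be a plain string.

```powershell
# Added audit example, not code from the original page.
# Registry paths come from the page; helper names are assumptions.
$base = 'HKCU:\Software\America Online\AIM6'

function Get-AimStoredCredentials {
    $report = @()

    # Encrypted (not hashed) passwords: one value per screen name
    $pwKey = Join-Path $base 'Passwords'
    if (Test-Path $pwKey) {
        $item = Get-Item $pwKey
        foreach ($name in $item.GetValueNames()) {
            $raw  = [string]$item.GetValue($name)
            $info = [pscustomobject]@{
                ScreenName   = $name
                Kind         = 'EncryptedPassword'
                ValueLength  = $raw.Length
                BlockAligned = $null   # only meaningful for base64 blobs
            }
            try {
                $blob = [Convert]::FromBase64String($raw)
                # Page's observation: 8-byte prefix followed by 8-byte cipher blocks,
                # so a valid blob is at least 16 bytes and a multiple of 8.
                $info.BlockAligned = ($blob.Length -ge 16) -and ($blob.Length % 8 -eq 0)
            } catch {
                $info.BlockAligned = $false   # not valid base64 at all
            }
            $report += $info
        }
    }

    # Raw MD5 hashes migrated from 5.x (no salt, per the page)
    $hashKey = Join-Path $base 'HashedPasswords'
    if (Test-Path $hashKey) {
        $item = Get-Item $hashKey
        foreach ($name in $item.GetValueNames()) {
            $report += [pscustomobject]@{
                ScreenName   = $name
                Kind         = 'Md5Hash'
                ValueLength  = ([string]$item.GetValue($name)).Length
                BlockAligned = $null
            }
        }
    }
    return $report
}

function Get-AimUserList {
    # UserList is "a,b,c," with a trailing comma; drop the empty final element
    $v = (Get-ItemProperty -Path $base -Name UserList -ErrorAction SilentlyContinue).UserList
    if (-not $v) { return @() }
    return @(($v -split ',') | Where-Object { $_ -ne '' })
}

$creds = Get-AimStoredCredentials
$users = Get-AimUserList

"Accounts listed in UserList: $($users -join ', ')"
$creds | Format-Table -AutoSize

# Accounts that AIM6 knows about but that have no stored credential of either kind
$users | Where-Object { $_ -notin $creds.ScreenName } |
    ForEach-Object { "No stored credential for $_" }
```

Run it in the context of the user whose profile you are checking, since everything lives under HKEY_CURRENT_USER. A non-empty EncryptedPassword row is the finding that matters: the value is reversible, so clearing those entries (or not saving the password in the client) is the mitigation; a BlockAligned of False means the value does not match the structure the page describes and is worth a closer look.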


Stability

I would not recommend writing chat programs based on these versions of the protocol; they seem much more unstable than the 5.x versions and more susceptible to large/fast floods of data.


Documents