I don't do much software development these days. Ten years as a "senior software engineer" drained a lot out of that battery for me. I find that Mac troubleshooting and digging into day-to-day hardware and software stuff is a refreshing technical challenge. My creative side is satisfied by my work in the web world, with Photoshop and CSS, all brought together in the über tool, Dreamweaver.
This note is about Dreamweaver, and prying the encoded FTP password out of the settings (.ste) file for a site, specifically on a Mac.
The algorithm isn't difficult... in fact Macromedia should be ashamed of itself for the really grade-school encryption they used to obscure the password.
I know that everyone dealing with multiple web sites should have a secret file somewhere that lists all the account authentication magic required to FTP in to a client's web space: IP, username, and password. The other side is we're all told to NOT write any passwords down. In reality that's not possible, and with the plethora of notes and junk here, it's not always easy to find the FTP password for a site that has been static for a while.
I wrote a simple CodeWarrior console app to decode these a short time ago, but I first had to open the .ste to see the pw field, then paste it into my decoder to get the magic results. It would be cool if I could open the file in an editor, and by simply selecting the pw string, have the password revealed in all its human-readable glory.
I've been a longtime user of HexEdit, maintained by Lane Roathe. But, not being a software snob, I peek at other tools when I come across them. OxED is another Mac hex file editor. HexEdit and OxED have enough differences to warrant having both handy.
One perk OxED brought to the table with version 1.0.5 was a plug-in architecture. I snagged that as well, and popped into Xcode to see what I could do with it. One use quickly came to mind... an inline decoder for the lamely encoded FTP passwords in Dreamweaver .ste files.
I opened the example OxED plug-in project in Xcode, and literally in 15 minutes had built a working decoder. Here is a screenshot of how well this integrates into the data view portion of OxED.
It should have gone quicker, but I'm an old C master who moved to C++ grudgingly because it's unsightly and bloated. Objective-C still looks other-worldly to me.
The example .ste is real, but the server was local and is not online. Besides, "uranus" was an insecure password to use on my Uranus server anyway, so I'm giving away zero secrets here. Behold, Figure 1...
Figure 1. — OxED revealing the DWpass decode of the XML pw field: "757363717978" = "uranus" (no jokes please)
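The Figure 1 pair shows why a saved .ste file has to be treated as a cleartext credential: "757363717978" is just hex bytes, each one the original character plus its zero-based position. The C below is an added illustration, not the author's CodeWarrior app or OxED plug-in; the rule is the one consistent with the post's example, and the sample line's layout (everything except the pw value) is an assumption constructed for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Each hex pair is one byte; the byte at position i is the original char + i.
 * Returns the decoded length, or -1 on malformed input or a short buffer. */
int dw_decode(const char *hex, size_t hexlen, char *out, size_t outsz)
{
    size_t i, n = hexlen / 2;
    if (hexlen % 2 != 0 || n + 1 > outsz) return -1;
    for (i = 0; i < n; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (char)((((hi << 4) | lo) - (int)i) & 0xff);
    }
    out[n] = '\0';
    return (int)n;
}

/* Find the first pw="..." attribute in text and decode its value into out. */
int dw_decode_pw_attr(const char *text, char *out, size_t outsz)
{
    const char *end, *p = strstr(text, "pw=\"");
    if (p == NULL || (end = strchr(p + 4, '"')) == NULL) return -1;
    return dw_decode(p + 4, (size_t)(end - (p + 4)), out, outsz);
}

/* Constructed sample line; only the pw value comes from the post. */
static const char SAMPLE[] = "<remoteinfo user=\"marc\" pw=\"757363717978\" />";
int main(void)
{
    char pw[64];
    if (dw_decode_pw_attr(SAMPLE, pw, sizeof pw) < 0) return 1;
    printf("pw decodes to: %s\n", pw);
    return 0;
}
```

Since no key is involved, anyone who can read the .ste (backups, shared project folders, version control) can read the FTP password.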
Marc, February 27, 2007
(1) The opinions expressed in Marc's Notes: Comments, Ramblings, Rants & Tips are exclusively those of Marc Wolfgram.
Copyright © 2003-2008 by MacCetera, a Wisconsin LLC owned by Marc & Tammy Wolfgram
25-Oct-2009