June 15, 2007

Strings for You and Me

Ever get to an authentication challenge in a client application and have that feeling of being rooted? I know I have on several occasions.

Here is an example of how I might try to bypass the authentication challenge.

First, you need strings.exe from Sysinternals. Strings.exe simply parses a target file for ASCII or Unicode strings of a configurable minimum length. The default minimum is 3 characters to make a string. Mark Russinovich has produced some downright awesome tools that are handy to have in any toolkit. Download strings.exe and more here:

(http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx)

Anyway, if I wanted a dump of all strings (the default minimum of 3 characters) in my WinRAR executable, I would run the following and redirect the output to a file:

strings c:\progra~1\winrar\winrar.exe > c:\winrar_strings.txt

I like to place the output into a text file for easy searching. Additionally, I am generating historical evidence of my testing as I explore various ideas, which I find useful later on when I write the report, etc.

Now, in the
context of an application’s authentication challenge, how is this useful?

The assumptions:

  1. The “correct” credentials are application based as opposed to Windows. Meaning, the credentials are stored “by” the application (either hard coded somewhere or in a backend database perhaps) rather than in the local Windows account database.
  2. By attempting several logins and noting the exact error messages the application returns, we gain enough landmarks to find our way around inside the strings.exe output.

Dig it.

I would start by entering a username that seems likely to be “good” with a blank password. In a real world example, I received “Invalid Password, try again!”

Now, some sample output from the same real world test (sanitized and quite shortened of course):

A
A-A:AGATAaA
@YA
A%A
@?A
@LA
@2A
!This program cannot be run in DOS mode.
z
r
Rich
.text
`.data
<snip>
Invalid user name, try again!
Login
Login attempt failed with invalid user name:
Login succeeded for user name:
Invalid Password, try again!

Do you see it? Yep, right there at the end is the exact “string” we received in response to our authentication challenge attempt. That is our landmark inside the strings.exe output.

Now, to get a “good” password I would simply crawl the output file, starting from that landmark, and look for either a hard coded password or a database connection string which might get me to a “good” password.
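The whole workflow above (dump the printable strings, find the error-message landmark, then look for credential-shaped strings in the dump), as an added Python example that re-implements the strings.exe idea; this is not code from the original post or from Sysinternals. The binary it scans is a constructed byte blob, the connection string and its `Password=EXAMPLE-ONLY` value are made up, and the `SECRET_HINTS` pattern is an assumption about what embedded credentials tend to look like. Run over your own build output before release, it reports the same strings an attacker would find in a strings dump, which is the point at which to move the secret out of the binary.

```python
"""Re-implementation of the strings.exe idea as an audit script (added example,
not part of the original post). It dumps printable runs from a binary, locates
the error message the application showed us (the "landmark"), and flags strings
that look like embedded credentials or connection strings."""
import re
from typing import List, Tuple

MIN_LEN = 3  # strings.exe's default minimum string length

# What a hard-coded credential or DB connection string usually contains.
# Assumption: a heuristic only; extend it for the applications you audit.
SECRET_HINTS = re.compile(
    r"(password|pwd|user id|uid|connection string)\s*=", re.IGNORECASE
)

Extracted = Tuple[int, str, str]  # (file offset, "ascii" | "utf16", text)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Extracted]:
    """Return every run of at least min_len printable characters, both plain
    ASCII and UTF-16LE (what strings.exe calls "Unicode"), ordered by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Extracted] = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def find_landmark(strings: List[Extracted], landmark: str) -> int:
    """Index of the first string containing the message the application showed
    us (e.g. "Invalid Password"), or -1 if it is not in the dump."""
    for i, (_, _, text) in enumerate(strings):
        if landmark in text:
            return i
    return -1


def flag_secret_candidates(strings: List[Extracted]) -> List[Tuple[int, str]]:
    """Strings that look like credentials or connection strings, as (offset, text)."""
    return [(off, text) for off, _, text in strings if SECRET_HINTS.search(text)]


# Constructed stand-in for an application binary: a PE-style stub, section
# names, the login messages from the post, and a made-up connection string.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"\x01\x02\x03\x04"
    + b".text\x00\x00\x00`.data\x00\x00\x00"
    + b"Invalid user name, try again!\x00\x00"
    + "Login succeeded for user name:".encode("utf-16-le") + b"\x00\x00"
    + b"Invalid Password, try again!\x00\x00"
    + b"Server=db01;Database=app;User Id=sa;Password=EXAMPLE-ONLY;\x00"
    + b"\xde\xad\xbe\xef"
)


def audit(data: bytes, landmark: str) -> dict:
    """Run the three steps over one binary and return a small report."""
    strings = extract_strings(data)
    idx = find_landmark(strings, landmark)
    return {
        "total_strings": len(strings),
        "landmark_index": idx,
        "landmark_offset": strings[idx][0] if idx >= 0 else None,
        "secret_candidates": flag_secret_candidates(strings),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_BINARY, "Invalid Password")
    print(f"{report['total_strings']} strings; landmark at offset {report['landmark_offset']}")
    for off, text in report["secret_candidates"]:
        print(f"  possible credential @ 0x{off:x}: {text}")
```

Pointing `audit()` at a real file is a matter of `audit(open(path, "rb").read(), "Invalid Password")`. The UTF-16 pattern matters on Windows binaries because .NET and many Win32 applications store their message and connection strings as wide characters, which a plain ASCII scan misses entirely.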

In the real world example above, I ended up finding a database connection string which I then used to load the database as “sa” and edited the application “admin” password to be blank.

Strings.exe is just one of many useful tools. It has value in a penetration test, malware analysis, and reverse engineering, just to name a few scenarios. It needs to be used in the right context in order to produce meaningful results; however, as we can see above, it can be quite powerful.

– Jason Pittman