Strings for You and Me

Ever get to an authentication challenge in a client application and have that feeling of being rooted? I know I have on several occasions.

Here is an example of how I might try to bypass the authentication challenge.

First, you need strings.exe from Sysinternals. Strings.exe simply scans a target file for ASCII or Unicode strings of a configurable minimum length; the default minimum is 3 characters. Mark Russinovich has produced some downright awesome tools that are handy to have in any toolkit. Download strings.exe and more here.

Anyway, if I wanted a dump of all strings (at least 3 characters long) from my WinRAR executable, I would run the following:

strings c:\progra~1\winrar\winrar.exe > c:\winrar_strings.txt

I like to place the output into a text file for easy searching. Additionally, I am generating historical evidence of my testing as I explore various ideas which I find useful later on when I write the report, etc.

Now, in the context of an application’s authentication challenge, how is this useful?

The assumptions:

  1. The “correct” credentials are application based as opposed to Windows. Meaning, the credentials are stored “by” the application (either hard coded somewhere or in a backend database perhaps) rather than in the local Windows database.
  2. By attempting several logins we can gain enough knowledge to find our way around inside the strings.exe output.

Dig it.

I would start by entering a username that seems likely to be “good” with a blank password. In a real world example, I received “Invalid Password, try again!”

Now, some sample output from the same real world test (sanitized and quite shortened of course):

A
A-A:AGATAaA
@YA
A%A
@?A
@LA
@2A
!This program cannot be run in DOS mode.
z
r
Rich
.text
`.data
<snip>
Invalid user name, try again!
Login
Login attempt failed with invalid user name:
Login succeeded for user name:
Invalid Password, try again!

Do you see it?

Yep, right there at the end is the exact “string” we received in response to our authentication challenge attempt. That is our landmark inside the strings.exe output.

Now, to get a “good” password I would simply crawl the output file and look for either a hard coded password or a database connection string which might get me to a “good” password.

In the real world example above, I ended up finding a database connection string which I then used to load the database as “sa” and edited the application “admin” password to be blank.
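Added example (not code from this post or from Sysinternals): a Python stand-in for the workflow above that extracts ASCII and UTF-16LE strings of at least 3 characters from a file, finds the landmark error message, and flags connection-string-like entries with the password value masked, so a team can audit its own build artifacts for embedded credentials before release. The sample binary bytes and the connection string inside them are constructed placeholders.

```python
import re

MIN_LEN = 3  # same default minimum length as strings.exe

# Constructed sample "binary": PE-like header junk, the app's error strings and a
# hypothetical embedded connection string (the password is a placeholder, not real).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"!This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"Rich\x8f\xa2\x00\x00.text\x00\x00\x00"
    b"Invalid user name, try again!\x00\x00"
    + "Login succeeded for user name:".encode("utf-16-le")
    + b"\x00\x00Invalid Password, try again!\x00\x00"
    b"Server=db01;Database=appdb;User ID=sa;Password=EXAMPLE_NOT_REAL;\x00\x00\x7f\x01\xc3"
)

# Keys that usually mark a database connection string or an embedded credential.
CRED_RE = re.compile(r"\b(password|pwd|user id|uid|data source|server)\s*=", re.I)

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len chars, in file order."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]

def locate_landmark(strings: list[str], message: str) -> int:
    """Index of the first extracted string containing the text the app showed, or -1."""
    return next((i for i, s in enumerate(strings) if message in s), -1)

def redact(s: str) -> str:
    """Mask password values so the audit report never carries the secret itself."""
    return re.sub(r"(?i)(password|pwd)\s*=\s*[^;\s]*", r"\1=<redacted>", s)

def audit_binary(data: bytes, landmark_message: str) -> dict:
    """Dump strings, find the landmark error text, and list credential-looking entries."""
    strings = extract_strings(data)
    return {
        "total_strings": len(strings),
        "landmark_index": locate_landmark(strings, landmark_message),
        "credential_candidates": [redact(s) for s in strings if CRED_RE.search(s)],
    }

if __name__ == "__main__":
    report = audit_binary(SAMPLE_BINARY, "Invalid Password, try again!")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `audit_binary` with the error text the application returned.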

Strings.exe is just one of many useful tools. It has value in a penetration test, malware analysis, and reverse engineering, just to name a few scenarios. It needs to be used in the right context in order to produce meaningful results; however, as we can see above, it can be quite powerful.

About the Author

Tevora is a specialized management consultancy focused on cyber security, risk, and compliance services. Our combination of collaborative strategic planning and skillful execution make us a trusted partner to some of the most famous brands in the world.
