Ever get to an authentication challenge in a client application and have that feeling of
being rooted? I know I have on several occasions.
Here is an example
of how I might try to bypass the authentication challenge.
First, you need strings.exe from Sysinternals. Strings.exe simply scans a target file
for ASCII or UNICODE (UTF-16) strings and prints every run that meets a minimum length.
The default minimum is 3 characters (the -n switch changes it).
Mark Russinovich has produced some downright awesome tools that are handy to have in any
toolkit; strings.exe and the rest of the Sysinternals suite can be downloaded from Microsoft.
Anyway, if I wanted a dump of all strings (3 characters or longer) from my WinRAR executable,
I would run the following:

    strings.exe c:\progra~1\winrar\winrar.exe > c:\winrar_strings.txt
I like to place
the output into a text file for easy searching. Additionally, I am generating historical
evidence of my testing as I explore various ideas which I find useful later on when
I write the report, etc.
Now, in the
context of an application’s authentication challenge, how is this useful?
- The “correct” credentials are application-based as opposed to Windows-based. Meaning, the
credentials are stored “by” the application (either hard-coded somewhere or in a backend
database perhaps) instead of in the local Windows account database.
- By attempting several logins we collect the application's responses, and those give us
enough landmarks to find our way around inside the strings.exe output.
I would start by entering a username that seems likely to be “good” with a blank password.
In a real world example, I received “Invalid Password, try again!”
Now, some sample
output from the same real world test (sanitized and quite shortened of course):
program cannot be run in DOS mode.
user name, try again!
attempt failed with invalid user name:
succeeded for user name:
Password, try again!
Do you see it?
Yep, right there at the end is the exact “string” we received in response to our authentication
challenge attempt. That is our landmark inside the strings.exe output.
Now, to get a “good” password I would simply crawl the output file and look for either a
hard-coded password or a database connection string which might get me to a “good” password.
A connection string with embedded credentials found this way is a finding in its own right:
anyone who can read the executable can read it too.
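As an added example (my own code, not from the original post and not Sysinternals code), here is a small Python stand-in for the whole procedure: it extracts ASCII and UTF-16LE strings of at least three characters from a constructed sample binary the way strings.exe does, locates the error-message landmark we got back from the login attempt, and then flags connection-string-style entries and splits them into key/value pairs. The sample bytes, the server name and the "Example123" credential are all made up for the demonstration.

```python
import re
from typing import List, Tuple, Optional

# Constructed sample "binary" standing in for the client application: a few
# ASCII and UTF-16LE (what strings.exe calls UNICODE) messages embedded among
# non-printable bytes. It is not a real program; the connection string and the
# credentials in it are made up.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x01\x02\x03"
    + "Invalid user name, try again!".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"Login attempt failed with invalid user name: \x00"
    + b"Login succeeded for user name: \x00\x00"
    + "Invalid Password, try again!".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + b"Server=dbhost;Database=appdb;User ID=sa;Password=Example123\x00"
    + b"ab\x00"  # a two-character run, below the default minimum of 3
)


def extract_strings(data: bytes, min_len: int = 3) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, either plain ASCII or ASCII interleaved with NUL
    bytes (UTF-16LE), ordered by file offset. This mirrors the strings.exe
    default of 3 characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_landmark(strings: List[Tuple[int, str, str]], message: str) -> Optional[int]:
    """Index of the string equal to the error message the application sent
    back to our login attempt, or None if it is not in the dump."""
    for i, (_, _, text) in enumerate(strings):
        if text.strip() == message:
            return i
    return None


# Keys that mark a database connection string or an embedded credential.
CRED_RE = re.compile(
    r"(?i)\b(?:password|pwd|user id|uid|data source|server|initial catalog|database)\s*="
)


def credential_candidates(strings: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Strings worth a closer look: anything carrying connection-string or
    password key/value pairs."""
    return [(off, text) for off, _, text in strings if CRED_RE.search(text)]


def parse_connection_string(text: str) -> dict:
    """Split a 'key=value;key=value' connection string into a dict keyed by
    the lower-cased key name."""
    out = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    for off, enc, text in strs:
        print(f"{off:#08x} {enc:8} {text}")
    print("landmark index:", find_landmark(strs, "Invalid Password, try again!"))
    for off, text in credential_candidates(strs):
        print("candidate at", hex(off), parse_connection_string(text))
```

Run it against a real executable by replacing SAMPLE_BINARY with the file's bytes; the landmark lookup is what tells you the dump belongs to the code path you are actually exercising, and the candidate filter is only a first pass, so still read the strings around the landmark by hand.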
In the real world example above, I ended up finding a database connection string, which I
then used to load the database as “sa” and edited the application “admin” password to be

Strings.exe is just one of many useful tools. It has value in a penetration test, in malware
analysis and in reverse engineering, to name a few scenarios. It needs to be used in the right
context to produce meaningful results; as we saw above, though, it can be quite powerful.
– Jason Pittman