Home > CAPEC List > CAPEC-191: Read Sensitive Strings Within an Executable (Version 2.9)  

CAPEC-191: Read Sensitive Strings Within an Executable

Read Sensitive Strings Within an Executable
Definition in a New Window Definition in a New Window
Attack Pattern ID: 191
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password.

When analyzing an executable the attacker may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.

+ Typical Severity


+ Resources Required

Access to a binary or executable such that it can be analyzed by various utilities. Binary analysis programs such as 'strings' or 'grep', or hex editors.

+ References
[R.191.1] [REF-6] "Wikipedia". Decompiler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Decompiler>.
[R.191.2] [REF-6] "Wikipedia". Debugger. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Debugger>.
[R.191.3] [REF-6] "Wikipedia". Disassembler. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Disassembler>.
[R.191.4] ATT&CK Project. "Credentials in files (1081)". MITRE. <https://attack.mitre.org/wiki/Credentials_in_files>.
+ Other Notes

More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.

Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.

+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-11-09Updated Description Summary, Other_Notes, References, Related_Attack_Patterns, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015