New to CAPEC? Start Here
Home > CAPEC List > CAPEC-191: Read Sensitive Constants Within an Executable (Version 3.9)  

CAPEC-191: Read Sensitive Constants Within an Executable

Attack Pattern ID: 191
Abstraction: Detailed
View customized information:
+ Description

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

+ Extended Description

One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.

Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.

+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.167White Box Reverse Engineering
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to a binary or executable such that it can be analyzed by various utilities.
+ Resources Required
Binary analysis programs such as 'strings' or 'grep', or hex editors.
+ Notes


More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.

Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1552.001Unsecured Credentials:Credentials in files
+ References
[REF-51] "Wikipedia". Decompiler. The Wikimedia Foundation, Inc. <>.
[REF-52] "Wikipedia". Debugger. The Wikimedia Foundation, Inc. <>.
[REF-53] "Wikipedia". Disassembler. The Wikimedia Foundation, Inc. <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Other_Notes, References, Related_Attack_Patterns, Resources_Required
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Prerequisites, Description Summary, Resources_Required
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Description, Related_Attack_Patterns, Taxonomy_Mappings
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Extended_Description
Previous Entry Names
Change DatePrevious Entry Name
(Version 3.3)
Read Sensitive Strings Within an Executable
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 30, 2020