Read Sensitive Stings Within an Executable
Attack Pattern ID: 191 (Detailed Attack Pattern Completeness: Complete)Typical Severity: LowStatus: Draft
+ Description


An attacker engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password.

When analyzing an executable the attacker may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.

More sophisticated methods of searching for sensitve strings within a file involve dissassembly or decompiling of the file. One could, for example, utilize dissassembly methods on a ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.

Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Dissassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.

+ Resources Required

Access to a binary or executable such that it can be analyzed by various utilities. Binary analysis programs such as 'strings' or 'grep', or hex editors. Decompilers such as "DJ" for java, or decompilers designed for specific languages. Debugging programs such as ollydbg, SoftICE, or dissassemblers such as IDA Pro.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
798Use of Hard-coded CredentialsTargeted
259Use of Hard-coded PasswordSecondary
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern190Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content 
Mechanism of Attack (primary)1000
+ References