Friday, September 28, 2012

Plain Text memory passwords

This vulnerability has been around for a very long time, but what makes me write about it is my new project, a simple desktop application developed in VB. I won't be talking much about this application, but will describe the attack [PTMP] with a few web applications on the internet.

Memory is a vital component for any application, be it a web app or a simple desktop app. And most of the time our login passwords are kept unencrypted in the process memory. This blog discusses the easiest ways to extract plain text passwords from any application that does not encrypt user passwords before storing them in the process memory.

More Insight!!

Take a simple web application which prompts a user to enter his/her user ID and password on its login page (take for example Gmail).

So coming back! After the authentication phase the password is stored in the process memory which can be easily extracted using tools like userdump or memory viewers like WinHex.

Here is a small POC on PTMP:

Shtep bi shtepp!!

1) I closed all instances of my awesome Firefox and opened up my Firefox pentesting profile, which I have created ( probably I will write about how to create one in one of my future blogs ).

2) Navigated to the website {} and entered my login credentials

3) Now it's time to dump the process. For this I used userdump, which could be found at (
and listed all the running processes [ userdump.exe -p ]

This lists all the running processes on my system, but what I am more interested in is a dump of my firefox.exe

The command to dump is "userdump firefox.exe" ( it is also allowed to give the particular PID of the process which is 5724 in this case )

4) Now, having the dump, I extracted the readable strings from it using a tool from the Sysinternals suite called strings.exe ( strings.exe firefox.dmp > test.txt )
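To verify whether an application you are testing leaves a login password in its process image, log in with a throwaway canary password, dump the process as in the steps above, and search the dump for that exact value. The following is an added example, not code from the original post; the function names and the canary value are assumptions, and it goes beyond a plain strings search by also checking the UTF-16LE and URL-encoded forms a typed password can take.

```python
from urllib.parse import quote

def canary_encodings(canary):
    """Byte forms a typed password commonly takes inside a process image."""
    return {
        "ascii/utf-8": canary.encode("utf-8"),
        "utf-16le": canary.encode("utf-16-le"),                 # Windows wide strings
        "url-encoded": quote(canary, safe="").encode("ascii"),  # form POST body
    }

def scan_dump(path, canary, chunk_size=1 << 20):
    """Return {encoding: [file offsets]} for every copy of the canary in the dump."""
    forms = canary_encodings(canary)
    overlap = max(len(p) for p in forms.values()) - 1
    hits = {name: [] for name in forms}
    with open(path, "rb") as fh:
        base, tail = 0, b""
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # Keep the end of the previous chunk so a match that straddles
            # a chunk boundary is still found.
            buf = tail + chunk
            start = base - len(tail)
            for name, pat in forms.items():
                pos = buf.find(pat)
                while pos != -1:
                    off = start + pos
                    if off not in hits[name]:   # skip re-finds inside the overlap
                        hits[name].append(off)
                    pos = buf.find(pat, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(chunk)
    return hits

def build_constructed_dump(canary):
    """Constructed sample bytes standing in for a dump file (not real data)."""
    forms = canary_encodings(canary)
    return (b"\x00" * 100 + b"pass=" + forms["url-encoded"]
            + b"\xff" * 50 + forms["utf-16le"] + b"\x00" * 30)

if __name__ == "__main__":
    import os, tempfile
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dmp") as tmp:
        tmp.write(build_constructed_dump("Canary#2012!"))
    print(scan_dump(tmp.name, "Canary#2012!", chunk_size=64))
    os.remove(tmp.name)
```

An empty result for every encoding after logout or after a fix is the pass condition; any offset is a resident copy of the password to track down in the code.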
