Skip to content

Latest commit

 

History

History
207 lines (126 loc) · 9.56 KB

LeakedCredentialsHardcodedCredentials.md

File metadata and controls

207 lines (126 loc) · 9.56 KB

Leaked Credentials (Hardcoded Credentials)

Back to Main

Table of Contents

Description

Hardcoded Credentials occurs when sensitive credentials, such as usernames, passwords, API keys, or cryptographic keys, are embedded directly into the source code or configuration files of an application. These credentials are often stored in plaintext, making them easily accessible to anyone who can view or obtain the source code of the application.

An adversary can leverage hardcoded credentials to escalate to elevated privileges.

Lab Setup

Manual Lab Setup (.NET App)

⚠️ If you are using Windows 10 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

  1. Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
mkdir "C:\Program Files\CustomDotNetApp\"
  1. Download the file CustomDotNetApp.exe to the 'C:\Program Files\CustomDotNetApp' directory.

  2. Install the new Service:

New-Service -Name "Custom Dot Net Service" -BinaryPathName "C:\Program Files\CustomDotNetApp\CustomDotNetApp.exe" -DisplayName "Custom .NET Service" -Description "My Custom .NET Service" -StartupType Automatic

Outcome:

Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp

  1. Verify the new service (services.msc):

Hardcoded-Creds-Manual-Lab-Set-Up-DotNetApp-Verify-Service

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Custom Dot Net Service"

PowerShell Script Lab Setup (.NET App)

⚠️ If you are using Windows 10/11 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

To set up the lab with the 'Hardcoded Credentials (.NET App)' scenario use the custom PowerShell script named HardcodedCredentialsDotNetApp.ps1.

Open a PowerShelll with local Administrator privileges and run the script:

.\HardcodedCredentialsDotNetApp.ps1

Outcome:

Hardcoded-Creds-Script-Lab-Set-Up-DotNetApp

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Custom Dot Net Service"

Manual Lab Setup (Java App)

⚠️ If you are using Windows 10/11 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

⚠️ In order to run this scenario, Java must be installed on the target workstation. You can download and install Java from the Official Oracle Website.

  1. Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
mkdir "C:\Program Files\CustomJavaApp\"
  1. Download the file CustomJavaApp.jar to the 'C:\Program Files\CustomJavaApp' directory.

  2. Install the new Service:

New-Service -Name "Custom Java Service" -BinaryPathName "C:\Program Files\CustomJavaApp\CustomJavaApp.jar" -DisplayName "Custom Java Service" -Description "My Custom Java Service" -StartupType Automatic

Outcome:

Hardcoded-Creds-Manual-Lab-Set-Up-JavaApp

  1. Verify the new service (services.msc):

Hardcoded-Creds-Manual-Lab-Set-Up-JavaApp-Verify-Service

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Custom Java Service"

PowerShell Script Lab Setup (Java App)

⚠️ If you are using Windows 10/11 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

⚠️ In order to run this scenario, Java must be installed on the target workstation. You can download and install Java from the Official Oracle Website.

To set up the lab with the 'Hardcoded Credentials (Java App)' scenario use the custom PowerShell script named HardcodedCredentialsJavaApp.ps1.

Open a PowerShelll with local Administrator privileges and run the script:

.\HardcodedCredentialsJavaApp.ps1

Outcome:

Hardcoded-Creds-Script-Lab-Set-Up-JavaApp

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Custom Java Service"

Enumeration

ℹ️ The binaries of most custom applications commonly exist in C:\Program Files\ or C:\Program Files (x86)\.

Enumeration (.NET App)

After locating the directory of a custom "corporate" binary, download it onto your attacking machine and open it in dnSpy.

Go to Assembly Explorer -> CustomDotNetApp (1.0.0.0) (Assembly) -> CustomDotNetApp.exe -> CustomDotNetApp (Namespace) -> Service1 (Class) -> Authenticate (Method).

Outcome:

Hardcoded-Creds-Enumeration-DotNetApp

Enumeration (Java App)

After locating the directory of a custom "corporate" binary, download it onto your attacking machine and open it in JD-GUI Java Decompiler.

Go to CustomJavaApp.class (Class file) -> CustomJavaApp (Class) -> authenticate (Method).

Outcome:

Hardcoded-Creds-Enumeration-JavaApp

Exploitation

Obtaining the hardcoded credentials can be accomplished through several methods, which you can then utilize to elevate privileges if these credentials are valid.

Some of the common services are:

  • Remote Desktop Protocol (RDP)
  • Windows Remote Management (WinRM) (If it is enabled)
  • Server Message Block (SMB)
  • Windows Management Instrumentation (WMI)
  • Virtual Network Computing (VNC) (If it is enabled)

To identify a valid authentication method, you can use NetExec.

This is an example of using the SMB service to authenticate against the workstation and execute a command:

nxc smb <ip> -u <username> -p '<password>' -x whoami

Outcome:

Hardcoded-Credentials-Exploitation

Mitigation

To enhance the security of the application, it's advisable to remove hardcoded credentials from the source code. If that's not feasible, strong cryptographic ciphers should be used to encrypt the credentials rather than storing them in plaintext.

Moreover, you can apply the above steps to harden your .NET/Java application against reverse engineering:

  • Obfuscate your code.
  • Utilize public/private key or asymmetric encryption to generate product licenses, ensuring exclusive control over license generation. Even if the application is cracked, the key generation algorithm remains unrecoverable, preventing unauthorized license generation.
  • Use a third-party packer to pack your executable into an encrypted Win32 wrapper application or write your custom packer.

References