captain holly java blog

How to recover passwords from dbvisualizer

Posted in Uncategorized by mcgyver5 on April 12, 2015

There used to be a way (CTRL-right click, I believe) to reveal a database password in dbvisualizer.  I was trying to recover a forgotten password and realized that I might be able to see it by “attaching to an existing process” with Javasnoop.

Javasnoop has a thing called “Canary Mode”.  Canary Mode lets you enter a string have it distribute listeners all over the application whose process you’ve attached to.  These canaries will sing if they spot that string when the application runs. After running the app with the canaries posted, you end up with a list of methods that handled that string.  In this example, I put in a known password (“Secret1234”) and then tried logging into the database with that password.

canary mode screen

This puts canary listeners “all over” the jvm.

This took about 5 minutes to place all the “Canaries”.  Then, I clicked “connect” in DBVisualizer

dbvisualizer

Connect with known password.

And the canaries did their work:

Results after attempting to connect with known password

Results after attempting to connect with known password

Fortunately, only three methods of interest popped up.

Then you can use the hooking screen and enable the hook in one of the methods the canaries found and have it display the parameters (On execution –> print parameters –> to console).

plaintext password is seen before it is hashed and sent out.

plaintext password is seen before it is hashed and sent out.

Now I can continue logging into other databases with my stored credentials and recover the passwords as they are printed to the console.

This is a short explanation of Javasnoop and not a bug of dbvisualizer or java.  I’ve only connected to a local Java process after purposely disabling sandbox controls.  On the other hand, clients such as putty or winscp dissuade users from storing passwords.

Hint:  You can make this process much faster by limiting the packages where the canaries 
are placed to com.onseven.dbvis in the "Only put canaries in the following package" field inthe Start canary mode screen.

Note:  I noticed that the Javasnoop code has not been updated in some time and the Google Code repository suggested exporting the project to GitHub.  So, I did.  The code is now at https://github.com/mcgyver5/javasnoop  I kept all attribution to the original author and I hope this move is OK with them.

Advertisements
Tagged with: , ,

2 Responses

Subscribe to comments with RSS.

  1. Toby said, on January 22, 2016 at 9:25 am

    Hi. I was able to show passwords by simply setting a Master Password (in preferences) and then ctrl-clicking on the password field and choosing Show Password

    • mcgyver5 said, on March 18, 2016 at 1:36 am

      that… also works. Thanks for sharing that.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: