captain holly java blog

How to recover passwords from dbvisualizer

Posted in Uncategorized by mcgyver5 on April 12, 2015

There used to be a way (CTRL-right click, I believe) to reveal a database password in dbvisualizer.  I was trying to recover a forgotten password and realized that I might be able to see it by “attaching to an existing process” with Javasnoop.

Javasnoop has a feature called “Canary Mode”.  Canary Mode lets you enter a string and have it distribute listeners all over the application whose process you’ve attached to.  These canaries will sing if they spot that string when the application runs. After running the app with the canaries posted, you end up with a list of methods that handled that string.  In this example, I put in a known password (“Secret1234”) and then tried logging into the database with that password.

canary mode screen

This puts canary listeners “all over” the jvm.

This took about 5 minutes to place all the “Canaries”.  Then, I clicked “connect” in DBVisualizer.

dbvisualizer

Connect with known password.

And the canaries did their work:

Results after attempting to connect with known password

Fortunately, only three methods of interest popped up.

Then you can use the hooking screen, enable the hook on one of the methods the canaries found, and have it display the parameters (On execution –> print parameters –> to console).

plaintext password is seen before it is hashed and sent out.

Now I can continue logging into other databases with my stored credentials and recover the passwords as they are printed to the console.

This is a short explanation of Javasnoop and not a bug of dbvisualizer or java.  I’ve only connected to a local Java process after purposely disabling sandbox controls.  On the other hand, clients such as putty or winscp dissuade users from storing passwords.

Hint:  You can make this process much faster by limiting the packages where the canaries are placed to com.onseven.dbvis in the "Only put canaries in the following package" field in the Start canary mode screen.

Note:  I noticed that the Javasnoop code has not been updated in some time and the Google Code repository suggested exporting the project to GitHub.  So, I did.  The code is now at https://github.com/mcgyver5/javasnoop.  I kept all attribution to the original author and I hope this move is OK with them.


Slowloris vs tomcat

Posted in security, tomcat, Uncategorized by mcgyver5 on June 19, 2009

RSnake has been thinking about a denial of service attack against web servers that involves sending partial HTTP packets to use up the number of allowed clients. Sending carefully crafted partial packets causes the server to take A LONG TIME to work on the response to your request, using up its resources and becoming temporarily unavailable to other visitors. Apache HTTPD is mentioned as a server that is vulnerable. IIS is mentioned as one that is not. RSnake, being a realist and not an anti-Microsoft evangelist, often says things that make the open source advocates uncomfortable. (“PHP is the bane of my existence” and “Whenever I assess a dot net application I know right off the bat that I’m going to find half the number of vulnerabilities”).

A few notes about Slowloris: It can’t effectively DoS a box from Windows because it works by creating hundreds of sockets and Windows only allows a max of 130. It doesn’t crash anything, so it is a gentle tool (haha); it just happens to make web applications unavailable for as long as the attacker wishes. It does, by the way, send out hundreds of packets, so it is detectable by the administrator.

To use Slowloris, first establish a timeout for the web server you are attacking:
./slowloris.pl -dns http://localhost -port 8080 -test

This should return some numbers to use for a timeout.

They don’t mention tomcat, so I spent most of the afternoon setting up a machine to see if this tool can DOS tomcat.

drum roll please….

slowloris test

The test output makes clear that we’ll be using a 5 second timeout for TCP and a 30000 millisecond timeout for HTTP.
Then,
./slowloris.pl -dns localhost -port 8080 -timeout 30000 -num 500 -tcpto 5

The above opens 500 sockets with a TCP timeout of 5 seconds, and looks like this:

slowloris execution

Now, try and connect to the benighted Tomcat server.
Hmmm. Works fine. What gives?  I suspect that at this number of connections (500), I am still able to get a connection.  The first visit takes a really long time, but once I get through, I can use the site normally.  This matches the statement in the documentation that ”    “.  If I raise the number of connections…. it still takes a very long time to load the first page, but thereafter the application is just as easy to access.

When I run Slowloris on the same server, however, Tomcat is completely DOS-ED.    I’m impressed with the absolute unavailability of Tomcat in relation to the low level of traffic that Slowloris generates.

Ooooh.   I thought I was supposed to convert 30 seconds into milliseconds.  Wrong!  Setting the timeout this high (30,000 seconds) is clearly too high.  When I set it down to 30, Slowloris CRUSHED Tomcat, remotely or locally.  As you can see below, setting the timeout correctly allowed many more packets to be sent.

slowloris success
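The timeout lesson above has a defensive mirror: a server, or a monitor sitting in front of it, should bound how long a connection may sit with an incomplete request head, and many such stalled connections from a single source are the signature worth alerting on. The script below is an added example and is not code from the original post, from Slowloris, RSnake or Tomcat; it runs that check over constructed connection records (the addresses, timestamps and request fragments are made up), and the thresholds it uses are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP request head


@dataclass
class Conn:
    """One accepted client connection as a monitor would see it (constructed record)."""
    src: str          # client address
    opened_at: float  # seconds since epoch when the socket was accepted
    buf: bytes        # request bytes received so far


def headers_complete(buf: bytes) -> bool:
    """True once the request head has been terminated by an empty line."""
    return HEADER_END in buf


def stalled_connections(conns, now, max_header_wait):
    """Connections still waiting for the end of the request head after max_header_wait seconds.

    A legitimate slow client can produce one of these; a slow-header attack
    produces many, each kept alive by an occasional extra header line.
    """
    return [
        c for c in conns
        if not headers_complete(c.buf) and now - c.opened_at > max_header_wait
    ]


def suspicious_sources(conns, now, max_header_wait, per_source_limit):
    """Map source address -> stalled-connection count for sources at or over the limit."""
    counts = defaultdict(int)
    for c in stalled_connections(conns, now, max_header_wait):
        counts[c.src] += 1
    return {src: n for src, n in counts.items() if n >= per_source_limit}


# Constructed sample: one normal client, one genuinely slow client, and one
# source holding five connections open with partial request heads.
PARTIAL_HEAD = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"  # no blank line yet
SAMPLE = [
    Conn("192.0.2.10", opened_at=98.0, buf=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Conn("192.0.2.20", opened_at=60.0, buf=b"GET /index.html HTTP/1.1\r\n"),
] + [Conn("198.51.100.7", opened_at=float(i), buf=PARTIAL_HEAD) for i in range(5)]


def analyse(now=100.0, max_header_wait=30.0, per_source_limit=3):
    """Run the check over SAMPLE; returns (stalled-connection count, offending sources)."""
    stalled = stalled_connections(SAMPLE, now, max_header_wait)
    return len(stalled), suspicious_sources(SAMPLE, now, max_header_wait, per_source_limit)


if __name__ == "__main__":
    total, offenders = analyse()
    print(f"{total} stalled connections; sources over limit: {offenders}")
```

With a 30 second header wait the sample flags the one source holding five half-sent requests while leaving the single slow client alone; with a 30000 second wait, the same mistake as the first run in the post, nothing is flagged at all. On the server side the equivalent knob for Tomcat is the HTTP Connector's connectionTimeout attribute, which caps how long the connector waits for the request line and headers to arrive.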
