Description: In this video we will see how easy it is to retrieve passwords from applications which store them in memory without any form of encryption. A large number of applications can fall prey to this security vulnerability and get their users' passwords hacked: web browsers, email clients, instant messengers etc. fall in this category. The main idea behind the hack is that while the application is running, we should be able to dump its entire memory to a file, without having to stop or tamper with the application in any way. Pmdump makes this very easy by letting us select the running application whose memory we want to dump.

Please download a copy of the Pmdump program and the Strings program before continuing with this video. We shall also use the demo application MemPass.exe to show the vulnerability. The application is a very simple piece of code which takes the user input, clears the screen and pauses its execution.

We will first run MemPass.exe, input a password, then switch to Pmdump and dump the process memory into a file. Finally we will use the Strings program to retrieve the password from this file.

I am pasting the sample code for MemPass.exe for your convenience:

-----------------------Code ---------------------------------------

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char buffer[50];
    printf("Please enter your password:");

    /* %49s bounds the read to the 50-byte buffer (a plain %s could overflow it) */
    scanf("%49s", buffer);
    system("CLS");    /* clear the console so the password is no longer visible on screen */
    system("PAUSE");  /* keep the process alive, with the password still sitting in memory */
    return 0;
}

--------------------------------Ends-----------------------------------

So how do we protect against such attacks? All sensitive information, even while in RAM, should be encrypted, to make sure that an easy eavesdropping attack like the one described above does not succeed.
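As an added example (not code from the video, from Pmdump, or from MemPass.exe), the C program below models both halves of what the video shows, on a constructed byte image instead of a real process dump: `scan_for_strings` does what the Strings program does to a dump file (report printable runs of four or more bytes), and `password_visible_in_image` places a password in a MemPass-style 50-byte buffer, optionally wipes it after use with `secure_wipe`, and then checks whether the scan still recovers it. All function names, the filler bytes and the sample password are assumptions made for this illustration; the wipe uses a volatile pointer so it is portable, and the platform-specific calls it stands in for are named in the comments.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASS_MAX 50   /* same buffer size as MemPass.exe */
#define MIN_RUN  4    /* strings(1) default minimum run length */

/* Count printable runs of at least MIN_RUN bytes in a memory image, the
 * way strings(1) does over a dump file. If needle and found are given,
 * *found is set to 1 when one of the runs is exactly the needle. */
size_t scan_for_strings(const unsigned char *img, size_t len,
                        const char *needle, int *found)
{
    size_t runs = 0, start = 0;
    if (found) *found = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = (i < len) && isprint(img[i]);
        if (printable) continue;            /* run keeps going */
        if (i - start >= MIN_RUN) {         /* run just ended */
            runs++;
            if (needle && found && i - start == strlen(needle)
                && memcmp(img + start, needle, i - start) == 0)
                *found = 1;
        }
        start = i + 1;
    }
    return runs;
}

/* Zero a buffer in a way the optimizer cannot drop as a dead store.
 * On Windows the equivalent is SecureZeroMemory(); on glibc >= 2.25 it
 * is explicit_bzero(); a plain memset() before return may be elided. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constructed stand-in for the memory region Pmdump would capture: a
 * MemPass-style buffer surrounded by non-printable filler. Returns 1 if
 * a strings-style scan of the image recovers `password`. */
int password_visible_in_image(const char *password, int wipe_after_use)
{
    unsigned char image[16 + PASS_MAX + 16];
    memset(image, 0x01, sizeof image);      /* constructed filler bytes */
    char *buffer = (char *)image + 16;

    /* what scanf("%49s", buffer) leaves behind in MemPass.exe */
    strncpy(buffer, password, PASS_MAX - 1);
    buffer[PASS_MAX - 1] = '\0';

    /* ... the application would authenticate with the password here ... */

    if (wipe_after_use)
        secure_wipe(buffer, PASS_MAX);      /* the mitigation: clear it as soon as it is no longer needed */

    int found;
    scan_for_strings(image, sizeof image, password, &found);
    return found;
}

int main(void)
{
    const char *sample = "hunter2!";        /* constructed sample password */
    printf("password recoverable without wipe: %d\n",
           password_visible_in_image(sample, 0));
    printf("password recoverable after wipe:   %d\n",
           password_visible_in_image(sample, 1));
    return 0;
}
```

Wiping is the minimum defence the closing paragraph asks for: it shrinks the window during which a dump contains the secret to the moments it is actually in use. Keeping the secret encrypted in RAM and decrypting only transiently closes the window further, but the decrypted copy must then also be wiped the same way.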
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.