Hardcoded credentials occur when sensitive credentials, such as usernames, passwords, API keys, or cryptographic keys, are embedded directly into the source code or configuration files of an application. These credentials are often stored in plaintext, making them easily accessible to anyone who can view or obtain the source code (or the compiled binary) of the application.
An adversary can leverage hardcoded credentials to escalate to elevated privileges.
- Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
  mkdir "C:\Program Files\CustomDotNetApp\"
- Download the file CustomDotNetApp.exe to the 'C:\Program Files\CustomDotNetApp' directory.
- Install the new service:
  New-Service -Name "Custom Dot Net Service" -BinaryPathName "C:\Program Files\CustomDotNetApp\CustomDotNetApp.exe" -DisplayName "Custom .NET Service" -Description "My Custom .NET Service" -StartupType Automatic
Outcome:
- Verify the new service (services.msc):
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Custom Dot Net Service"
To set up the lab with the 'Hardcoded Credentials (.NET App)' scenario, use the custom PowerShell script named HardcodedCredentialsDotNetApp.ps1.
Open a PowerShell with local Administrator privileges and run the script:
.\HardcodedCredentialsDotNetApp.ps1
Outcome:
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Custom Dot Net Service"
- Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
  mkdir "C:\Program Files\CustomJavaApp\"
- Download the file CustomJavaApp.jar to the 'C:\Program Files\CustomJavaApp' directory.
- Install the new service:
  New-Service -Name "Custom Java Service" -BinaryPathName "C:\Program Files\CustomJavaApp\CustomJavaApp.jar" -DisplayName "Custom Java Service" -Description "My Custom Java Service" -StartupType Automatic
Outcome:
- Verify the new service (services.msc):
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Custom Java Service"
To set up the lab with the 'Hardcoded Credentials (Java App)' scenario, use the custom PowerShell script named HardcodedCredentialsJavaApp.ps1.
Open a PowerShell with local Administrator privileges and run the script:
.\HardcodedCredentialsJavaApp.ps1
Outcome:
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Custom Java Service"
ℹ️ The binaries of most custom applications commonly exist in C:\Program Files\ or C:\Program Files (x86)\.
After locating the directory of a custom "corporate" binary, download it onto your attacking machine and open it in dnSpy.
Go to Assembly Explorer -> CustomDotNetApp (1.0.0.0) (Assembly) -> CustomDotNetApp.exe -> CustomDotNetApp (Namespace) -> Service1 (Class) -> Authenticate (Method).
Outcome:
After locating the directory of a custom "corporate" binary, download it onto your attacking machine and open it in JD-GUI Java Decompiler.
Go to CustomJavaApp.class (Class file) -> CustomJavaApp (Class) -> authenticate (Method).
Outcome:
Once obtained, the hardcoded credentials can be used to authenticate against several services and, if they are valid, to elevate privileges.
Some of the common services are:
- Remote Desktop Protocol (RDP)
- Windows Remote Management (WinRM) (If it is enabled)
- Server Message Block (SMB)
- Windows Management Instrumentation (WMI)
- Virtual Network Computing (VNC) (If it is enabled)
To identify a valid authentication method, you can use NetExec.
This is an example of using the SMB service to authenticate against the workstation and execute a command:
nxc smb <ip> -u <username> -p '<password>' -x whoami
Outcome:
To enhance the security of the application, it's advisable to remove hardcoded credentials from the source code. If that's not feasible, strong cryptographic ciphers should be used to encrypt the credentials rather than storing them in plaintext.
Moreover, you can apply the following measures to harden your .NET/Java application against reverse engineering:
- Obfuscate your code.
- Utilize public/private key or asymmetric encryption to generate product licenses, ensuring exclusive control over license generation. Even if the application is cracked, the key generation algorithm remains unrecoverable, preventing unauthorized license generation.
- Use a third-party packer to pack your executable into an encrypted Win32 wrapper application or write your custom packer.
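The string literals that dnSpy and JD-GUI display in the Authenticate/authenticate methods above are stored verbatim in the compiled artifact: .NET keeps them in the #US metadata heap as UTF-16LE, Java in the class constant pool as (modified) UTF-8. A defender can therefore run the same extraction as a pre-release check and fail the build when a credential-looking literal is found, which is the concrete form of "remove hardcoded credentials from the source code" above. The script below is an added example, not part of the lab scripts or of the CustomDotNetApp/CustomJavaApp binaries; the sample blobs, the credential values, the service account name and the CUSTOMAPP_DB_PASSWORD environment-variable name are all constructed for the example, and the password-shape heuristic is a generic approximation of corporate password policies, not a rule from the page.

```python
"""Pre-release check for plaintext credentials left in compiled .NET / Java artifacts.

Added example; not part of the lab scripts or the CustomDotNetApp/CustomJavaApp
binaries.  .NET keeps string literals in the #US heap as UTF-16LE and Java keeps
them in the class constant pool as (modified) UTF-8, which is exactly why dnSpy
and JD-GUI can show them verbatim.  The scan below pulls both encodings out of
the raw bytes and reports the ones that look like credentials.
"""
import re
import sys
from typing import Iterator

MIN_LEN = 6
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)          # Java constant pool, configs
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # .NET #US heap
_SYMBOLS = set("!@#$%^&*?+=-")

# Keyword-based detectors: name of the finding and the pattern that triggers it.
_CREDENTIAL_PATTERNS = [
    ("keyword assignment", re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+")),
    ("connection string", re.compile(
        r"(?i)\b(user id|uid|username)\s*=\s*[^;]+;\s*(password|pwd)\s*=\s*[^;]+")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def extract_strings(blob: bytes) -> Iterator[tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run, like `strings` does."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def looks_like_password(text: str) -> bool:
    """Bare literal with password-policy shape: 8-64 chars, no whitespace, and
    lower + upper + digit + one symbol from the set policies usually demand.
    '.', '_', '/', ':' and '\\' are not counted, so type names, paths and
    identifiers such as CustomDotNetApp.Service1 are not reported."""
    if not 8 <= len(text) <= 64 or any(c.isspace() for c in text):
        return False
    return (any(c.islower() for c in text) and any(c.isupper() for c in text)
            and any(c.isdigit() for c in text) and any(c in _SYMBOLS for c in text))


def find_hardcoded_credentials(blob: bytes) -> list[dict]:
    """Return one finding per suspicious string: offset, encoding, text, reason."""
    findings = []
    for offset, encoding, text in extract_strings(blob):
        reason = next((name for name, pat in _CREDENTIAL_PATTERNS if pat.search(text)), None)
        if reason is None and looks_like_password(text):
            reason = "password-shaped literal"
        if reason is not None:
            findings.append({"offset": offset, "encoding": encoding,
                             "text": text, "reason": reason})
    return findings


# --- constructed sample artifacts (not real binaries) ---------------------------
def _dotnet_user_strings(*literals: str) -> bytes:
    # Real #US entries are length-prefixed; a NUL pair between entries is enough here.
    return b"".join(s.encode("utf-16le") + b"\x00\x00" for s in literals)


def _java_constant_pool(*literals: str) -> bytes:
    # CONSTANT_Utf8 entry: tag 0x01, big-endian u2 length, then the bytes.
    return b"".join(b"\x01" + len(s.encode()).to_bytes(2, "big") + s.encode()
                    for s in literals)


VULNERABLE_DOTNET_BLOB = _dotnet_user_strings(
    "Custom .NET Service", "CustomDotNetApp.Service1", "svc_custom",
    "Winter2024!",                                             # constructed password
    "Server=db01;User Id=svc_custom;Password=Winter2024!;")   # constructed conn string
HARDENED_DOTNET_BLOB = _dotnet_user_strings(
    "Custom .NET Service", "CustomDotNetApp.Service1",
    "CUSTOMAPP_DB_PASSWORD",                                   # hypothetical env var name
    "Server=db01;User Id=svc_custom;")                        # secret supplied at runtime
VULNERABLE_JAVA_BLOB = _java_constant_pool(
    "CustomJavaApp", "authenticate", "P@ssw0rd123", "java/lang/String")
HARDENED_JAVA_BLOB = _java_constant_pool(
    "CustomJavaApp", "authenticate", "CUSTOMAPP_DB_PASSWORD", "java/lang/System", "getenv")


if __name__ == "__main__":
    # Usage: python check_credentials.py CustomDotNetApp.exe  (or a .class file
    # extracted from CustomJavaApp.jar); with no argument the constructed samples are scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"vulnerable .NET": VULNERABLE_DOTNET_BLOB, "hardened .NET": HARDENED_DOTNET_BLOB,
                   "vulnerable Java": VULNERABLE_JAVA_BLOB, "hardened Java": HARDENED_JAVA_BLOB}
    for label, blob in samples.items():
        hits = find_hardcoded_credentials(blob)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  0x{h['offset']:06x} [{h['encoding']}] {h['reason']}: {h['text']}")
```

Run against the constructed samples, the vulnerable .NET blob yields two findings (the bare password literal and the connection string carrying it) and the vulnerable Java blob one, while the hardened blobs, which only carry the name of the environment variable the secret is read from at runtime, yield none. A .jar is a ZIP archive, so for Java the check runs on the extracted .class files; for .NET the assembly can be scanned as-is. The heuristics are deliberately simple and will miss secrets that are neither labelled nor password-shaped, so the check complements, rather than replaces, a code review of the authentication path.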