
Monitor connections or decrypt exe

Discussion in 'C, C++, C#' started by punkstar69, Jun 30, 2016.

  1. punkstar69

    We are using a tomcart.exe that our web designers sent us in order to connect to our website's database and be able to alter products, etc.

    On our computers, we have set up an ODBC database and filled in all the necessary details (IP, port, username, etc.) but not a password. When tomcart.exe opens, it "fills in" the password there, making the connection successful.

    I was wondering if we could find this password somehow, either by monitoring active ODBC connections, by a 'keylogging' method (is it actually keylogging?), or by decoding this exe.
    We tried to go the ethical way with our web design company; however, the designer who put the password there has gone AWOL, so the password cannot be recovered.

    Please advise.
     
  2. RightFootFanatic

    You could try and analyze the traffic during the connection with a tool like Wireshark (https://www.wireshark.org/).
    If the password is sent in plain text / unencrypted, you should be able to fish it out of the traffic.

    Also check if the tool creates a folder under AppData. To open the AppData folder on Windows: Click Start button -> Run -> %appdata% -> Return
    Check in the new Explorer window if there's a folder with a name related to the tool. If so, check the files in the folder to see if something contains a password.

    // edit
    If you're managing the database server, you should be able to change that password. At least the company should be able to do that...
     
  3. punkstar69

    Unfortunately it doesn't create anything in AppData, nor can Wireshark sniff its password..
    Also, the user cannot change the password; we tried that. Any other ways of capturing it?
     
  4. b1acky

    You can often reverse engineer software using disassemblers and decompilers, though this usually requires really good programming knowledge (since the code is not even remotely as readable as the original source code). Keylogging won't work since the pass is most likely hardcoded in the exe file. There is also a chance that the app you are using is just accessing your database, so you should be able to reset your DB password at your hosting provider (bear in mind that resetting the password will most likely prevent your exe file from working, as the passwords won't match anymore).
     
  5. Gogol

    You have a few options.
    Easiest would be to sniff the packets using either Fiddler or Wireshark. I have found that Fiddler is better when listening to a particular piece of software on your machine. It can bind to a certain app if needed. You could also connect through the Fiddler proxy server and see what is happening in the log.

    The main problem with this concept, however, would be when the connection is secure. You will need to find another solution if the connection uses HTTPS, as you won't be able to install a fake certificate in the software itself.

    Debugging an app can be a PITA if you are new to it. Maybe try running it through OllyDbg and search for referenced strings. If you are lucky, you will get your stuff in there.
     
  6. punkstar69

    I did so. Also had the packets sniffed with Wireshark, but no luck at all.
    I'm assuming the password is obfuscated, encoded, etc.
     
  7. Gogol

  8. punkstar69

  9. Gogol

    Ahh, then your only option would be Wireshark, sorry.

    Did you try OllyDbg -> Search -> All referenced strings?
     
  10. punkstar69

    Just did. Unfortunately, nothing.
     
  11. Gogol

    If you PM me the program, I can have a look for free :)
     
  12. punkstar69

    Lots of thanks in advance. Just PMed ya.
     
  13. Kabone

    What about IDA Pro? I may also be able to help if you need it :)
     
  14. punkstar69

    I had a close friend of mine test IDA Pro, with no luck.
     
  15. Kabone

    Ahh okay, well if Gogol can't help, shoot me a msg. I am confident I can get in.
     
  16. TheVegan

    I'm not sure what this tomcart.exe is, but anyway, if you got it from the designers (which is weird, seems like a developer thing?), they should be able to give you the source of the .exe file; there you can find any hard-coded values.. If not, that could be suspicious, if they don't want to show you the source...
     
  17. Kabone

    Did you see that they have gone AWOL? Hence why he can't get in..
     
  18. punkstar69

    Exactly. Such an unprofessional move.. Anyway.
    The good thing is that we can still work on the database via this tool.
    The bad thing is that we have limited access. We cannot change passwords, etc.

    Thanks for your willingness, Kabone. I've already PMed Gogol & have been crossing my fingers hehe. Will let you know.
     
  19. CakeLord

    Sometimes it can be as simple as dumping the memory after the program has performed its actions and inspecting it with something like HxD. In any case, if it's just entering the password, then you could post it here and hope someone takes a look at it.
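    The thread's two static approaches (OllyDbg's referenced-strings search in post 5, a raw memory dump in post 19) share a failure mode: a narrow ASCII search misses UTF-16LE strings, which is how many Windows programs store their text. The check below is an added example, not code from the thread or from tomcart.exe, for the defender-side use of this technique: scanning a build artifact or a dump for ODBC-style connection strings that carry UID/PWD keys in either encoding before a client is shipped. The sample buffer and every value in it are constructed for the example.

```python
import re

# Constructed sample of what a PE image or memory dump might contain
# (made up for this example, not taken from tomcart.exe). It holds an
# ASCII ODBC connection string and a UTF-16LE one that an ASCII-only
# "referenced strings" search would not show.
SAMPLE = (
    b"\x00\x00MZ\x90\x00PE\x00\x00"
    + b"DSN=shopdb;UID=tomcart;PWD=s3cretExample!;\x00"
    + b"\xff\xfe"
    + "Driver={SQL Server};Server=db.example;Password=wideExample;".encode("utf-16-le")
    + b"\x00\x00junk\x01\x02"
)

# Runs of 6+ printable characters, narrow (ASCII) and wide (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# ODBC / ADO connection-string keys that carry credentials (case-insensitive).
CRED_KEY_RE = re.compile(r"(?:^|;)\s*(?:PWD|Password|UID|User\s*ID)\s*=", re.I)


def extract_strings(buf: bytes):
    """Return (offset, encoding, text) tuples for ASCII and UTF-16LE runs in buf."""
    found = []
    for m in ASCII_RE.finditer(buf):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(buf):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_credential_strings(buf: bytes):
    """Only the strings that look like connection strings carrying UID/PWD keys."""
    return [s for s in extract_strings(buf) if CRED_KEY_RE.search(s[2])]


if __name__ == "__main__":
    # Against a real file: find_credential_strings(open(path, "rb").read())
    for off, enc, text in find_credential_strings(SAMPLE):
        print(f"0x{off:06x} {enc:8} {text}")
```

    A hit here means the credential is recoverable by anyone holding the binary, which is the reason the fix is to issue per-user database accounts rather than to keep a shared password inside the client.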