How to manage passwords in Java if you want to be hacked.

It is often believed that certain programming languages are safer than others. To some extent this may be true, but I would dare to say that the language accounts for only about 10% of the cases; the other 90% is due to poor software architecture and bad programmers.

Today I’m going to break a myth: a lot of newbie programmers, and old ones too, think that Java is safe and that you can store information in the program’s memory and it will stay safe (no joke, I have seen this in production in the software of big companies).

To start, we will create a toy program, TheAuthenticator:

// Authenticator.java
package com.donhk;

public class Authenticator {
    private final String userName;
    private final String password;

    Authenticator(String userName, char[] password) {
        this.userName = userName;
        // The deliberate mistake: the char[] returned by readPassword is copied
        // into an immutable String, which cannot be wiped and stays on the heap
        // until the garbage collector gets to it.
        this.password = new String(password);
    }

    public boolean authenticate() {
        // some complex authentication method
        return userName.compareTo("admin") == 0 && password.compareTo("joke") == 0;
    }
}

// Main.java
package com.donhk;

import java.io.Console;
import java.util.concurrent.TimeUnit;

public class Main {
    public static void main(String[] args) throws InterruptedException {
        final Console console = System.console();
        if (console == null) {
            // System.console() returns null when no terminal is attached (e.g. run from an IDE)
            System.err.println("No console available; run this from a terminal");
            return;
        }
        while (!Thread.currentThread().isInterrupted()) {
            final Authenticator authenticator = new Authenticator(
                    console.readLine("user: "),
                    console.readPassword("pass: ")
            );
            if (authenticator.authenticate()) {
                System.out.println("\u2764");
            } else {
                System.out.println("\uD83D\uDC94");
            }
            // Keep the process (and with it the password String) alive
            TimeUnit.MINUTES.sleep(5);
        }
    }
}

Next, we will package it as a jar and run it as if it were a real application.

Once we can run the application, it is time to learn about some tools that ship with the JDK.

Every JDK installation contains, besides the famous java and javac binaries that we use to run and compile Java programs, the jmap and jhat tools. They are typically used to debug your own software, but they can also be used to audit other people’s software.

In this example we assume there are two people involved: person A, who is running the app, and person B, the attacker.

Person A starts the application and logs in to the service.

Now the attacker needs to identify the PID of the Java process and run jmap against it to take a heap dump.

From here on it does not matter whether the application keeps running: we already have a snapshot of its memory, and we can point jhat at the dump.

Notice that I’m using JDK 8. Why? The jhat utility was removed in Java 9. Besides using an old version, you can also audit the dump using VisualVM.
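For contrast, here is a hardened counterpart of the Authenticator above. This is an added example, not code from the original post: the password is never turned into a String, the char[] that readPassword returns is zeroed as soon as it has been used, and the check is made against a stored PBKDF2 hash instead of a plaintext literal, so a heap dump of the running process holds neither the typed password nor the expected one. The class name SafeAuthenticator, the demo salt and the demo credentials are assumptions made for this example.

```java
package com.donhk;

import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hardened counterpart of Authenticator (added example): no String is ever
// created from the password, the char[] is wiped right after use, and the
// comparison is against a stored PBKDF2 hash rather than a plaintext literal.
public final class SafeAuthenticator {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private final String expectedUser;
    private final byte[] salt;
    private final byte[] expectedHash;

    // In a real deployment the salt and hash are loaded from the user store.
    SafeAuthenticator(String expectedUser, byte[] salt, byte[] expectedHash) {
        this.expectedUser = expectedUser;
        this.salt = salt.clone();
        this.expectedHash = expectedHash.clone();
    }

    // PBEKeySpec accepts a char[] directly, so the password never becomes a String.
    static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword(); // wipes the private copy PBEKeySpec made of the char[]
        }
    }

    // Consumes the password: the caller's array is zeroed before this returns,
    // whether or not authentication succeeded.
    boolean authenticate(String user, char[] password) {
        try {
            byte[] actual = pbkdf2(password, salt);
            // MessageDigest.isEqual runs in constant time; String.compareTo does not.
            boolean userOk = MessageDigest.isEqual(
                    user.getBytes(StandardCharsets.UTF_8),
                    expectedUser.getBytes(StandardCharsets.UTF_8));
            boolean passOk = MessageDigest.isEqual(actual, expectedHash);
            Arrays.fill(actual, (byte) 0);
            return userOk & passOk; // non-short-circuit: both checks always run
        } finally {
            Arrays.fill(password, '\0'); // caller's copy is gone from the heap
        }
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("No console available; run this from a terminal");
            return;
        }
        // Constructed demo credentials: the stored hash is derived once at
        // startup from a char[] (not a String literal) and that array is wiped
        // too. In production the hash and a random per-user salt come from the
        // database, never from source code.
        byte[] demoSalt = "demo-salt-16byte".getBytes(StandardCharsets.UTF_8);
        char[] demoPassword = {'j', 'o', 'k', 'e'};
        SafeAuthenticator auth =
                new SafeAuthenticator("admin", demoSalt, pbkdf2(demoPassword, demoSalt));
        Arrays.fill(demoPassword, '\0');

        String user = console.readLine("user: ");
        char[] pass = console.readPassword("pass: "); // char[] for exactly this reason
        boolean ok = auth.authenticate(user, pass);
        // pass now contains only '\0'; a heap dump taken here shows no plaintext
        System.out.println(ok ? "\u2764" : "\uD83D\uDC94");
    }
}
```

Two caveats go with this. Zeroing a char[] is best effort: the JIT or a copying garbage collector may already have duplicated the array before it was wiped, and APIs you do not control (GUI text fields, web frameworks) often hand you the password as a String anyway, so the stronger guarantee comes from the second half of the change: never keeping a plaintext expected value in memory at all. A dump still exposes the salt and the PBKDF2 hash, which is why a slow, salted hash is used rather than a plain digest.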
