homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. Part 2: Quick and Useful Tricks for Analyzing Binaries for Pen Testers
Yori Kvitchko

Part 2: Quick and Useful Tricks for Analyzing Binaries for Pen Testers

May 16, 2013

[Editor's Note: In his previous blog post, Yori Kvitchko provided a bunch of tips penetration testers could use to analyze binary files, focusing on network communications. This time around, Yori looks at application data files, a hugely important source of information that could include passwords, hashes, or other sensitive stuff leaking out of an application. The techniques Yori describes here are some important building blocks for all pen testers to apply to the applications we analyze. -Ed.]

This blog post is the second in a series of three blog posts dedicated to quick and useful techniques for analyzing binaries. In my first post, I talked about how penetration testers and other analysts can find and isolate network traffic generated by a binary. This time we'll look at pillaging the various data files that binaries and applications leave lying around. Our focus will again be on the Windows side of things, as that's where we often find the juiciest applications to analyze, including client-side software and internal tools.

In Windows, application data files are often placed in the AppData folder. This folder, specific to each user, can be a gold mine of information about installed applications. Located in each users' home directory, AppData (Application Data on Windows XP) can be accessed using the %AppData% environment variable, as in "dir /a %AppData%" (I put in the /a after the dir command to show folders with any combination of attributes; sometimes items in the AppData directory have a hidden attribute, so we want to see all them with dir /a).

Here are some useful files to keep an eye out for:

  • History, Cache and Temporary Files - The prime example here is anything related to a web browser. Many applications take advantage of Internet Explorer for browser windows inside of the application, so IE cache and temporary files can prove insightful about the activities of the user and may hold sensitive, leaked information.
  • Configuration Files - Anything from IP addresses to passwords might turn up here.
  • Saved Data Files - If the application in question has a saved data file format, these saved data files can often contain useful information in the data as well as the meta-data.

To analyze these application files, as well as any files found in the application's main directory, we can employ a number of different techniques. First and foremost, our good friend, the strings command, proves to be just as useful in analyzing data files as it is on binary files. Be on the lookout for the same type of data we talked about in the first blog post, URLs and IP addresses especially. Strings is freely downloadable for Windows from Microsoft Sysinternals. It's also worthwhile noting that the Sysinternals strings looks for both ASCII and Unicode strings by default, returning sequences of three characters or more in length.

Once we have some files on our hands, and we've done some cursory analysis with strings, we've likely either encountered a cleartext ASCII file (XML is especially common!) or we have a binary data file on our hands. If that's the case, we have two easy-to-use sources of information to help us identify the type of file. The file extension itself (such as .asc, .xml, or .docx) and the Linux "file" command. The file command can also be downloaded for Windows from GnuWin32. We can use it as follows:

$ file data.ext

data.ext; gzip compressed data, from Unix, last modified: Mon Mar 11 14:35:58 2013

Let's take a look at some of the more common data file formats we run into and how to extract data from them.

  • zip/tar/gzip - Decompress with the zip program of your choice. These files usually contain another data file inside. Many data formats are actually zip files in disguise. It's always worth trying to rename a file to ".zip" and try to unzip it just to check.
  • plist - Property list files used by Mac OS X and iOS. These files are especially useful when analyzing a mobile app. You can use a tool like plist Editor (http://www.icopybot.com/plist-editor.htm) to view the contents of the file.
  • sqlite - Sqlite databases are sometimes used for local data storage (as in Firefox and many mobile applications). Use SQLiteSpy (http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index) or the Linux tool sqlite3 to view the contents of the database.
  • swf - Not exactly a data file format, but swftools (http://www.swftools.org/) does a great job of extracting images, sound, video, and even source code from SWF Flash files.
  • General Metadata - For general metadata, not specific to any file type, use ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) to see all metadata attached to a file. Images and documents are especially good sources for valuable metadata.
  • File System Images - Although not strictly a data file created by applications, we as security practitioners often have the need to work with file system images and some developers can occasionally get pretty crafty. Check out AccessData's FTK Imager (http://www.accessdata.com/support/product-downloads) for mounting all manner of file systems.

If the file format isn't in the above list, Google is a great resource for finding tools to analyze specific file types. If all else fails, see if a local installation of the application that created the file can be used to read it and extract its data. A great example of this would be copying a Firefox profile locally and importing into a local Firefox installation to view cookies and history.

In our next (and last) installment of this blog post series, we will look at some simple techniques for decompiling executables and DLLs to give us that last bit of insight we might need. After all, what could be more juicy when analyzing a binary than being able to peer right at the source? Until then... signing off —

-Yori Kvitchko
Counter Hack

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Penetration Testing and Ethical Hacking

Related Content

Blog
shutterstock_733632979_370x208.jpg
Penetration Testing and Ethical Hacking
February 18, 2021
Python Tasks: Counting IP Addresses
When scoping a penetration test, it's common that I'll receive a list of target IP addresses in use. Sometimes this is in the form of CIDR masks...
370x370_Joshua-Wright.jpg
Joshua Wright
read more
Blog
Penetration Testing and Ethical Hacking
February 4, 2021
Stack Canaries – Gingerly Sidestepping the Cage
Stack canaries or security cookies are tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks. If an incorrect canary is detected during certain stages of the execution flow, such as right before a return (RET),...
370x370_Michiel-Lemmens.jpg
Michiel Lemmens
read more
Blog
SUMMIT_Free_SANS_2021_Summits_Teaser.jpg
Digital Forensics and Incident Response, Cyber Defense Essentials, Industrial Control Systems Security, Purple Team, Blue Team Operations, Penetration Testing and Ethical Hacking, Cloud Security, Security Management, Legal, and Audit
November 30, 2020
Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
They’re virtual. They’re global. They’re free.
Emily Blades
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters
  • The Critical Security Controls
  • Focus Areas
  • Blue Team Operations
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2021 SANS™ Institute
  • Privacy Policy
  • Contact
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn