Recover a (forgotten) password in a process memory
Today, I managed to forget a password, but I had an Icedove (Thunderbird) process running that contained the password.
The first thing to do is to take a core dump of the process:
# I don't want other people to read my core dump:
umask 077
# I don't want my core dump to be written on disk, let's go on a tmpfs:
cd /tmp
gcore -o core $(pgrep icedove)
The basic idea is to use strings to extract all the strings in the core dump and filter out as many entries as possible. You start with:
strings core | uniq | less
and add filters in the pipeline to remove as many entries as possible.
I ended up with something similar to this:
strings core.2169 |
# Remove some useless stuff:
grep -v ZZZ | grep -v /usr | grep -v /lib | grep -v /bin |
# Add constraints on the characters used in the password:
grep '[0-9]' | grep '[a-z]' | grep '[A-Z]' |
# Add constraints on the length of the password:
grep -Ev '.{20}' | grep -E '.{5}' |
# Let's look at what is left:
uniq | less
There were still more than 36000 entries, but I searched for a password that I remembered and the forgotten password was a few lines away from the other one. 😊
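The same filtering with the last step automated, as an added example that is not part of the original post: it prints only the candidates within a few lines of a password you still remember. The function names, the KNOWN environment variable and the sample dump are assumptions made for illustration; KNOWN is read from the environment so the remembered password never appears in a command's argument list.

```shell
#!/bin/sh
# Added example; function names and the KNOWN variable are hypothetical.

# make_sample FILE: write a constructed fake "dump" (NUL-separated strings).
make_sample() {
    printf 'ZZZnoise1A\000/usr/lib/x1Aa\000Filler1aB\000OldPass1x\000NewSecret9z\000tiny\000ThisIsAVeryLongString123456\000Other7Qq\000' > "$1"
}

# candidates CORE: the filters from the post, keeping the dump order.
candidates() {
    strings "$1" |
    # Remove some useless stuff:
    grep -v -e ZZZ -e /usr -e /lib -e /bin |
    # Character classes expected in the password (quoted to avoid globbing):
    grep '[0-9]' | grep '[a-z]' | grep '[A-Z]' |
    # Length between 5 and 19 characters:
    grep -Ev '.{20}' | grep -E '.{5}' |
    uniq
}

# near_known CORE [N]: print the candidates at most N lines (default 5)
# away from any line containing the remembered password in $KNOWN.
near_known() {
    candidates "$1" | KNOWN=$KNOWN awk -v n="${2:-5}" '
        BEGIN { k = ENVIRON["KNOWN"] }
        { line[NR] = $0 }
        # Mark the window around every occurrence of the known password.
        k != "" && index($0, k) { for (i = NR - n; i <= NR + n; i++) keep[i] = 1 }
        END { for (i = 1; i <= NR; i++) if (i in keep) print line[i] }'
}
```

Typical use is to type the remembered password at a silent prompt (read -r KNOWN after stty -echo) and then run near_known core.2169 10.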
Don't forget to remove (or shred) the core file:
rm core.2169