Git_gal

Reputation: 1969

Recover DB password stored in my DBeaver connection

I forgot the password of a dev instance (irresponsible... yeah, I am working on it). I have the connection saved in my DBeaver with the password. I am still able to connect using that connection. DBeaver is not showing it in plain text. Is there any way I can retrieve the password? Asking the DBA to reset the password is the last resort. I tried to copy and paste it into a notepad, but copying is apparently disabled.

Upvotes: 195

Views: 204703

Answers (9)

so-random-dude

Reputation: 16545

For newer DBeaver (6.1.3+)

The credential file is located at ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json (I was on Mac). I put together a JavaScript function here https://www.bugdays.com/dbeaver-password-decrypter to decrypt it. Go there and select the credentials-config.json file; bugdays will decrypt it and display it. It's purely client-side, there is no server uploading (however, it's a risky practice).

Pre-DBeaver 6.1.3

Follow these steps (my DBeaver version was 3.5.8 and it was on Mac OS X El Capitan):

  1. Locate the file in which DBeaver stores the connection details. For me, it was in this location: ~/.dbeaver/General/.dbeaver-data-sources.xml. This file is hidden, so keep that in mind when you look for it.
  2. Locate the Datasource Definition node you are interested in in that file.
  3. Decrypt the password: unfortunately, everything is in plain text except the password; the password is in some kind of encrypted form. Decrypt it to plain text using this tool.

Original Answer

I put together a quick and dirty Java program by copying the core of DBeaver's method for decrypting the password. Once you have the encrypted password string, just execute this program; it will convert the password to plain text and print it.

How to run it

On line number 13, just replace OwEKLE4jpQ== with whatever encrypted password you find in the .dbeaver-data-sources.xml file for the datasource you are interested in. Compile it and run it; it will print the plain-text password.

https://github.com/jaisonpjohn/dbeaver-password-retriever/blob/master/SimpleStringEncrypter.java

Apparently, this is a "popular" mistake, so I have deployed an AWS Lambda function with the aforementioned code. Use this at your own risk; you will never know whether I am logging your password or not.

curl https://lmqm83ysii.execute-api.us-west-2.amazonaws.com/prod/dbeaver-password-decrypter \
-X POST --data "OwEKLE4jpQ=="

Even better, here is the UI: https://bugdays.com/dbeaver-password-decrypter. It goes without saying: use this at your own risk.

Upvotes: 279

TalESid

Reputation: 2524

This is the command to get the decrypted version of dbeaver credentials file on your desired destination path:

openssl aes-128-cbc -d \
-K babb4a9f774ab853c96c2d653dfe544a \
-iv 00000000000000000000000000000000 \
-in {path for the encrypted credentials file} > \
{your desired destination file}
  • {your desired destination file} e.g. ~/Desktop/dbeaver-credentials.json

You'll find the dbeaver-credentials.json file on the Desktop. But this file will have a list of only usernames and passwords with some connection stanza (like mysql5-17be86ca5ea-294e2a427af47fc4). No db or server names will be there. You have to find the connection against the object id.


For Ubuntu snap package dbeaver-ce,

  • {path for the encrypted credentials file} = ~/snap/dbeaver-ce/current/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

Upvotes: 15

Fiach Reid

Reputation: 7069

For Windows users (Tested Version 7.3.4, also tested 22.2.3)

Press File > Export > DBeaver > Project

Change the name of the export file to .zip, and unzip

Download OpenSSL, and copy \projects\General\.dbeaver\credentials-config.json into the same folder as the bin directory of openssl

Then run:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "credentials-config.json"

If you have WSL installed, this command can also be run from a Linux install with openssl available (which openssl) from any directory within the Linux install (Tested with Ubuntu on WSL2 copied file to \\wsl$\Ubuntu\home\me\dbeaver\credentials).

It will output to the terminal by default; if you need it in a file, add > chosen_filename.json to the command.

Upvotes: 82

lewis4u

Reputation: 15067

For Linux OS users, run this in Terminal:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "path_to/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

Just replace the string "path_to/credentials-config.json" with your actual path to that file and you'll get something like this:

{"mysql8-17e009389a8-5fc414bd64e183f4":{"#connection":{"user":"root","password":"root"}},"mysql8-18099236fdf-3c3fc761c6fdde":{"#connection":{"user":"user.name","password":"your_secret_password"},"network/ssh_tunnel":{"user":"sql","jumpServer0.password":""}}}%

Upvotes: 14

rogerdpack

Reputation: 66881

For DBeaver 6.1.3+ the creds are stored in a "json" file now with different encryption.

This seemed to do the job for me:

import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;

public class DecryptDbeaver {

  // from the DBeaver source 8/23/19 https://github.com/dbeaver/dbeaver/blob/57cec8ddfdbbf311261ebd0c7f957fdcd80a085f/plugins/org.jkiss.dbeaver.model/src/org/jkiss/dbeaver/model/impl/app/DefaultSecureStorage.java#L31
  private static final byte[] LOCAL_KEY_CACHE = new byte[] { -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74 };

  static String decrypt(byte[] contents) throws InvalidAlgorithmParameterException, InvalidKeyException, IOException, NoSuchPaddingException, NoSuchAlgorithmException {
    try (InputStream byteStream = new ByteArrayInputStream(contents)) {
      byte[] fileIv = new byte[16];
      byteStream.read(fileIv);
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
      SecretKey aes = new SecretKeySpec(LOCAL_KEY_CACHE, "AES");
      cipher.init(Cipher.DECRYPT_MODE, aes, new IvParameterSpec(fileIv));
      try (CipherInputStream cipherIn = new CipherInputStream(byteStream, cipher)) {
        return inputStreamToString(cipherIn);
      }
    }
  }

  static String inputStreamToString(java.io.InputStream is) {
    java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("syntax: param1: full path to your credentials-config.json file");
      System.exit(1);
    }
    System.out.println(decrypt(Files.readAllBytes(Paths.get(args[0]))));
  }

}

Pass it the path of your credentials-config.json file on the local filesystem; for me it was

 Compile it
 $ javac DecryptDbeaver.java
 Now run it [adjust the paths to target your credentials-config.json file]
 $ java DecryptDbeaver ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json
 Or if java 11+:
 $ java DecryptDbeaver.java ~/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json

It will output to the console the user+pass for connections.

{"postgres-jdbc-some-id":{"#connection":{"user":"your_user_name","password":"your_password"...

If you don't recognize which password goes to which DB based on username, you must cross link the id names it also outputs initially to the sibling data-sources.json file (which should already be present and unencrypted and contains database coordinates).

Upvotes: 84
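Two answers on this page note that the decrypted file holds only connection ids, which have to be matched against data-sources.json. A sketch of that cross-link, added here as an example and not code from any answer: it lists which connections hold a saved secret without echoing the secret. The sample data is constructed, and the `connections`/`configuration`/`host`/`database` layout of data-sources.json is an assumption.

```python
import json

# Constructed sample in the credentials shape shown on this page. The 16 leading
# bytes stand in for the junk block left by a zero-IV decrypt that skips nothing.
SAMPLE_CREDS = b"\x8f" * 16 + json.dumps({
    "mysql8-17e009389a8-5fc414bd64e183f4": {"#connection": {"user": "root", "password": "root"}},
    "mysql8-18099236fdf-3c3fc761c6fdde": {
        "#connection": {"user": "user.name", "password": "your_secret_password"},
        "network/ssh_tunnel": {"user": "sql", "jumpServer0.password": ""}},
    "postgres-jdbc-0000-orphan": {"#connection": {"user": "old", "password": "x"}},
}).encode()

# Constructed data-sources.json; its layout and key names are assumptions.
SAMPLE_SOURCES = json.dumps({"connections": {
    "mysql8-17e009389a8-5fc414bd64e183f4": {
        "name": "local dev", "configuration": {"host": "localhost", "database": "app"}},
    "mysql8-18099236fdf-3c3fc761c6fdde": {
        "name": "staging", "configuration": {"host": "db.example.internal", "database": "orders"}},
}})


def load_decrypted(raw: bytes) -> dict:
    """Parse decrypted credentials, tolerating the 16-byte junk prefix."""
    try:
        return json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return json.loads(raw[16:])


def cross_link(creds_raw: bytes, sources_text: str) -> list:
    """One row per saved secret: id, name, host, database, section, user, field."""
    connections = json.loads(sources_text).get("connections", {})
    rows = []
    for conn_id, sections in sorted(load_decrypted(creds_raw).items()):
        meta = connections.get(conn_id, {})  # unmatched ids are reported as orphans
        cfg = meta.get("configuration", {})
        for section, fields in sections.items():
            for key, value in fields.items():
                if "password" in key.lower() and value:  # skip empty placeholders
                    rows.append({"id": conn_id, "name": meta.get("name", "<no data source>"),
                                 "host": cfg.get("host"), "database": cfg.get("database"),
                                 "section": section, "user": fields.get("user"), "field": key})
    return rows


if __name__ == "__main__":
    for row in cross_link(SAMPLE_CREDS, SAMPLE_SOURCES):
        print(row)  # the password value itself is deliberately not echoed
```
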

geekyouth

Reputation: 350

Look at this:

docker run -d -p 18080:8080 --name crack-dbeaver-password-18080 geekyouth/crack-dbeaver-password

https://github.com/geekyouth/crack-dbeaver-password

Upvotes: 3

Madhu Uppu

Reputation: 1

If you don't want all the saved connections:

Just remove the --\DBeaverData\workspace6\General folder from the file system so that it cannot ask for any password again, and the workspace data will be lost.

You will lose all the custom settings and preferences.

Upvotes: -5

Tatsh

Reputation: 3730

This can be done with OpenSSL:

openssl aes-128-cbc -d \
  -K babb4a9f774ab853c96c2d653dfe544a \
  -iv 00000000000000000000000000000000 \
  -in credentials-config.json | \
  dd bs=1 skip=16 2>/dev/null

Example for macOS in one line:

openssl aes-128-cbc -d -K babb4a9f774ab853c96c2d653dfe544a -iv 00000000000000000000000000000000 -in "${HOME}/Library/DBeaverData/workspace6/General/.dbeaver/credentials-config.json" | dd bs=1 skip=16 2>/dev/null

For Linux, change the above path to ~/.local/share/DBeaverData/workspace6/General/.dbeaver/credentials-config.json.

The key is from the source and is converted to hexadecimal. This can be done in Python:

>>> import struct
>>> struct.pack('<16b', -70, -69, 74, -97, 119, 74, -72, 83, -55, 108, 45, 101, 61, -2, 84, 74).hex()
'babb4a9f774ab853c96c2d653dfe544a'

Edit: I've published the script for this here.

Upvotes: 293

kedar

Reputation: 51

If there is a package declaration, just compile with javac -d . SimpleStringEncrypter.java; it will put it in the correct directory structure under the current directory. Then you can give java -cp . packagename.SimpleStringEncrypter and it will run. Basic Java.

Anyway this program is fantastic and saved a lot of time for me.

Upvotes: 4
