Re: SQL Server 7 question

From: wojtekdat_private
Date: Wed Jul 11 2001 - 01:07:36 PDT

Next message: INA (V. Brahmanandam): "RVP (RezendeVous Protocol)"

Previous message: Erik Nodland: "RE: Re: spoofing 255.255.255.255 techniques"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 10, 2001 at 06:13:22PM +0200, Talha, Sebastien wrote:
> very cool, thanks.
> Loks.
>

Hmmm....
Regarding previous post by Aaron C. Newman (aaron@newman-family.com):
> There's really no way to decrypt it - it's a one way hash.

I'm not sure if my post will help in your case.
Maybe MS-SQL7 uses different method of storing the password internaly
(for example one-way hash) an different for sending it via network?

Could somebody check it out ?

If you will use the decrypting  procedure from dsniff (or actualy from freetds)
with success, please report it to pen-test.

> -----Original Message-----
> From: wojtekdat_private [mailto:wojtekdat_private]
> Sent: Tuesday, July 10, 2001 9:23 AM
> To: pen-testat_private
> Subject: Re: SQL Server 7 question
> 
> 
> On Mon, Jul 09, 2001 at 04:34:57PM +0200, Talha, Sebastien wrote:
> > Hey All,
> > 
> > I've a user account + hashed password of an SQL Server 7 account and would
> > like to decrypt that password: do you know any tool or method to do so ???
> > thanks in advance.
> > loks
> > 
> > 
> 
> MS-SQL server 7 uses TDS (Tabular Data Stream) protocol as transport.
> (This same protocol is used by Sybase).
> TDS7 uses very weak way of securing the passwords.
> For example dsniff-2.4 understands TDS7 traffic and could decrypt it.
> You can find alghoritm for decrypting the passwords in dsniff source
> file: decode_tds.c
> Code responsile for decrypting SQL7 passwords is:
> 
> static void
> tds7_decrypt(u_char *buf, int len)
> {
>         int i;
>         
>         for (i = 0; i < len; i++) {
>                 buf[i] = ((buf[i] << 4) | (buf[i] >> 4)) ^ 0x5a;
>         }
>         buf[i] = '\0';
> }
> 
> So it's REALY simple ;)
> 
> More info about TDS protocol, you will find at: www.freetds.org
>

___
Wojtek Dworakowski - ABA, Security & Consulting
wojtekdat_private - http://www.aba.krakow.pl/security
tel. +48 12 4158781, fax. +48 12 4158783

 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: INA (V. Brahmanandam): "RVP (RezendeVous Protocol)"
Previous message: Erik Nodland: "RE: Re: spoofing 255.255.255.255 techniques"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 15:52:58 PDT