Penetration Testing
mailing list archives
Re: SQL Server 7 question
From: wojtekd () aba krakow pl
Date: Wed, 11 Jul 2001 10:07:36 +0200
On Tue, Jul 10, 2001 at 06:13:22PM +0200, Talha, Sebastien wrote:
very cool, thanks.
Loks.
Hmmm....
Regarding previous post by Aaron C. Newman (aaron () newman-family com):
There's really no way to decrypt it - it's a one way hash.
I'm not sure if my post will help in your case.
Maybe MS-SQL7 uses a different method of storing the password internally
(for example a one-way hash) and a different one for sending it via the network?
Could somebody check it out?
If you use the decrypting procedure from dsniff (or actually from freetds)
with success, please report it to pen-test.
-----Original Message-----
From: wojtekd () aba krakow pl [mailto:wojtekd () aba krakow pl]
Sent: Tuesday, July 10, 2001 9:23 AM
To: pen-test () securityfocus com
Subject: Re: SQL Server 7 question
On Mon, Jul 09, 2001 at 04:34:57PM +0200, Talha, Sebastien wrote:
Hey All,
I've a user account + hashed password of an SQL Server 7 account and would
like to decrypt that password: do you know any tool or method to do so ???
thanks in advance.
loks
MS-SQL server 7 uses TDS (Tabular Data Stream) protocol as transport.
(This same protocol is used by Sybase).
TDS7 uses a very weak way of securing the passwords.
For example, dsniff-2.4 understands TDS7 traffic and can decrypt it.
You can find the algorithm for decrypting the passwords in the dsniff source
file: decode_tds.c
The code responsible for decrypting SQL7 passwords is:
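#include <sys/types.h>    /* u_char */

/* Reverses the TDS7 login password encoding in place.
 * buf must have room for len + 1 bytes: a terminator is written at buf[len]. */
static void
tds7_decrypt(u_char *buf, int len)
{
    int i;

    for (i = 0; i < len; i++) {
        /* swap the two nibbles of the byte, then XOR with 0x5a */
        buf[i] = ((buf[i] << 4) | (buf[i] >> 4)) ^ 0x5a;
    }
    buf[i] = '\0';
}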
So it's REALLY simple ;)
You will find more info about the TDS protocol at: www.freetds.org
___
Wojtek Dworakowski - ABA, Security & Consulting
wojtekd () aba krakow pl - http://www.aba.krakow.pl/security
tel. +48 12 4158781, fax. +48 12 4158783
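
Added example, not part of the original post and not dsniff or FreeTDS code: a round trip through the TDS7 login encoding, showing that it is a keyless byte transform (so the password is effectively cleartext on an unencrypted connection), plus a heuristic for auditing captured traffic. The function names, the ASCII-only password assumption and the sample password are constructed for illustration; the password field is treated as UCS-2LE, which is how TDS7 logins carry it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nibble swap plus a fixed XOR constant: no key or secret is involved. */
static uint8_t swap_xor(uint8_t b, uint8_t k)
{
    return (uint8_t)(((b << 4) | (b >> 4)) ^ k);
}

/* Sender side (hypothetical name): ASCII password -> UCS-2LE -> wire bytes. */
size_t tds7_encode(const char *pw, uint8_t *out)
{
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = swap_xor((uint8_t)pw[i], 0xA5);
        out[2 * i + 1] = swap_xor(0x00, 0xA5);  /* UCS-2 high byte */
    }
    return 2 * n;
}

/* Same arithmetic as the quoted routine, without the write at buf[len]. */
void tds7_decode(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = swap_xor(buf[i], 0x5A);
}

/* Capture-audit heuristic: an ASCII password sent this way has 0xA5 in
 * every odd position, because each UCS-2 high byte 0x00 encodes to 0xA5. */
int looks_like_tds7_password(const uint8_t *buf, size_t len)
{
    if (len == 0 || len % 2 != 0)
        return 0;
    for (size_t i = 1; i < len; i += 2)
        if (buf[i] != 0xA5)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t wire[64];
    size_t n = tds7_encode("Example1", wire);   /* constructed sample */
    int flagged = looks_like_tds7_password(wire, n);
    tds7_decode(wire, n);
    printf("flagged=%d first decoded char=%c\n", flagged, wire[0]);
    return 0;
}
```

A field that matches the heuristic in a capture means the login was sent without transport encryption, which is the condition to fix.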
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/