SQL Server Database Password Vulnerability & SQL logon password table & how MSSQLServer encrypts undisclosed encryption functions

SQL Server Database Password Vulnerability

Created:
Article attributes: original
Source: original
Article submitted: flashsky (flashsky1_at_sina.com)

I tracked the login process of the SQL Server database server and found that password computing is very fragile. The weak password of the SQL Server database reflects two aspects:
1. Password Encryption Algorithm for network login
2. Password Encryption Algorithm stored in the database.

The following sections describe:
1. Password Encryption Algorithm for network login
SQL server network encryption passwords have always been very fragile. There are many comparison tables written on the Internet, but no specific algorithm processing is available. In fact, you can trace the SQL
Server login process, it is easy to obtain its decryption algorithm: Okay, let's demonstrate the assembly process:
Log on to the TDS package 4126a4 and run it.
004de72e: generate a buffer of the corresponding size based on the received size field for the next copy.
004de748 copy the login information from the received TDS Buf offset 8
004de762: Call sub_54e4d0: process the new copy buffer for parameter check.
Process the information in the TDS package in sequence. The climate of each field should have the length of each region, and compare the length with the offset 0x24.
The following Assembly Code implements the network encryption and decryption algorithm:
. Text: 0065c880 mov Cl, [EDI]
. Text: 0065c882 mov DL, Cl
. Text: 0065c884 XOR Cl, 5
. Text: 0065c887 xor dl, 0afh
. Text: 0065c88a shr dl, 4
. Text: 0065c88d SHL cl, 4
. Text: 0065c890 or DL, Cl
. Text: 0065c892 mov [EDI], DL
. Text: 0065c894 Inc EDI
. Text: 0065c895 dec eax
. Text: 0065c896 jnz short loc_65c880
. Text: 0065c898 JMP loc_4de7e6
It is easy to replace it with the C code. It can be seen that its encryption is simple, and there is no difference with the text, you can embed this code in sniffer to decrypt the sniffing TDS login package. In fact, 0xa5 is not the demarcation symbol of the specific SQL server password field, the encryption algorithm will automatically encrypt the 0x0 value in the Two-byte form of ASC to 0xa5. However, if the dual-byte password is allowed, this is not the main reason for determining the demarcation.
Void sqlpasswd (char * ENP, char * DNP)
{
Int I;
Unsigned char A1;
Unsigned char A2;
For (I = 0; I <128; I ++)
{
If (ENP [I] = 0)
Break;
A1 = ENP [I] ^ 5;
A1 = A1 <4;
A2 = ENP [I] ^ 0xaf;
A2 = A2> 4;
DNP [I] = A1 | A2;
}
DNP [I] = 0;
DNP [I + 1] = 0;
Wprintf (L "passwd: % s/n", (const wchar_t *) DNP );
}

2. Password Encryption Algorithm stored in the database.
The encryption method for SQL Server passwords to database storage is also weird. The process is as follows:
After obtaining the password for network decryption
Call sqlsort_14 at 005f9d5a to implement a buffer for converting to uppercase passwords for saving.
Then, at 004def6d, call a function to retrieve the encrypted password in the database. The format is as follows:
2 bytes header 0x0100 (fixed)
4-byte hash and secret key
Hash1 of 20 bytes
Hash2 of 20 bytes
Example:
FX: 0x0100 1751857f dfdec4fb618d8d18eba5a27f615639f607cd46be dfdec4fb618d8d18eba5a27f615639f607cd46be
Fixed key hash1 hash2 supplement
Password: 123456

SQL first uses a 4-byte hash and secret key to buffer the two passwords. One is in upper case and the other is in lower case. The encryption process is as follows:
Cryptacquirecontextw (& hprov, null, L ("Microsoft base cryptographic provider V1.0"), 1, 0xf0000000 );
Cryptcreatehash (hprov, 0x8004, null, null, & hhash );
Cryptcreatehash (hprov, 0x8004, null, null, & hhash );
005f9dfe:
Crypthashdata (hhash, passwdbuf, 0x12, null); passwdbuf is a lower-case passwd buffer and then attaches a key.
{'1', '2' '3' '4' '5' '6', 0x17,0x51,0x85, 0x7f} is hash encrypted.
Crypthashdata (hhash, passwdbuf, 0x12, null); passwdbuf is an upper-case passwd buffer, and then attaches a key
005f9e3e:
Cryptgethashparam (hhash, 2, & passwdout, & outlen, 0); Retrieve the encrypted value of passwdbuf in lower case.
Cryptgethashparam (hhash, 2, & passwdout, & outlen, 0); obtain the encrypted value of passwdbuf in upper case.
These two values are the real password encryption fields in the database.

Why is the above method fragile? In fact, the actual encryption length is only 20 bytes.
The security of the 40-bit Hash Value Combined by hash1 of the lower-case password and hash1 of the upper-case password is not as safe as a 20-bit hash value. Because we all know the causal relationship between these two values,
More information is provided to the decrypted.
Like its algorithm, if hash1 = hash2, you can determine that the password is definitely not a letter, and only a password with digits and symbols is used, as shown in the hash of the 123456 password obtained above, the two hashes are completely equal.

That is, when a letter is used, it knows the supplemented key, algorithm, and the relationship between two encrypted strings. The solution should be greatly simplified.

Of course, I have not studied encryption algorithms, but I feel that this encryption method is really insecure.

[Post] SQL server password table

Most of the data transmitted by SQL server on port 1433 is in plain text, which includes IP addresses, connection usernames, success and failure messages.

In this way, it is easy to use the sniffer to sniff the SQL Server Information in this CIDR block. After obtaining the user name and IP address

Poor password. In fact, SQL password encryption is very fragile. I used it for half an hour yesterday and compiled a Password character comparison table.

When analyzing the SQL server encryption password, we also found a small bug in SQL Server-if you use ";" as a password

The password is invalid because the SQL server password table does not contain this character.

In this way, the password length will not match the actual length. When you connect to the 1433

The character cannot be identified by the system and thus the password is reported incorrectly.

Usage of the password table:

1. Open your sniff in a hexadecimal editor, and find the user name for SQL Server connection.

A 0x5a-1 is the first password. Each password is separated by 0x5a.

Table:

A 0xb3
B 0x83
C 0x93
D 0xe3
E 0xf3
F 0xc3
G 0xd3
H 0x23
I 0x33
J 0x03
K 0x13
L 0x63
M 0x73
N 0x43
O 0x53
P 0xa2
Q 0xb2
R 0x82
S 0x92
T 0xe2
U 0xf2
V 0xc2
W 0xd2
X 0x22
Y 0x32
Z 0x02
1 0xb6
2 0x86
3 0x96
4 0xe6
5 0xf6
6 0xc6
7 0xd6
8 0x26
9 0x36
0 0xa6
-0x77
= 0x76
/0x60
[0x10
] 0x70
'0xd7
, 0x67
. 0x47
/0x57
'0xa3
! 0xb7
@ 0xa1
#0x97
$0xe7
% 0xf7
^ 0x40
& 0xc7
* 0x07
(0x27
) 0x37
A 0xb1
B 0x81
C 0x91
D 0xe1
E 0xf1
F 0xc1
G 0xd1
H 0x21
I 0x31
J 0x01
K 0x11
L 0x61
M 0x71
N 0x41
O 0x51
P 0xa0
Q 0xb0
R 0x80
S 0x90
T 0xe0
U 0xf0
V 0xc0
W 0xd0
X 0x20
Y 0x30
Z 0x00
_ 0x50
+ 0x17
| 0x62
{0x12
} 0x72
: 0x06
"0x87
<0x66
> 0x46
? 0x56
~ 0x42
; Does not exist

The source cannot be identified above

Reposted to evil baboons

How MSSQLServer encrypts undisclosed encryption functions of passwords

If you are interested in MSSQL user information, you may find the Master. DBO. sysxlogins stores user passwords. However, if the password field is not null, It is a bunch of binary files that cannot be understood. How is this password encrypted?
In fact, you only need to take a closer look at Master. DBO. sp_addlogin and you will be able to see the code in the MSSQL Sp.
Let's take a look at how it works. Pay attention to this line of select @ passwd = pwdencrypt (@ passwd). After this, @ passwd will be encrypted. Let's also try it.
Declare @ clearpwd varchar (255)
Declare @ encryptedpwd varbinary (255)
Select @ clearpwd = 'test'
Select @ encryptedpwd = convert (varbinary (255), pwdencrypt (@ clearpwd ))
Select @ encryptedpwd
It looks good. It is indeed encrypted, but how can I restore it?

Oh, that's no problem. Password Encryption is one-way. You can use encrypted passwords to compare them.
Continue to look at the SP related to other users. You can find that the master. DBO. sp_password contains the password comparison content.
Pwdcompare (@ old, password, (case when xstatus & 2048 = 2048 then 1 else 0 end ))
Ignore xstatus. This is a status mask. Generally, we can use 0 directly.
Declare @ clearpwd varchar (255)
Declare @ encryptedpwd varbinary (255)
Select @ clearpwd = 'test'
Select @ encryptedpwd = convert (varbinary (255), pwdencrypt (@ clearpwd ))
Select pwdcompare (@ clearpwd, @ encryptedpwd, 0)
Select pwdcompare ('errorpassword', @ encryptedpwd, 0)
In this way, we can use these two functions to encrypt our own passwords. How is it good?

Allyesno: setup. ISS