Wireshark-bugs: [Wireshark-bugs] [Bug 1254] New: MSSQL / TDS parser should decode passwords
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1254
Summary: MSSQL / TDS parser should decode passwords
Product: Wireshark
Version: 0.99.4
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Enhancement
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: jhunter@xxxxxxxxxxx
Build Information:
Version 0.99.4
Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.10.4, with GLib 2.12.3, with libpcap 0.9.4, with libz
1.2.3, with libpcre 6.6, with Net-SNMP 5.3.1, without ADNS, without Lua, with
GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos, without PortAudio, without
AirPcap.
Running on Linux 2.6.18-1.2849.fc6, with libpcap version 0.9.4.
Built using gcc 4.1.1 20061011 (Red Hat 4.1.1-30).
--
We found the TDS parser extremely useful this week when debugging a MS SQL
Server connection issue.
Unfortunately, it seems to be lacking one simple feature - the ability to
decode a password from the login packet (TDS 7 / SQL 2000). The password is
effectively plaintext (it's XORed and bit-swapped) - hopefully it should be
easy to add in a decoder to Wireshark?
I did search bugzilla for 'SQL', 'MSSQL' etc. but found no issues relating to
this. Am I missing something simple?
Assuming the functionality isn't present, we found a mailing list post that
explains the encoding scheme:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0056.html
To quote:
"Step 1: Password is converted into UNICODE
Additional Step 2: For each byte of the password, the four Most Significant Bits (MSB) are swapped with the four Least Significant Bits (LSB)
Step 3. This modified byte is then XORed with 0xA5."
The decryption of the password is the reverse of the above.
i.e. the password "host" would be decoded as follows:
On-the-wire: 23 a5 53 a5 92 a5 e2 a5
XORed: 86 00 f6 00 37 00 47 00
Swapped: 86 00 6f 00 73 00 74 00
Text: h <0> o <0> s <0> t <0>
I can supply example packet traces if required.
Thanks!
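
The decoding described in the report, as an added example (not part of the original report and not Wireshark's dissector code). It reverses the three quoted steps on the report's own on-the-wire bytes and shows that no key or secret is involved, so the field is as exposed as cleartext in any capture; the function names are assumptions made for illustration.

```python
"""Reverse the TDS 7 login password obfuscation (XOR 0xA5 + nibble swap)."""

XOR_KEY = 0xA5  # fixed constant from the quoted description, not a secret


def _swap_nibbles(b: int) -> int:
    """Exchange the high and low four bits of one byte."""
    return ((b << 4) | (b >> 4)) & 0xFF


def tds7_decode_password(wire: bytes) -> str:
    """Undo step 3 (XOR), then step 2 (swap), then step 1 (UTF-16LE)."""
    if len(wire) % 2:
        # A truncated capture leaves half a UTF-16 code unit behind.
        raise ValueError("password field is not a whole number of UTF-16 units")
    raw = bytes(_swap_nibbles(b ^ XOR_KEY) for b in wire)
    # errors="replace" keeps going if the field holds an unpaired surrogate.
    return raw.decode("utf-16-le", errors="replace")


def tds7_encode_password(password: str) -> bytes:
    """Forward direction, used here only to confirm the round trip."""
    raw = password.encode("utf-16-le")
    return bytes(_swap_nibbles(b) ^ XOR_KEY for b in raw)


# On-the-wire bytes quoted in the report for the password "host".
REPORT_WIRE_BYTES = bytes.fromhex("23 a5 53 a5 92 a5 e2 a5")

if __name__ == "__main__":
    print("wire :", REPORT_WIRE_BYTES.hex(" "))
    print("text :", tds7_decode_password(REPORT_WIRE_BYTES))
    # Constructed non-ASCII sample to show the UTF-16 handling.
    sample = "Pässwörd€"
    assert tds7_decode_password(tds7_encode_password(sample)) == sample
```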