Wireshark-bugs: [Wireshark-bugs] [Bug 1254] New: MSSQL / TDS parser should decode passwords
Date: Fri, 1 Dec 2006 13:20:38 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1254

           Summary: MSSQL / TDS parser should decode passwords
           Product: Wireshark
           Version: 0.99.4
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jhunter@xxxxxxxxxxx


Build Information:
Version 0.99.4

Copyright 1998-2006 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.4, with GLib 2.12.3, with libpcap 0.9.4, with libz
1.2.3, with libpcre 6.6, with Net-SNMP 5.3.1, without ADNS, without Lua, with
GnuTLS 1.4.1, with Gcrypt 1.2.3, with MIT Kerberos, without PortAudio, without
AirPcap.

Running on Linux 2.6.18-1.2849.fc6, with libpcap version 0.9.4.

Built using gcc 4.1.1 20061011 (Red Hat 4.1.1-30).
--
We found the TDS parser extremely useful this week when debugging a MS SQL
Server connection issue.

Unfortunately, it seems to be lacking one simple feature - the ability to
decode a password from the login packet (TDS 7 / SQL 2000). The password is
effectively plaintext (it's XORed and bit-swapped) - hopefully it should be
easy to add in a decoder to Wireshark?

I did search bugzilla for 'SQL', 'MSSQL' etc. but found no issues relating to
this. Am I missing something simple?

Assuming the functionality isn't present, we found a mailing list post that
explains the encoding scheme:
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0056.html

To quote:
"Step 1: Password is converted into UNICODE
Additional Step 2: For each byte of the password, the four Most Significant
Bits (MSB)
are swapped with the four Least Significant Bits (LSB)
Step 3. This modified byte is then XORed with 0xA5. "

The decryption of the password is the reverse of the above.

i.e. the password "host" would be decoded as follows:

On-the-wire: 23 a5 53 a5 92 a5 e2 a5
XORed: 86 00 f6 00 37 00 47 00
Swapped: 86 00 6f 00 73 00 74 00
Text: h <0> o <0> s <0> t <0>

I can supply example packet traces if required.

Thanks!

