Friday, 6 July 2007

SourceSafe Password Decryption Part 1

In my previous article, I set myself the challenge of trying to decrypt the administrator password in SourceSafe. In the article, I worked out and demonstrated how passwords are "encrypted" in SourceSafe.

Following on from this, I'm going to spend some time trying to work out how they could be decrypted.

To start, refer to the encryption formula again:
Sum (char_position(char XOR 0x96))

Sadly, I never managed to finish my maths A-level, let alone a degree, so I am not a maths wizard by any means. Trying to figure out a way to reverse this using a simple formula is not proving easy. The best I could come up with was:
n = p1(c1 XOR 150) + p2(c2 XOR 150) + p3(c3 XOR 150)... up to p15(c15 XOR 150)
c = char, p = position, n = final result

Frankly, I have absolutely no idea how to get px or cx when you only have n. I don't even know if it can be reversed (I would guess not without either p or c). Any suggestions are most welcome!

So this means that I am not going to be able to decrypt the password - the only choice I have is to break the password.

Thinking again about the encryption routine, it is obvious that there are severe weaknesses in the encryption.

If we consider that all passwords shorter than 15 characters have filling characters from the string "BrianDavidHarry" appended to them before encryption.
If we encrypted the filling characters to calculate their values at each particular password length, we can remove this portion from the coded value of a password to ensure we are only left with the coded portion of the password that represents the actual password, thus:

Pw LengthCoded PortionCode Value
0BrianDavidHarry28304 (0x6E90)
1BrianDavidHarr28012 (0x6D6C)
2BrianDavidHar27657 (0x6C09)
3BrianDavidHa27074 (0x69C2)
4BrianDavidH25959 (0x6567)
5BrianDavid24997 (0x61A5)
6BrianDavi23493 (0x5BC5)
7BrianDav21539 (0x5423)
8BrianDa19826 (0x4D72)
9BrianD17521 (0x4471)
10Brian15561 (0x3CC9)
11Bria12783 (0x31EF)
12Bri9773 (0x262D)
13Br6388 (0x18F4)
14B3180 (0x0C6C)
150 (0x0000)

Consider our current administrator password "adad", which is coded to 0x6DAF (28079). For now, I will assume that I know the length of the password, but not the contents.

If I remove the filler coded portion of the password (which will be 25959 for a length 4 password), I am left with a value of 0x0848 (2120).

Double checking, I know that this is the correct value by working out how it would be encrypted:
PosChar CodeCode ValueTotal
165 (0x41) 'A'215 * 1215
268 (0x44) 'D'210 * 2 = 420635 (215 + 420)
365 (0x41) 'A'215 * 3 = 6451280 (635 + 645)
468 (0x44) 'D'210 * 4 = 8402120 (1280 + 840)

So I know that 2120 is the correct value of the password portion of the code, but I have no idea what the actual characters are in it.

This doesn't actually matter though. I am not trying to decipher the original password, just figure out what I need to type into the login screen in SourceSafe to make it appear that I am typing in that users password.
For example, consider what happens if I enter the code 'KSNB':
PosChar CodeCode ValueTotal
175 (0x4B) 'K'221 * 1221
283 (0x53) 'S'197 * 2 = 394615 (221 + 394)
378 (0x4E) 'N'216 * 3 = 6571280 (615 + 657)
466 (0x42) 'B'212 * 4 = 8482120 (1272 + 848)

No way! KSNB is the same password code as ADAD?!

Upon brining up SourceSafe Admin and tapping in KSNB I am very pleased to see that I am logged in as administrator.

I can even change the password for the admin user, using KSNB as the old password and whatever I feel like as the new one!

This is good news, because it means that if I obtain the coded portion of a password, I can work out a sequence of characters that will generate that code and it will code to the the same value as the real password.

However, how am I going to obtain the coded portion of a password when I don't know the length of the password?

Finding the length of the password is going to prove to be more troublesome, I'm sure...

1 comment:

HyewonLee said...

Before append "BrianDavidHarry", password is converted to a big letter. (aaaa→AAAA)