by Jay Johansen | Apr 1, 2008
A few years back the organization I worked for decided they needed to make some upgrades to a database system they had. There was one little problem. It had been a couple of years since anyone had changed the database structure, and the guy who had done it had gotten another job. And no one knew what the administrator password to the database was. They tried to call him at his new job, but he'd left there also, and the folks there didn't know how to contact him.
So my boss came to me and asked me if I could find a way to hack in to the database. Yes, I was actually assigned by my boss to break our own organization's security. How often does an opportunity like that come along?
My first thought was that this would be pretty hopeless. I like to think I'm a smart guy but I'm no cryptography expert, and this was a commercial database package from a big company. They surely had good security. But I said I'd see what I could do. And I broke their security in one day.
I'll admit here that I did have one big advantage up front that most hackers wouldn't have: While no one knew the administrator password for the database management system, I did have administrative rights to the computer in general. On the other hand, I had to be careful what I tinkered with because I didn't want to bring the DBMS down and not be able to fix it.
So I did a little poking around and found where the DBMS kept its data files. One of these was named "system". I did a hex dump of this file and buried amidst all the unreadable binary data was what was pretty obviously the list of authorized users. I could clearly see names of people in the organization, text strings that looked like likely user names, a couple of other easily-identifiable pieces of information, and then a cryptic character string. This wasn't the user's password -- it wasn't going to be that easy -- but I wondered if this might not be an encrypted version of the user's password.
I found the entry for myself and noted the value of this string. Then I changed my password and checked again. Sure enough, it changed. So, I thought, maybe, just maybe, if I tinker with various passwords, I can figure out what the encryption formula is, and maybe be able to reverse it.
I tried putting in a one-letter password. The encrypted value was only one character long. Not the same letter, but only one. I tried putting in two letters, and sure enough the encrypted value was two letters. I quickly discovered that the encrypted value was always the same length as the clear (i.e. original) value.
A little more playing around and I discovered that if I changed the first letter of my password while keeping the rest the same, the last letter of the encrypted value changed, but all the other letters remained the same. If I changed the second letter in the original, the second from the end in the encrypted changed, and so on. So they were only encrypting one letter at a time, and then reversing the order in what seemed a pretty lame attempt to obscure this.
Well, from there it was just a downhill glide. I found the entry for the administrator account, and looked at that account's encrypted password. It was six characters, so I knew the clear password was six characters. I changed my own password to "aaaaaa". It didn't match -- hardly a shock -- so I tried "baaaaaa". Again no match. Then I tried "caaaaaa". Then "daaaaaa". Ah, now the last character of my encrypted password matched the last letter of the encrypted administrator password. Then I tried changing the second letter of my password until the second to last letter of mine matched the admin's. Etc. In a few minutes I had the password. (Which turned out to be "doobie", if you care.)
The glaring flaw in the encryption scheme was that they encrypted letter-by-letter. If they'd used a formula where changing one letter of the clear value changed characters throughout the encrypted value with no obvious pattern, breaking it would have been much more difficult.
I could crack the password one letter at a time. A password could include upper or lower case letters, digits, and a dozen or so punctuation symbols, for a total of maybe 70 or 80 possible characters in each position. Even given that I knew that the password was 6 characters, if they'd used an encryption scheme
I forget what the maximum length of a password was, but even if it was only six characters, that would be over 80^6 possible passwords, or 262 billion. (Really 80+80^2+80^3+80^4+80^5+80^6.)
© 2008 by Jay Johansen