Open Source and information security mailing list archives
Message-ID: <416A4105.2000609@ngssoftware.com>
From: chris at ngssoftware.com (Chris Anley)
Subject: mysql password cracking

Hey David,

Re: allowing users to see other user's hashes - it's dangerous; don't do 
it if you don't have to.

To precis what's in the paper (which I wrote btw), there's a few 
interesting points about mysql password hashes:

1) In versions prior to 4.1, the password hash can be used to 
authenticate directly with the database, so you don't need to crack it. 
In other words, knowledge of the *hash* is what the authentication 
protocol tests, not knowledge of the password. Admittedly you'd need to 
modify your mysql client to authenticate this way but that's not too hard.

2) In versions 4.1 or better (which are still Beta) MySQL uses SHA1 to 
hash the passwords, so the situation is a little better. You can still 
crack sha1 password hashes fairly easily though, depending on the 
password complexity and length. The hashing algorithm is to sha1 hash 
the password, then sha1 hash the resulting hash, in other words 
sha1(sha1(password)). Of course, if you're using 4.1 or better you're 
using beta software, against MySQL AB's recommendation.

3) If you use 4.1 ensure it's at least 4.1.3, because of the 
authentication bug detailed in the paper which (briefly) lets any user 
authenticate without needing to know the password.

If for some reason you have to have an untrusted user viewing another 
user's grants, you could do it safely a number of ways (assuming version 
4.0.x):

a) Write a UDF to do it (probably the best solution)
b) Write a batch script that periodically does the 'show grants', strips 
the password hashes out and then inserts the data into a table your user 
can see. Of course, the data won't be current, but that might be ok and 
you don't need to mess about with dangerous privs.
c) Grant the user select privilege (only) on mysql.db, mysql.host, 
tables_priv, user_priv and every column of 'mysql.user' apart from 
'password', and 'select' their privs out manually. This may be 
dangerous, so be careful.

Hope that helps... :o)

      -chris.

Willem Koenings wrote:
> hi,
> 
> 
>>I'm wondering how dangerous it is to allow a user on a 
>>mysql db to view the grants for another user. Could 
>>they take the encrypted password data and possibly 
>>crack it? If they can, how easy is it? 
> 
> 
> on certain condition it's quite easy, if you have
> a hash:
> 
> test.exe 57510426775c5b0f
> Hash: 57510426775c5b0f
> Trying length 3
> Trying length 4
> Trying length 5
> Found pass: guest
> 
> 
> some reading for you:
> 
> http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
> 
> all the best,
> 
> W.
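A sketch of option (b) from the message above, as an added example that is not part of the original post: the filtering step of a batch job that removes password hashes from 'show grants' output before the rows are copied to a table the untrusted user can read. The function and variable names are hypothetical, the `IDENTIFIED BY PASSWORD '...'` clause format is an assumption about what the server prints, and the sample lines are constructed (the first reuses the hash quoted in the thread).

```python
import re

# Clause assumed to carry the hash in SHOW GRANTS output; any quoted value is dropped.
_IDENT = re.compile(r"\s+IDENTIFIED\s+BY\s+PASSWORD\s+'[^']*'", re.IGNORECASE)
# Safety net: any run of 16 or more hex digits that survived redaction
# (covers 16-hex pre-4.1 hashes and the longer SHA1-based 4.1 values).
_LEFTOVER = re.compile(r"[0-9A-Fa-f]{16,}")


def strip_hashes(show_grants_lines):
    """Return grant statements with the password-hash clause removed.

    Raises ValueError if anything hash-shaped remains, so the batch job
    fails closed instead of publishing a hash to the readable table.
    """
    cleaned = []
    for line in show_grants_lines:
        line = line.strip()
        if not line:
            continue
        out = _IDENT.sub("", line)
        if _LEFTOVER.search(out):
            raise ValueError("hash-like value left after redaction")
        cleaned.append(out)
    return cleaned


# Constructed sample input (not captured from a real server).
SAMPLE = [
    "GRANT USAGE ON *.* TO 'guest'@'localhost' "
    "IDENTIFIED BY PASSWORD '57510426775c5b0f'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'guest'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' "
    "IDENTIFIED BY PASSWORD '*" + "AB" * 20 + "' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for stmt in strip_hashes(SAMPLE):
        print(stmt)
```

The job that runs this needs the privileges to read grants; the user reading the resulting table does not.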

