Users login

Create an account »


Users login

Home » Hacking News » Weak Password Encryption Scheme in MS SQL Server

Weak Password Encryption Scheme in MS SQL Server

by Nikola Strahija on November 3rd, 2002 MS SQL Server has two means of authenticating users. One uses Windows Authentication, and the other is the built-in SQL Authentication (which includes the 'sa' account). The passwords for the SQL Authentication are sent over the network using a very weak password encryption method. This was first mentioned in David Litchfield's paper "Threat Profiling Microsoft SQL Server".

In his paper, Mr. Litchfield states that the password is encrypted by
first converting it into UNICODE and then performing a simple XOR operation.
I quote directly from there:

"Network Sniffing
When a user connects to an SQL Server and authenticates as an SQL login, as
opposed to a Windows NT/2000 user, their login name and password are sent
across the network wire in what is tantamount to clear text. The
'encryption' scheme used to hide the password is a simple bitwise XOR
operation. The password is converted to a wide character format, or UNICODE,
and each byte XOR'd with a constant fixed value of 0xA5. Of course, this is
easy to work out because every second byte of the 'encrypted' password on
the wire 0xA5 and we know that the password is in UNICODE with every second
byte being a NULL and when any number is XOR'd with 0 (or NULL) the result
is the same: 0x41 xor 0x00 = 0x41, 0xA5 xor 0x00 = 0xA5."

However, there is a slight inaccuracy in this description which we detail
below. We have determined that the actual XORing method involves an
additional step.
Step 1: Password is converted into UNICODE
Additional Step 2: For each byte of the password, the four Most Significant
Bits (MSB)
are swapped with the four Least Significant Bits (LSB)
Step 3. This modified byte is then XORed with 0xA5.

In the case of the alternating UNICODE 0x00, swapping the 4 MSB with the 4
LSB does
not make a difference. But for the rest of the bytes, it does.

Vendor Response:
We did not contact the vendor, Microsoft as this is not exactly something
new. However, we did contact Mr. Litchfield informing him about the slight
modification to his original statement in his whitepaper. We did not receive
any response from him.

Suggested Workarounds:
There is nothing new to be done here, other than that which ought to be done
when hardening an MS SQL Server. Do NOT use the SQL Server Authentication.
This is strongly recommended by Microsoft.

This is more of an FYI Advisory. Just to keep things a bit more accurate.

Other Information:
This advisory is available online at
We have used this method in our free tool 'forceSQL' which guess SQL Server
Passwords using both Dictionary and Brute Force attacks. This is available
for free download at
You may read our Vulnerability Disclosure Policy at
Other advisories are at

K. K. Mookhey
Network Intelligence India Pvt. Ltd.
Tel: 91-22-2001530, 2006019
Email: [email protected]

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »