SQL Server password password control table
SQL Server transmits most of the data transmitted by 1433 ports, including IP addresses, connects to username, success, and failure messages
In this way, it is easy to use the sniffer to sniff the relevant information of SQL Server in this network segment. After getting the username and IP,
Difference, in fact, the password encryption of SQL is very fragile. Yesterday I used it for half an hour, and I organized a password character comparison table.
When analyzing the SQL Server encryption password, the SQL Server is discovered a unclear bug ---- if you use ";"
The password will result in failure, because SQL Server's password control table, does not have this character, when SQL Server encounters this password word
When the accordion, you will take the initiative to give up this character, so that the password length will not do with the actual length, when you connect 1433 next time
Waiting, this character cannot be identified by the system, thus reporting the password error.
The usage of password comparison:
1. Open your sniff to something with a 16-binding editor, then find the username of the SQL Server connection, starting from the username
The location of a 0x5a - 1 is the first place of the password, each password is separated by 0x5A, and the password transformation of the password is checked.
Chart:
A 0xB3
B 0x83
C 0x93
D 0xE3
e 0xf3
f 0xc3
G 0xD3
H 0x23
i 0x33
J 0x03
K 0x13
l 0x63
M 0x73
N 0x43
O 0x53
P 0xA2
Q 0xB2
R 0x82
S 0x92
T 0xE2
u 0xf2
V 0xc2
W 0xD2
x 0x22
Y 0x32
z 0x02
1 0xB6
2 0x86
3 0x96
4 0xe6
5 0xf6
6 0xc6
7 0xD6
8 0x26
9 0x36
0 0xA6
- 0x77
= 0x76
/ 0x60
[0x10
] 0x70
'0xD7
0x67
0x47
/ 0x57
`0xa3
0xB7
@ 0xa1
# 0x97
$ 0xe7
% 0xF7
^ 0x40
& 0xc7
* 0x07
(0x27
0x37
A 0xB1
B 0x81
C 0x91
D 0xe1
E 0xf1
F 0xc1
G 0xD1
H 0x21
I 0x31
J 0x01
K 0x11
L 0x61
M 0x71
N 0x41
O 0x51
P 0xA0
Q 0xB0
R 0x80
S 0x90
T 0xE0
U 0xF0
V 0xc0
W 0xD0
X 0x20
Y 0x30
Z 0x00
_ 0x50
0x17
| 0x62
{0x12
} 0x72
: 0x06 "0x87
<0x66
> 0x46
? 0x56
~ 0x42
; does not exist
