Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 03-11-2009, 09:52 AM
ericb1 ericb1 is offline
Junior Member
 
Join Date: Mar 2009
Posts: 3
Default .net app passwords

Any help is appreciated. I administer a .net web application, and we have some employees who run queries and build reports, etc. off the data, which is stored in SQL2005.

I've noticed that some of them make local copies of some tables to work with locally, but the "account" table has all the users passwords stored in them. Now, they're stoed in an encrypted state, but from a security standpoint, I was wondering how bad this is. Is there any known way to reverse these passwords to reveal them?

I was going to disallow the storing of these passwords, but if it's not a real security risk, then I wasn't going to make a big deal out of it.

Any insights are appreciated, thanks!
Reply With Quote
  #2  
Old 03-11-2009, 10:21 AM
rongchaua rongchaua is offline
Senior Member
 
Join Date: Apr 2007
Posts: 91
Default

Quote:
Is there any known way to reverse these passwords to reveal them?
Yes it's according to how you encrypted the password and how secure the password is.

For example, I use a "standard" password with big,small,number, special character in length of 12 characters. I encrypted them with MD5 to a MD5 hash. It is pretty secure for revealing the password. But ...

The problem I see here is not what you concern about. But that is your authentication system. If the user can work locally with tblUser, then I have question: How do you authenticate the user? That means when I, an user, work locally and log into the system. Which table will be used to authenticate me? The local one or the online one?
If you use the local one, then you must think about "cookie faking". With "cookie faking" I can easily loginto an account of other user.
If you use the online one, I recommend you to remove the tblUser (which supports the authentication process) immediately from local database under any circumstance. It gives you a very,very big risk for your systems in future.
Your system will get bigger day after day. And if you do not do it right away, it'll be very complex to do it later.
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 03-11-2009 at 10:26 AM.
Reply With Quote
  #3  
Old 03-11-2009, 10:51 AM
ericb1 ericb1 is offline
Junior Member
 
Join Date: Mar 2009
Posts: 3
Default

Thanks so much for the reply. What we do is that our production sql server makes a nightly backup of the production database to another server.

This 2nd server is where we run reports and queries from so as not to impact production performance. To access this server, there is an Active Directory user group that authenticates people into SQL server 2005.

Within this copy of the production database, is the tblUser with first name, last name, accountID, password, email address, etc. So there's only a handful of people who can access this server, and that is controlled, but these people have sql server installed on their own PC's, so they make local copies of the database, including tblUser. From here I lose control of who can access what.

This is where I was concerned with the passwords being exposed. If someone had the table, can they reverse the passwords to expose them, etc.

Thanks again.
Reply With Quote
  #4  
Old 03-11-2009, 11:35 AM
rongchaua rongchaua is offline
Senior Member
 
Join Date: Apr 2007
Posts: 91
Default

@ericb1:
Quote:
If someone had the table, can they reverse the passwords to expose them, etc.
As I answer you above. That can be. A hacker can reverse your encrypted password.
I do not know what kind of tblUser you are discussing. It is your custom table which is served only for authentication of that database Or that is the tblUser extracted from Active Directory.
If it is a custom table, you should tell us which algorithm you use to hash your Password. A MD5 hash is ok and a SHA hash is more better.
If it is a table which extracted from Active Directory, and then this is the way to crack the password: http://www.irongeek.com/i.php?page=security/cachecrack
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 03-11-2009 at 11:37 AM.
Reply With Quote
  #5  
Old 03-11-2009, 12:15 PM
ericb1 ericb1 is offline
Junior Member
 
Join Date: Mar 2009
Posts: 3
Default

It is a custom database used only for authenticating users in the web application. (which is why I don't think people running queries against the database for reports need it).

However, I don't know how it's encrypted, MD5 or SHA, etc.

Thanks again!
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.