How I Discovered the MaxDB Password Reset Procedure

Step 1: I fired up an excellent tool Process Monitor from SysInternals (Now Microsoft owned), opened up the database manager tool and reset my users password. I then reviewed all the events that had just happened, initially looking to see what files has been read from thus attempting to gain clues to how the change password operation might be working. Then later looking at what files had been written to ultimately hoping to see where the password might be saved.Matt Bartlett

Step 2: From analysis of the sdb.upc file I could see my users in plain text. I could be on to something interesting. Matt Bartlett

Step 3: After taking a backup of the upc file I changed the password once more and compared the two files. I could see clearly the only change made, this must be an encrypted version of the password.

Matt Bartlett

Step 4: Now I was interested in see if the password was being salted with perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.Matt Bartlett

A quick check proves I can simply copy and paste hashes between password files to reset them. I tried simply setting the password hash to all zeros which works nicely but only for version 7.6 as later versions generate an error.

UK Cyber Security Challenge. Are you in…? Well you should be!

If you’re reading this then the chances are you have at least a mild interest in IT security. I’ve been competing in the UK Cyber Security Challenge this year and I urge you to get involved. So far it’s been a fantastic experience and really got my interest sparked in this area. This year there has been a variety of different of paths from secure network design, penetration testing (or hacking) and forensics. There’s been theory and hands on challenges for example where you’ve had the opportunity to try out your skills against the clock to hack into as many servers as possible to gain root and administrator access. If more considered approach is more your thing then the Linux forensic investigation competition was brilliant and my personal favourite, here you had to identify 24 different compromises and identify how they were pulled off and how you could defend against them. I’ve seen some really clever cunning exploits and learnt a ‘stack’ of new tricks.

The top man James Lyne from Sophos explains more

As this is my blog it’s just about ok to blow my own trumpet with my results so far…

Linux Forensic Challenge – 1st Place
Sophos and SANS Penetration Test – 1st Place
SAIC CyberNEXS Penetration Test – 1st Place

Not just because of the results so far, it really has been a worthwhile and rewarding experience.

The challenge will be back next year bigger and better than ever.

The Origin of Bartlett Remains Unimpressed

Those that have known me for some time know that wherever possible I like to get my catch phrase in “Bartlett Remains unimpressed”.

This is where it all began… Computing December 1999
Page 3 – Business Sites Open to Abuse

Matt BartlettMatt BartlettMatt Bartlett













INTERNET service provider Global Internet has admitted that it left user names and passwords for 200 business web sites in an easily accessible file – but has no plans to warn its customers, writes Steve Ranger. The file could be downloaded by any of Global lnternet’s customers whose sites were hosted on the same machine. The file was protected by simple encryption, which could easily be broken by tools available on the Internet, said Matt Bartlett, who found the file. ‘Anyone who’s used Linux or Unix usually knows this sort of thing, especially those involved in administration tasks,’ said Bartlett, an IT technician at Global Internet customer Wilts Wholesale Electrical. ‘Now we know about it, we’ll change our passwords. But what about the other companies?’ Peter Venmore, a director at Global Internet, blamed human error and said: ‘We have a dozen of these servers and they are set up correctly.’ Warning customers to change their passwords is ‘not necessarily required’, he said, because ordinary users will be unable to decrypt the file. He admitted, however:  If you want to throw a dictionary programme at it and the passwords are in plain text then you would be able to get access.’ Global Intemet is continuing its investigation, but Bartlett remains unimpressed. ‘All this is basic security, there is nothing clever involved,’ he said.

What clever devious way did I get hold of this password file?

‘get /etc/passwd’

ohh the days before shadow password files!

How I solved Part 1 of the GCHQ Challenge.

My Video for my solution to part 1 of the GCHQ challenge.

A video is worth 10,000 words but basically this is the process I followed.

Hand typed the hex shown on the webpage into a file.

Uploaded the file to Linux and ran to ‘file’ command to give me a clue.

Command ‘ndisasm’ passes the file as assembly. It is assembly.

Used IDA Disassembler together with the Bochs x86 Emulator to step through the code. There is a check routine that points to the fact we are missing data.

Analysis of the original image shows a hidden comment within the raw content. Looks like base 64 encoded as the string is all printable characters and ends with ‘==’. Converted to hex using this online tool and pasted back into the original file.

Back into IDA Disassembler ran the code and analysed the memory revealing the solution to part 1.

A Website is born…

Every website needs a little something, sometimes great content isn’t enough.

Have you noticed the header image on the front of this website is clickable, zoomable and browseable. Well at least one person has asked how its done and that’s good enough for me. Basically its like Microsofts SilverLight DeepZoom technology but using Flash.

Step 1: Downloaded a list of sap transactions from SE16N using table TSTC and saved these off as a text file.

Matt Bartlett

Matt Bartlett

Step 2: Wrote a little windows script host .vbs file to read the transaction text file and using the sendkeys function to inject those into the SAP GUI window for example ‘/oabaw’, then call Gadwin to screen capture the current active window and save as a jpg file, and finally send keys alt+f4 to close the transaction. Repeat this a few hundred times. Ending up with a folder looking like this.

Matt Bartlett

Matt Bartlett

Step 3: Using shape collage I created a high res static image of all the files. I then popped into see my favourite marketing department to borrow their copy of Photoshop and exported using the Zoomify option but…. using a replacement swf based on OpenZoom from Daniel Gasienica!

Matt Bartlett

Matt Bartlett

Step 4: Finally I made a slight modification to the header page in wordpress to serve up the flash instead of the regular image and we’re done!

Matt Bartlett

Matt Bartlett