MySQL Protocol Client/Server Authenication - Token Generation for Authenication Packet from Client

Question

I am currently building a client without using any libraries just to understand the protocol really, and I am confused by an access denied reply when sending my computed Auth packet to the MySQL Server. The Mysql server is just a local server running on my computer for testing purposes. Here is the information I am sending:

The test password is 'peanut'.

Stage 1 Hash = b14ab480028768cb748fd97de56144a304eb8a1a

Stage 2 Hash = fd62797ed464c2843942a9167cc0521779d68862 - This is correct but without the * in the database.

Salt & Stage 2 Hash = rC8/$a?Vr\\W|.jN)~cVcfd62797ed464c2843942a9167cc0521779d68862

SHA1(Salt + Stage 2 Hash) XOR Stage 1 Hash = 4B19199ECEB929469EA89C0E942D8D5B9ACBE237

String Sent to Server For Authentication in hex:

\\x3A\\x00\\x00\\x01 - Standard Header (Payload length / Sequence nUmber)

\\x02\\x04\\x80\\x00 - Compatibility flags

\\x00\\x00\\x00\\x01 - Maximum packet size

\\x08 - Charset

\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 - 23 byte filler

\\x72\\x6F\\x6F\\x74\\x00 - username zero terminated

\\x14 - length of token (20 bytes)

\\x4B\\x19\\x19\\x9E\\xCE\\xB9\\x29\\x46\\x9E\\xA8\\x9C\\x0E\\x94\\x2D\\x8D\\x5B\\x9A\\xCB\\xE2\\x37 - token

When I send this string, the server just sends out the #28000 error that is access denied.

Could this be an access rights issue? A remote user trying to gain root access, is there something i need to enable?

I have changed the connection timeout settings wait_timeout / connect_timeout etc. and still no joy, these are set to 60 Secs.

I am not sure if I should be computing the SHA1(Salt + Stage 2 Hash) with an asterisk or not, as in the database it shows an * before the password. I have tried both ways and it still doesn't auth.

I am running out of ideas now, the only other thing I can think to do is to write another program which will process the client token as the Mysql Server would, but I thought I would double check here first.

I have been working on this for a while now and am stumped.

Any help greatly appreciated. I don't normally post on Forum's so its a new experience, sorry if I haven't followed etiquette.

Regards

James

Answer 1

Without looking into the protocol documentation myself it is hard to see any errors here. It could be anything from endianness to wrong padding, lengths and other calculations etc. The server rightfully does not provide more details as to why the login might have failed, because that would be leaking information to a potential attacker.

I suggest you grab the MySQL source code and look at how they do it in their command line application. See http://dev.mysql.com/doc/internals/en/guided-tour.html for some introduction and download links.

Apart from that, there is always the option of logging the network traffic with Wireshark to see what the stock mysql client sends and compare that to what you have. That might help to figure out padding etc. Note that if you are working on Windows there might be problems to capture traffic on localhost, because IIRC Windows shortcuts the traffic somehow, so it does not get past the network interface for Wireshark to see. In that case you might have to set up the MySQL server in a VM or on a different machine.