feat(creds): Phase 2 — MySQL handshake hash + MSSQL Login7 plaintext

Closes the cred-coverage gap for two database services that had been
capturing only the username:

- MySQL — extends _handle_packet to read the auth-response after the
  null-terminated username. mysql_native_password puts a 1-byte
  length followed by 20 bytes: SHA1(password) XOR SHA1(salt +
  SHA1(SHA1(password))). Plaintext irrecoverable, lands as
  secret_kind="mysql_native_password" with the 20 hash bytes in
  secret_b64. Hash is canonical for "hashcat -m 11200" if an operator
  ever wants to crack offline.

- MSSQL — fixes a pre-existing bug AND adds password capture. The
  prior _parse_login7_username read offsets 36/38, which is actually
  ibHostName/cchHostName in the Login7 layout — username sat at
  40/42 and was never touched. Replaced with _parse_login7_creds()
  reading the correct offsets (40 username, 44 password). Login7
  password is XOR-then-nibble-swap obfuscated against 0xa5;
  _deobfuscate_login7_password reverses it. Plaintext-recoverable,
  lands as secret_kind="plaintext".

The pre-existing test_login7_auth_logged_and_closes only verified the
error response ships and the connection closes; it didn't validate
the parsed username, so the hostname-as-username bug was silent. New
tests cover both the deobfuscation algorithm directly and the full
ingester round-trip for both services.

Sync: copies the canonical syslog_bridge.py into mysql/ and mssql/
template build contexts so service_testing tests load the version
with classify_authorization + encode_secret available.

37 tests pass in the touched scope. Phases 3-7 still pending.

decnet/templates/mssql/server.py

@@ -6,6 +6,7 @@ a login failed error. Logs auth attempts as JSON.
 """
 
 import asyncio
+import base64
 import os
 import struct
 
@@ -142,26 +143,63 @@ class MSSQLProtocol(asyncio.Protocol):
             self._transport.write(_PRELOGIN_RESP)
             self._prelogin_done = True
         elif pkt_type == 0x10:  # Login7
-            username = self._parse_login7_username(payload)
-            _log("auth", src=self._peer[0], username=username)
+            username, password = self._parse_login7_creds(payload)
+            extra: dict = {}
+            if password:
+                pw_bytes = password.encode("utf-8")
+                extra = {
+                    "principal": username,
+                    "secret_kind": "plaintext",
+                    "secret_printable": password,
+                    "secret_b64": base64.b64encode(pw_bytes).decode("ascii"),
+                }
+            _log("auth", src=self._peer[0], username=username, **extra)
             self._transport.write(_tds_error_packet("Login failed for user."))
             self._transport.close()
         else:
             _log("unknown_packet", src=self._peer[0], pkt_type=hex(pkt_type))
             self._transport.close()
 
-    def _parse_login7_username(self, payload: bytes) -> str:
+    @staticmethod
+    def _deobfuscate_login7_password(blob: bytes) -> str:
+        """MS-TDS Login7 password obfuscation: each byte was rotated-right
+        4 bits then XOR'd with 0xa5. Inverse is XOR 0xa5 then rotate-left
+        4 bits (== nibble swap). Plaintext-recoverable.
+
+        After deobfuscation the bytes are UTF-16-LE encoded characters."""
+        out = bytearray(len(blob))
+        for i, b in enumerate(blob):
+            x = b ^ 0xa5
+            out[i] = ((x & 0x0f) << 4) | ((x & 0xf0) >> 4)
+        return bytes(out).decode("utf-16-le", errors="replace")
+
+    def _parse_login7_creds(self, payload: bytes) -> tuple[str, str]:
+        """Login7 offset table starts at payload offset 36:
+
+            36-37 ibHostName  38-39 cchHostName
+            40-41 ibUserName  42-43 cchUserName
+            44-45 ibPassword  46-47 cchPassword
+
+        Both lengths are CHARACTER counts; multiply by 2 for byte length.
+        The password field is XOR/swap-obfuscated — see
+        :meth:`_deobfuscate_login7_password`. Plaintext-recoverable.
+        """
         try:
-            # Login7 layout: fixed header 36 bytes, then offsets
-            # Username offset at bytes 36-37, length at 38-39
-            if len(payload) < 40:
-                return "<short_packet>"
-            offset = struct.unpack("<H", payload[36:38])[0]
-            length = struct.unpack("<H", payload[38:40])[0]
-            username = payload[offset:offset + length * 2].decode("utf-16-le", errors="replace")
-            return username
+            if len(payload) < 48:
+                return "<short_packet>", ""
+            user_off, user_len = struct.unpack("<HH", payload[40:44])
+            pw_off, pw_len = struct.unpack("<HH", payload[44:48])
+            username = payload[user_off:user_off + user_len * 2].decode(
+                "utf-16-le", errors="replace"
+            )
+            password = ""
+            if pw_len:
+                password = self._deobfuscate_login7_password(
+                    payload[pw_off:pw_off + pw_len * 2]
+                )
+            return username, password
         except Exception:
-            return "<parse_error>"
+            return "<parse_error>", ""
 
     def connection_lost(self, exc):
         _log("disconnect", src=self._peer[0] if self._peer else "?")

decnet/templates/mysql/server.py

@@ -7,6 +7,7 @@ attempts as JSON.
 """
 
 import asyncio
+import base64
 import itertools
 import os
 import struct
@@ -109,17 +110,38 @@ class MySQLProtocol(asyncio.Protocol):
     def _handle_packet(self, payload: bytes):
         if not payload:
             return
-        # Login packet: capability flags (4), max_packet (4), charset (1), reserved (23), username (NUL-terminated)
+        # Login packet: capability flags (4), max_packet (4), charset (1),
+        # reserved (23), username (NUL-terminated), auth-response.
+        # mysql_native_password puts a 1-byte length followed by exactly
+        # 20 bytes: SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))) —
+        # plaintext is unrecoverable but the 20 bytes ARE a credential the
+        # attacker knew, so they land as secret_kind="mysql_native_password".
         username = "<unknown>"
+        auth_response = b""
         if len(payload) > 32:
             try:
                 username_start = 32
                 nul = payload.index(b"\x00", username_start)
                 username = payload[username_start:nul].decode(errors="replace")
+                # auth-response length byte + bytes
+                if len(payload) > nul + 1:
+                    resp_len = payload[nul + 1]
+                    if resp_len and len(payload) >= nul + 2 + resp_len:
+                        auth_response = payload[nul + 2:nul + 2 + resp_len]
             except (ValueError, IndexError):
                 username = "<parse_error>"
+
+            extra: dict = {}
+            if auth_response:
+                _b64 = base64.b64encode(auth_response).decode("ascii")
+                extra = {
+                    "principal": username,
+                    "secret_kind": "mysql_native_password",
+                    "secret_printable": auth_response.hex(),
+                    "secret_b64": _b64,
+                }
             _log("auth", src=self._peer[0], username=username,
-                 connection_id=self._conn_id)
+                 connection_id=self._conn_id, **extra)
         # Real mysqld includes client IP in the error text.
         src_ip = self._peer[0] if self._peer else "?"
         msg = f"Access denied for user '{username}'@'{src_ip}' (using password: YES)"