Closes the cred-coverage gap for two database services that had been capturing only the username:

- MySQL — extends _handle_packet to read the auth-response after the null-terminated username. mysql_native_password puts a 1-byte length followed by 20 bytes: SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))). Plaintext irrecoverable, lands as secret_kind="mysql_native_password" with the 20 hash bytes in secret_b64. Hash is canonical for "hashcat -m 11200" if an operator ever wants to crack offline.

- MSSQL — fixes a pre-existing bug AND adds password capture. The prior _parse_login7_username read offsets 36/38, which is actually ibHostName/cchHostName in the Login7 layout — username sat at 40/42 and was never touched. Replaced with _parse_login7_creds() reading the correct offsets (40 username, 44 password). Login7 password is XOR-then-nibble-swap obfuscated against 0xa5; _deobfuscate_login7_password reverses it. Plaintext-recoverable, lands as secret_kind="plaintext".

The pre-existing test_login7_auth_logged_and_closes only verified the error response ships and the connection closes; it didn't validate the parsed username, so the hostname-as-username bug was silent. New tests cover both the deobfuscation algorithm directly and the full ingester round-trip for both services.

Sync: copies the canonical syslog_bridge.py into mysql/ and mssql/ template build contexts so service_testing tests load the version with classify_authorization + encode_secret available.

37 tests pass in the touched scope. Phases 3-7 still pending.
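The two payload layouts the commit message describes, worked through as an added example. This is not the project's code: the function names (parse_login7_creds, deobfuscate_login7_password, parse_mysql_handshake_response, verify_mysql_native) are stand-ins for the helpers the message names, the packets are constructed test vectors built inline, and the MySQL capability flags are arbitrary. It reads the Login7 (offset, length) pairs at 36/40/44 from the body after the TDS header, reverses the 0xA5 nibble-swap obfuscation, parses the HandshakeResponse41 auth-response after the NUL-terminated username, and shows the offline candidate check that the "crackable" claim rests on.

```python
"""Added example: parse MSSQL Login7 and MySQL HandshakeResponse41 credentials.
Constructed sample packets; helper names are hypothetical, not the project's."""
import hashlib
import struct

# --- MSSQL Login7 ---------------------------------------------------------
# Byte offsets into the Login7 *body* (8-byte TDS packet header already
# stripped): ibHostName/cchHostName at 36/38, ibUserName/cchUserName at
# 40/42, ibPassword/cchPassword at 44/46. The fixed header is 94 bytes.
LOGIN7_FIXED_LEN = 94
OFF_HOSTNAME, OFF_USERNAME, OFF_PASSWORD = 36, 40, 44


def _login7_slice(body: bytes, pos: int) -> bytes:
    """Read an (ib, cch) pair at pos; cch counts UCS-2 characters, not bytes."""
    ib, cch = struct.unpack_from("<HH", body, pos)
    raw = body[ib:ib + 2 * cch]
    if len(raw) != 2 * cch:
        raise ValueError(f"field at {pos} points past end of body")
    return raw


def obfuscate_login7_password(raw: bytes) -> bytes:
    """Client side: swap each byte's nibbles, then XOR with 0xA5."""
    return bytes((((b << 4) | (b >> 4)) & 0xFF) ^ 0xA5 for b in raw)


def deobfuscate_login7_password(raw: bytes) -> bytes:
    """Server/capture side: XOR with 0xA5 first, then swap the nibbles back."""
    out = bytearray()
    for b in raw:
        b ^= 0xA5
        out.append(((b << 4) | (b >> 4)) & 0xFF)
    return bytes(out)


def parse_login7_creds(body: bytes) -> dict:
    if len(body) < LOGIN7_FIXED_LEN:
        raise ValueError("Login7 body shorter than fixed header")
    pw = deobfuscate_login7_password(_login7_slice(body, OFF_PASSWORD))
    return {
        "hostname": _login7_slice(body, OFF_HOSTNAME).decode("utf-16-le", "replace"),
        "username": _login7_slice(body, OFF_USERNAME).decode("utf-16-le", "replace"),
        "password": pw.decode("utf-16-le", "replace"),
    }


def build_login7_sample(hostname: str, username: str, password: str) -> bytes:
    """Constructed test vector: only the three (ib, cch) pairs we use are set."""
    fields = [s.encode("utf-16-le") for s in (hostname, username, password)]
    fields[2] = obfuscate_login7_password(fields[2])
    header, data = bytearray(LOGIN7_FIXED_LEN), bytearray()
    for pos, f in zip((OFF_HOSTNAME, OFF_USERNAME, OFF_PASSWORD), fields):
        struct.pack_into("<HH", header, pos, LOGIN7_FIXED_LEN + len(data), len(f) // 2)
        data += f
    struct.pack_into("<I", header, 0, LOGIN7_FIXED_LEN + len(data))  # Length field
    return bytes(header + data)


# --- MySQL HandshakeResponse41 --------------------------------------------
# capability flags (4) | max packet size (4) | charset (1) | 23 reserved |
# NUL-terminated username | 1-byte length | auth-response (20 bytes for
# mysql_native_password).
def parse_mysql_handshake_response(body: bytes) -> dict:
    if len(body) < 32:
        raise ValueError("HandshakeResponse41 too short")
    nul = body.index(b"\x00", 32)
    username = body[32:nul].decode("utf-8", "replace")
    pos = nul + 1
    if pos >= len(body):
        raise ValueError("no auth-response after username")
    n = body[pos]
    auth = body[pos + 1:pos + 1 + n]
    if len(auth) != n:
        raise ValueError("truncated auth-response")
    return {"username": username, "auth_response": auth}


def mysql_native_scramble(password: bytes, salt: bytes) -> bytes:
    """SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))): the 20 bytes the client sends."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(salt + hashlib.sha1(stage1).digest()).digest()
    return bytes(a ^ b for a, b in zip(stage1, stage2))


def verify_mysql_native(candidate: bytes, salt: bytes, captured: bytes) -> bool:
    """Offline check of one candidate against a captured scramble; a cracker
    repeats exactly this per guess, which is why the hash is worth logging."""
    return mysql_native_scramble(candidate, salt) == captured


def hashcat_11200_line(salt: bytes, captured: bytes) -> str:
    # Format assumed from hashcat's example-hash list for mode 11200 (MySQL CRAM).
    return f"$mysqlna${salt.hex()}*{captured.hex()}"


def build_mysql_response_sample(username: str, password: bytes, salt: bytes) -> bytes:
    """Constructed test vector; the capability flag bits are arbitrary here."""
    scramble = mysql_native_scramble(password, salt)
    return (struct.pack("<IIB", 0x000FA68D, 0x01000000, 0x21) + b"\x00" * 23
            + username.encode() + b"\x00" + bytes([len(scramble)]) + scramble)
```

The salt passed to verify_mysql_native is the full 20-byte server challenge (both halves of the scramble from the initial handshake), so a capture has to retain the server's greeting as well as the client's response for the hash to be checkable later.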