22 January 2009
I would like to talk a bit about the "encryption" of MSSQL passwords transmitted over the network.
If I am not mistaken, the first to point out this weak encryption was David Litchfield in his paper Threat Profiling Microsoft SQL Server.
This is what he writes:
Network Sniffing
When a user connects to an SQL Server and authenticates as an SQL login, as opposed to a Windows NT/2000 user, their login name and password are sent across the network wire in what is tantamount to clear text. The 'encryption' scheme used to hide the password is a simple bitwise XOR operation. The password is converted to a wide character format, or UNICODE, and each byte XOR'd with a constant fixed value of 0xA5. Of course, this is easy to work out because every second byte of the 'encrypted' password on the wire is 0xA5 and we know that the password is in UNICODE with every second byte being a NULL and when any number is XOR'd with 0 (or NULL) the result is the same: 0x41 xor 0x00 = 0x41, 0xA5 xor 0x00 = 0xA5.
This means that, provided one can run a network sniffer between the client and the SQL Server, it is a trivial task to capture someone's authentication details and unXOR it to get the original password back out. Once this has been done then of course access to the SQL Server can be gained. This is perhaps one of the reasons why Microsoft recommend using Windows NT/2000 based authentication as opposed to SQL logins; the latter is extremely weak.
For those who do not read the foreign language, in short:
The password is converted to Unicode and XORed with 0xA5.
In fact, the algorithm is slightly different:
1) In each byte, the high and low 4-bit halves are swapped
2) The resulting bytes are XORed with 0xA5
In words it is all elementary, but unfortunately, when I looked for a ready-made implementation for intercepting and decoding the password, I found nothing (or maybe I just could not find it?), so I had to investigate it myself from scratch.
As a sniffer I recommend Packetyzer:
First, it is convenient to work with.
Second, it is free and open source.
Third, it fully understands the TDS protocol (which is exactly the data we need to capture).
The first thing to do is catch the authorization packet, which is called
TDS Login Packet
Look at the packet structure.
Packetyzer conveniently shows the offset and length of every field.
We are interested in Username and Password.
So, we have obtained the user name and the obfuscated password; let us try to recover the original data using the algorithm described above, only in reverse order.
In PHP it would look something like this.
XOR the byte with 0xA5 and write the result in binary:
[PHP]
<?php
// one byte of the captured Password field (sample value for illustration)
$simbol = 0xB1;
// undo step 2: XOR with 0xA5 (165), then take the binary representation
$t = decbin($simbol ^ 165);
?>
[/PHP]
Swap the high and low halves of the byte, treating the binary string as a decimal number:
[PHP]
<?php
// $t is the binary string from the previous step, e.g. "10100" for 0x14.
// Arithmetic on it in base 10 moves the low four binary digits up and the
// high four down, which undoes step 1 (the nibble swap).
$simbol = bindec(10000 * ($t % 10000) + round($t / 10000));
?>
[/PHP]
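The obfuscation and its reversal from the two PHP snippets above, rewritten as one added Python example (not from the original post), together with the fixed 0xA5 pattern Litchfield mentions, which lets a defender recognise SQL logins sent this way; the password value is constructed.

```python
# Added example (not from the original post): the TDS7 SQL-login password
# obfuscation described above, its reversal, and the fixed-byte signature
# that makes it recognisable on the wire. The sample password is constructed.

XOR_KEY = 0xA5


def swap_nibbles(b: int) -> int:
    """Swap the high and low 4-bit halves of a byte (step 1 of the scheme)."""
    return ((b & 0x0F) << 4) | (b >> 4)


def obfuscate_password(password: str) -> bytes:
    """Client side: UTF-16LE encode, swap nibbles, then XOR every byte with 0xA5."""
    return bytes(swap_nibbles(b) ^ XOR_KEY for b in password.encode("utf-16-le"))


def recover_password(wire_bytes: bytes) -> str:
    """Reverse the two steps in the opposite order: XOR first, then swap back."""
    return bytes(swap_nibbles(b ^ XOR_KEY) for b in wire_bytes).decode("utf-16-le")


def looks_like_tds7_password(field: bytes) -> bool:
    """Defender's check: for an ASCII-only password the high byte of every
    UTF-16 code unit is 0x00, which this keyless scheme always maps to 0xA5.
    A Password field with 0xA5 in every odd position is therefore almost
    certainly an SQL login (not Windows authentication) on an unencrypted
    TDS connection, which is what the monitoring should flag."""
    if len(field) < 2 or len(field) % 2:
        return False
    return all(field[i] == XOR_KEY for i in range(1, len(field), 2))


if __name__ == "__main__":
    sample = "Admin"                        # constructed, matches the post's result
    wire = obfuscate_password(sample)
    print(wire.hex())                       # b1a5e3a573a533a543a5
    print(recover_password(wire))           # Admin
    print(looks_like_tds7_password(wire))   # True
```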
For convenience I wrote a small utility, available online here:
enter the hash into the field, click the decode button, and get what we were looking for.
It remains to write down what we found:
Name: Admn
Password: Admin