VSSCrack is a command line tool designed to crack Microsoft Visual SourceSafe passwords. I've seen at least one site on the web charge $250 for this service. Now you can do it for free!

This tool has been languishing on my hard drive for several years now and I think it's time to let it loose considering that Visual SourceSafe it getting a little outdated and less and less people are using it these days.

When writing this program I was partly inspired by a section from the book The Art of Intrusion (Kevin D. Mitnick, William L. Simon). The chapter Your Intellectual Property Isn't Safe caught my attention. A section of this chapter refers to Visual SourceSafe -- Microsoft's source control system. The passage of text that caught my interest was this:

"He found that the company was using a project-management application called Visual SourceSafe and managed to get access to the external password file, which was apparently readable by any user who had access to the system. Attacking the password file with with public domain password cracking software, it took may [sic] like a week and a half, two weeks, and I had a different password for the man'".



Visual SourceSafe (VSS) has a very weak password management system. There is one file stored within the VSS directory structure on the VSS server called um.dat (usually in the data sub-directory). This file contains all user names together with a hash of their passwords. The hashing process is poorly designed and insecure, not just due to the size of the resultant hash (2 bytes!) but also due to the extremely simple algorithm used to generate it.

Such is the weak nature of the hashing algorithm that there are literally hundreds of easily obtained passwords that result in the same hash as the real password. In other words, the hashing algorithm used is extremely prone to collisions. So just bear in mind -- the passwords that this program produces are not necessarily (and in fact are probably NOT) the actual passwords initially created by the user, but will still give you the same level of access to VSS as if you had used the same original password.

As an example, using a largish word list, my own password hash produced nearly 600 equivalent matching passwords, none of which was the true original but any of them could have been used in place of it.

If you are looking for a word list that can be used with VSSCrack there are a number of them to be found on the web. Here is just one source:

http://wordlist.sourceforge.net/

This program takes each username and hash from the VSS file and for each word in a specified word list file it hashes the word and compares it to the VSS stored hash. If they match we have found the password -- it is the word from the word list file. For those passwords not cracked by a dictionary attack I added the ability to brute-force a viable password. The dictionary attack is almost instantaneous whilst the brute force attack takes no more than 5 or 10 seconds.

All this leads me to believe that the person claiming to have cracked the VSS password in "a week and a half, two weeks" using a "public domain password cracker" is either not telling the truth or someone is intentionally misleading people. To the best of my knowledge there is no other such public domain VSS password cracker and if there was it would certainly not take a week or two to crack the passwords. Even then, there is a high probability that the obtained password is not the actual password used to create the hash.


How to use it


Operation of the program is quite straightforward and the syntax is shown below. This syntax will be shown when you simply type VSSCrack or VSSCrack -?. Explanations of the various options are shown here.

-?
  • Shows the program syntax
-a
  • Shows all word matches for each user in the VSS file. Since the hashing algorithm used is very poor there can be multiple passwords for each user. If this option is not included it defaults to showing just the first matching hash password.
-b
  • Brute force attack only. Word list files won't be used. Instead the program attempts to brute-force each hash. Matching passwords can usually be found in a few seconds.
-o
  • Sends the output to the given file, overwriting any existing contents.
-O
  • Sends the output to the given file, appending to any existing contents.
-p
  • This specifies the path to the VSS username/password file, normally called um.dat. This can usually be found off the root of the VSS tree directory in the data sub-directory.
-r
  • Given a specific user name from the VSS file, this option will reset the password to the one provided.
-u
  • If you only want to try to find the password for a single user from the list in the VSS file use this option. By default the program will attempt to crack the passwords for every user.
-v
  • Verbose mode. Shows some additional information during processing.


Command line syntax


VSSCrack 1.00 - Robin Keir - 2007 - http://keir.net

VSSCrack [-?aboOpruv] [...]

-? - Shows this help text
-a - Show all matching word list passwords (default only shows first)
-b - Brute force attack only (don't use word list files)
-o - Output file (overwrite)
-O - Output file (append)
-p - Path to VSS password file (um.dat)
-r - Reset the user's password to the given value
-u - Only process this user
-v - Verbose mode


Any number of word list filenames can be specified and wildcards can be used to specify multiple files.

Examples:

VSSCrack -p um.dat wordlist.txt
VSSCrack -p um.dat -v C:\WordLists\*.txt
VSSCrack -p um.dat -u admin wordlist.txt
VSSCrack -p um.dat -u admin -a wordlist.txt -o results.txt
VSSCrack -p um.dat -b



Version 1.00
  • Initial release