Using Python to authenticate against raw username, hash, salt in DB created by ASP.NET roles/membership

时光说笑 2021-02-04 18:13

We have a current application where user login credentials are stored in a SQL Server DB. These are, basically, stored as a plain text username, a password hash, and an associa

2 answers
  •  南旧
    南旧 (original poster)
    2021-02-04 18:53

    Two thoughts as to what could be going wrong.

    First, the code from the reflection has three paths:

    • If passwordFormat is 0 it returns the password as is.
    • If passwordFormat is 1 it creates the hash as your python code does.
    • If passwordFormat is anything other than 0 or 1 it calls this.EncryptPassword()

    How do you know you are hashing the password, and not encrypting the password with this.EncryptPassword()? You may need to reverse the EncryptPassword() member function and replicate that. That is unless you have some information which ensures that you are hashing the password and not encrypting it.

    Second, if it is indeed hashing the password, you may want to see what the Encoding.Unicode.GetBytes() function returns for the string "password", as you may be getting something back like:

    0x00 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 0x77 0x00 0x6F 0x00 0x72 0x00 0x64
    

    instead of:

    0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64
    

    I hope this helps.
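
The two checks from the answer above, as an added Python example that is not part of the original post or the asker's code. It assumes the common SqlMembershipProvider layout (base64 salt column, SHA-1 over salt followed by the password bytes, base64 result); the function names and the sample row are constructed for illustration.

```python
import base64
import hashlib
import hmac

# PasswordFormat values, following the three paths listed in the answer.
CLEAR, HASHED = 0, 1


def encode_password(password, salt_b64, password_format, encoding="utf-16-le"):
    """Recompute the stored value for the clear (0) and hashed (1) formats."""
    if password_format == CLEAR:
        return password
    if password_format != HASHED:
        # Anything else went through EncryptPassword(): no hash to recompute.
        raise ValueError("password is encrypted, not hashed")
    salt = base64.b64decode(salt_b64)      # assumption: salt column is base64
    pw_bytes = password.encode(encoding)   # Encoding.Unicode is UTF-16LE, no BOM
    digest = hashlib.sha1(salt + pw_bytes).digest()  # assumption: SHA-1, salt first
    return base64.b64encode(digest).decode("ascii")


def verify(password, salt_b64, stored, password_format):
    """Constant-time comparison of the recomputed value with the stored one."""
    candidate = encode_password(password, salt_b64, password_format)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def matching_encoding(password, salt_b64, stored):
    """For a known test account, report which text encoding reproduces the hash."""
    for enc in ("utf-16-le", "utf-16-be", "utf-8"):
        if encode_password(password, salt_b64, HASHED, enc) == stored:
            return enc
    return None


# Constructed sample row (not real data): 16-byte salt, password "password".
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_HASH = encode_password("password", SAMPLE_SALT, HASHED)

if __name__ == "__main__":
    print("UTF-16LE bytes:", "password".encode("utf-16-le").hex())
    print("verify:", verify("password", SAMPLE_SALT, SAMPLE_HASH, HASHED))
    print("encoding:", matching_encoding("password", SAMPLE_SALT, SAMPLE_HASH))
```

Running `matching_encoding` against one account whose password is known shows whether a mismatch comes from the text encoding or from the row not being in the hashed format at all.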
