Access
Dan Tobias (Talk | contribs) (→See Also) |
Dan Tobias (Talk | contribs) (→General Tools) |
||
Line 115: | Line 115: | ||
* [https://github.com/brianb/mdbtools Brian Bruns GutHub.com mdbtools] | * [https://github.com/brianb/mdbtools Brian Bruns GutHub.com mdbtools] | ||
+ | * [https://github.com/exponential-decay/MDBValidator MDBValidator: Tool to read and output the statistics of a Microsoft Access Database] | ||
== Password Tools == | == Password Tools == |
Revision as of 12:42, 6 May 2014
Access released by Microsoft also known as Jet DB is a standalone database that forms part of the Microsoft Office Suite of productivity tools. It was first released in 1992.
Access databases are composed of multiple page types. The length of these pages depends on the version of the Jet Database employed by the specific version of Microsoft Access. The first page of Access 95/97 and Access 2000/2003 databases is always a Database Definition Page.
Contents |
Microsoft Access 95/97 - Jet 3 Database
Microsoft Access 95/97 utilizes the Jet3 database engine. The page size of the Jet3 database engine is 2048 bytes.
Microsoft Access 2000/2002 - Jet 4 Database
Microsoft Access 2000/2003 utilizes the Jet 4 database engine. The page size of the Jet4 database engine is 4096 bytes.
Internal structure of the format
The Jet DB version can be found in the file header by reading the 4 byte little-endian integer at offset 0x13. Jet3 databases have a value of 0. Jet 4 databases have a value of 1.
The version and build number of Microsoft Access used to create the file is stored in the format. These two values are stored within a LVAL Data Page and deeper into that structure a LvProp column - part of the MSysObjects table. It is possible to extract this information from here alone, the complete MSysObject table definition is always the second page of the database (zero-based index).
The block of data at offset 0x18 running for 126 bytes (Jet 3) and 128+ bytes (Jet 4) represents RC4 encrypted data. It is thought this uses the key: 0x6b39dac7.
Database Password
Note: The information under this section should only be used by owners and custodians of databases where the password has been misplaced or lost and not for any illegal or illegitimate premises.
Among other techniques Jet Databases employ a simple database password. The password field is 0x42 bytes into the file. Jet 3 database password fields are 20 bytes in length, Jet 4 are 40 bytes in length.
Jet 3 Password
XOR-ing the byte string running from 0x42 to 0x56 in a non-password protected database with that of a password protected database will reveal the password in plain text.
Studying the Maxsoft tool under Password Tools will help users to understand how Access databases are protected.
Jet 4 Password
The Jet 4 password can be revealed similarly by XOR-ing the byte string running from 0x42 to 0x68. If after the XOR operation if you haven't an ASCII character, that is, you have a value greater than 0xFF you need to XOR that value again with a further key value (byte) at offset 0x54.
Studying the Maxsoft tool under Password Tools will help users to understand how Access databases are protected.
Jet DB and Access Build Numbers
The following table shows that the version of the Jet Database format remained fairly consistent between versions of Access:
Client Application Jet Engine Used Recommended Jet DB Format ------------------------- --------------- ------------------------- Access 2.0 Jet 2.0 Jet 2.0 Access 95 Jet 3.0 Jet 3.0 Access 97 Jet 3.5 Jet 3.0 Access 2000 Jet 4.0 Jet 4.0 Access 2002 Jet 4.0 Jet 4.0
The controller used to read and write the format by Access versions did change. The version of Access and its build number can help us to understand the version of the DLL used to interact with the format. The version and build number is embedded in the MDB objects (as described as part of its internal structure above) so can be easily extracted. Build numbers and DLL versions are described below (KB Article 248710 and KB Article 255275 and KB Article 291331):
Version File Version Patches -------------- ------------ ------- Access 95 7.0 Unknown Access 97 8.0.3512 n/a Access 97 SR-1 8.0.4122 n/a Access 97 SR-2 8.0.5903 SR-1 Access 2000 9.0.2720 Access 2000 9.0.3821 SR-1 Access 2000 9.0.4402 SR-1 Access 2000 9.0.6926 SP-3 Access 2002 10.0.2627.1 Access 2002 10.0.3409.0 SP-1 Access 2002 10.0.4302.0 SP-2 Access 2002 10.0.6501.0 SP-3
Access Version linked with MSJet35.dll (KB Article 248710):
Version DLL Version ------- ----------- Access 97 3.50.3428.0 Access 97 SR-1 3.50.3907.5 Access 97 SR-2 and Jet35Upd.exe (3rd rel) 3.51.2026.0
The following table from KB Article 178880 describes backward compatibility between Jet DB engines and MDB version:
---------------------------------------------- Jet Version 1.0 1.1 2.0 2.5 3.0 3.5 ---------------------------------------------- MDB Version ----------- 1.0 Y Y Y Y Y Y 1.1 N Y Y Y Y Y 2.0 N N Y Y Y Y 3.0 N N N N Y Y
Note: See the KB Article for information on all DLL updates.
Specifications
A formal specification from Microsoft has not been made available. The following links are attempts by third parties to reverse engineer and document the format:
Sample Files
General Tools
- Brian Bruns GutHub.com mdbtools
- MDBValidator: Tool to read and output the statistics of a Microsoft Access Database
Password Tools
- Planet Source Code - Access Database Password Viewer
- Planet Source Code - Maxsoft Access Password Viewer
References
- Wikipedia:Microsoft_Access
- Reverse engineered documentation used by mdbtools on GitHub
- Database definition and encryption key documentation
- EverythingAccess.com Jet MDB Security - Under The Hood
See Also
- Wikipedia:Microsoft_Jet_Database_Engine
- Developer resource discussing DLL versions and sample code to retrieve Access version
- Site collating version and build numbers from XP through to 2010
- Wikibooks Jet Database/Manipulation tools
- WebCheatSheet.com Microsoft Access Specifications and Limitations
- PC Welt Germany discussing vulnerabilities in Microsoft Money 99 which is built on Jet DB 3.0
- MDB Password View Tutorial
- PRONOM Google Group Discussion about the distinction between Access versions in the PRONOM registry
- ODBC Setup for Access and SQL Server