PaulDotCom mailing list archives
Re: extracting password hashes from MSSQL 2005/8
From: David Porcello <DPorcello () vermontmutual com>
Date: Thu, 14 Oct 2010 11:05:50 -0400
Try this:

SELECT password_hash FROM sys.sql_logins where name='sa'

Result is similar to previous, but "Uppercase_SHA1_hash" is no longer included in 2005:

0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin Wood
Sent: Thursday, October 14, 2010 10:26 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] extracting password hashes from MSSQL 2005/8

On 14 October 2010 15:07, David Porcello <DPorcello () vermontmutual com> wrote:
Robin, do they look like this?

0x01005C7E511B9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DFF1D0F4509ECABA9C52D13BB04678C81CF7663D34

If so, I've cracked these with Cain (Cracker -> MSSQL) by parsing as follows:

Header(6_chars)  Salt(8_chars)  Case_Sensitive_SHA1_hash                  Uppercase_SHA1_hash
0x0100           5C7E511B       9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF  F1D0F4509ECABA9C52D13BB04678C81CF7663D34

These are also crackable by SQLBF:

sqlbf -d <passlist.txt> -u <file containing usernames,binary values - 1 per line, comma separated>

Hope this helps!
d.
It isn't cracking them that I'm stuck on; it is the actual extraction that is the problem. If you just do a select then all you get is a line of empty square boxes, implying it is trying to create an ASCII character out of a value that isn't in the normal range. This seems reasonable as the field type, from a quick check, was a varchar or nvarchar. I need to be able to convert that varchar value from a binary lump to the hex value you have above.

Robin
-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin Wood
Sent: Thursday, October 14, 2010 9:39 AM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] extracting password hashes from MSSQL 2005/8

Hi

I don't have much time to google at the moment and a friend asked me about cracking MSSQL 2005/8 password hashes. I know that JTR can do them and that they are stored in master.dbo.syslogins, but when I had a quick go at extracting them with a select they were stored as binary. Is there an easy way to pull them out into the form that JTR needs?

I'll get round to looking at it at some point if no one knows but for now googling hasn't returned anything and no time to try to solve it myself.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
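An added example (not code from the thread or its participants): a Python parser that splits a password_hash value into the fields David lists, accepting either the raw bytes that a client renders as unprintable boxes or the hex text, and reporting whether the extra uppercase digest is present. The function and field names are hypothetical; the sample values are the ones quoted in the thread.

```python
import binascii
import re

HEADER = "0100"   # header shown in the thread (printed there as 0x0100)
SALT_LEN = 8      # hex characters, per the thread
SHA1_LEN = 40     # hex characters in one SHA-1 digest

def to_hex(value):
    """Normalise raw bytes or a hex string (optional 0x, spaces) to upper-case hex."""
    if isinstance(value, (bytes, bytearray)):
        return binascii.hexlify(bytes(value)).decode("ascii").upper()
    text = re.sub(r"\s+", "", value)
    if text[:2].lower() == "0x":
        text = text[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]*", text) or len(text) % 2:
        raise ValueError("not a hex string")
    return text.upper()

def parse_login_hash(value):
    """Split a password_hash value into the fields listed in the thread."""
    text = to_hex(value)
    if not text.startswith(HEADER):
        raise ValueError("unexpected header: " + text[:4])
    body = text[len(HEADER):]
    salt, rest = body[:SALT_LEN], body[SALT_LEN:]
    # One digest (the 2005 form in the reply) or two (the longer form quoted first).
    if len(salt) != SALT_LEN or len(rest) not in (SHA1_LEN, 2 * SHA1_LEN):
        raise ValueError("unexpected length: %d hex chars" % len(text))
    upper = rest[SHA1_LEN:] or None
    return {
        "header": "0x" + HEADER,
        "salt": salt,
        "case_sensitive_sha1": rest[:SHA1_LEN],
        "uppercase_sha1": upper,
        "has_uppercase_hash": upper is not None,
    }

# Sample values copied from the thread; the second is the spaced form from the reply.
LONG_FORM = "0x01005C7E511B9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DFF1D0F4509ECABA9C52D13BB04678C81CF7663D34"
SHORT_FORM = "0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF"

if __name__ == "__main__":
    raw = bytes.fromhex(SHORT_FORM[2:].replace(" ", ""))  # the "binary lump" form
    for sample in (LONG_FORM, SHORT_FORM, raw):
        print(parse_login_hash(sample))
```
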
Current thread:
- extracting password hashes from MSSQL 2005/8 Robin Wood (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 David Porcello (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 Robin Wood (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 David Porcello (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 Robin Wood (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 Josh Little (Oct 15)
- Re: extracting password hashes from MSSQL 2005/8 Robin Wood (Oct 14)
- Re: extracting password hashes from MSSQL 2005/8 David Porcello (Oct 14)