Penetration Testing mailing list archives

Re: SQL passwords


From: Yannick Hamon <yannick.hamon () xmcopartners com>
Date: Tue, 27 Oct 2009 20:04:46 +0100

Hi,

1°) You can try the free software IMA "Identity Management Auditor" (beta release v0.2) :
http://www.xmcopartners.com/ima/

It supports SQL and Windows authentication for SQL SERVER 2000/2005/2008.
It will retrieve MS SQL password hashes and then you have 2 choices:

* crack trivial passwords (login=password, null password or dictionary)
* bruteforce cracking with the embedded external cracking tool (John The Ripper).


2°) You can also try Cain&Abel (free)
http://www.oxid.it/cain.html

It can do the same with an ODBC driver. However, Cain&Abel supports dictionary, bruteforce or rainbow tables cracking mode.


Best Regards,
--
Yannick Hamon - Xmco Partners
Security Consultant / Penetration Testing
Web  : http://www.xmcopartners.com
11 bis rue de Beaujolais 75001 PARIS

On 27 Oct 2009 at 14:38, pma111 wrote:


Hi All,

Are there any penetration testing / commercial cracking tools on the market, or freebies, where we could export the password hashes directly from our SQL tables (sys.syslogins) and crack the passwords offline, so as not to affect our live servers? Any pointers would be great.

Thanks
--
View this message in context: http://www.nabble.com/SQL-passwords-tp26077906p26077906.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


