Penetration Testing mailing list archives
Re: SQL passwords
From: pma111 <pmaneedham () hotmail com>
Date: Tue, 3 Nov 2009 01:40:23 -0800 (PST)
Martin Rublik wrote:
> pma111 wrote:
> > Hi All,
> >
> > Are there any penetration testing / commercial cracking tools on the market, or freebies, where we could export the password hashes directly from our SQL tables (sys.syslogins) and crack the passwords offline, so not to affect our live servers?
> >
> > Any pointers would be great.
> >
> > Thanks
>
> Cain & Abel is able to crack SQL passwords offline. It even dumps them from MS SQL 2005 database using ODBC. For 2008 MS SQL you need to dump them manually. E.g.
>
>     SELECT name AS UserName,
>            CAST([password] AS VARBINARY(MAX)) AS EncryptedPass,
>            CAST(SUBSTRING([password],2,2) AS VARBINARY(MAX)) AS Salt,
>            CAST(SUBSTRING([password],4,LEN([password])-3) AS VARBINARY(MAX)) AS MixCaseHash
>     FROM master.dbo.syslogins
>     WHERE [password] IS NOT NULL
>
> and then use Cain.
>
> It looks like SQL server 2008 doesn't store uppercase hash anymore so mixcase has to be enough for offline attacks.
>
> Regards
> Martin
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------

Thanks Martin for the query, I used sys.sql_logins though for my 2005 hash after some pointer from the oxid forums.

I have selected a brute force attack / mixcase hash, and used the larger charset. Any ideas on the worst case how long it will take to crack the passwords? Weeks?

Regards

--
View this message in context: http://old.nabble.com/SQL-passwords-tp26077906p26160039.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
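
The layout Martin's query splits apart (2-byte header, 4-byte salt, 20-byte mixed-case hash) can also be checked offline against a deny-list of banned passwords, as a password-policy audit that never touches the live server. This is an added example, not part of the original thread; it assumes the publicly documented SQL Server 2005 scheme (SHA-1 over the UTF-16LE password followed by the salt), and the function names and sample logins are constructed for illustration.

```python
import hashlib

HEADER = bytes.fromhex("0100")  # version marker at the start of the stored value


def parse_login_hash(hex_value):
    """Split an exported hash into salt, mixed-case hash and optional uppercase hash."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if raw[:2] != HEADER:
        raise ValueError("unsupported hash version: 0x" + raw[:2].hex())
    body = raw[6:]
    if len(body) not in (20, 40):  # 40 = a second, uppercase digest is also present
        raise ValueError("unexpected hash length: %d bytes" % len(body))
    return {"salt": raw[2:6], "mixcase": body[:20], "upper": body[20:] or None}


def candidate_matches(fields, candidate):
    """Assumption (not stated in the thread): hash = SHA-1(UTF-16LE(password) + salt)."""
    digest = hashlib.sha1(candidate.encode("utf-16-le") + fields["salt"]).digest()
    return digest == fields["mixcase"]


def audit(logins, denylist):
    """Return {login: banned password} for logins whose hash matches a deny-list entry."""
    findings = {}
    for name, hex_value in logins.items():
        fields = parse_login_hash(hex_value)
        for candidate in denylist:
            if candidate_matches(fields, candidate):
                findings[name] = candidate
                break
    return findings


def make_sample(password, salt):
    """Build a constructed sample value in the same layout (not real data)."""
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return "0x" + (HEADER + salt + digest).hex().upper()


# Constructed sample rows; no real hashes are used.
SAMPLE_LOGINS = {
    "app_reader": make_sample("Password1", bytes.fromhex("a1b2c3d4")),
    "etl_user": make_sample("k7#Vq!w2Zp@9xL", bytes.fromhex("0f1e2d3c")),
}
```

Calling audit(SAMPLE_LOGINS, ["password", "Password1", "sa"]) flags only app_reader; the comparison is case-sensitive because only the mixed-case hash is checked.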