Penetration Testing mailing list archives

Re: SQL passwords


From: Martin Rublik <martin.rublik () gmail com>
Date: Thu, 5 Nov 2009 10:52:53 +0100

> Thanks Martin for the query, I used sys.sql_logins though for my 2005 hash
> after some pointer from the oxid forums. I have selected a brute force
> attack / mixcase hash, and used the larger charset. Any ideas on the worst
> case how long it will take to crack the passwords? Weeks?

Well, if you use 2005 SQL Server, it would definitely be faster to
attack an uppercase hash. The complexity will reduce significantly.
For example, if you have an n-character password, then there are 2^n
possibilities for the mixcase password for every uppercase password.

As for the worst case, it is quite simple: it depends on how many
characters you will use :). If you use Cain for password cracking, it
will show you how much time is remaining.

Best regards

Martin Rublik
