Penetration Testing mailing list archives
Re: SQL passwords
From: Martin Rublik <martin.rublik () gmail com>
Date: Thu, 5 Nov 2009 10:52:53 +0100
> Thanks Martin for the query, I used sys.sql_logins though for my 2005 hash after some pointer from the oxid forums. I have selected a brute force attack / mixcase hash, and used the larger charset. Any ideas on the worst case how long it will take to crack the passwords? Weeks?
Well, if you use 2005 SQL Server, it would definitely be faster to attack an uppercase hash. The complexity will reduce significantly. For example, if you have an n-character password, then there are 2^n possibilities for the mixcase password for every uppercase password.

As for the worst case, it is quite simple: it depends on how many characters you will use :). If you use Cain for password cracking, it will show you how much time is remaining.

Best regards
Martin Rublik