Penetration Testing mailing list archives

Re: SQL passwords

From: Wasim Halani <wasimhalani () gmail com>
Date: Wed, 28 Oct 2009 11:21:39 +0530

Hi,

Cain (http://www.oxid.it/) allows you to import accounts from a SQL
database and crack it offline.
You would have to make DSN connection to the SQL server.
Once that's done, goto the 'Cracker' tab of Cain and select 'MSSQL Hashes'
Add a new entry, and select the option to 'Dump hashes from database
server using ODBC'
Select the previously configured DSN connection, Cain would then
import your accounts and it's hashes. From here the standard Cain
options for cracking can be used.

Regards,
---
Wasim Halani
Security Analyst
Network Intelligence (India) Pvt. Ltd.
http://www.niiconsulting.com/

----------
To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali
(p.b.u.h.)


On Tue, Oct 27, 2009 at 7:08 PM, pma111 <pmaneedham () hotmail com> wrote:


Hi All,

Are there any penetration testing / commercial cracking tools on the market,
or freebies, where we could export the password hashes directly from our SQL
tables (sys.syslogins) and crack the passwords offline, so not to affect our
live servers? Any pointers would be great.

Thanks
--
View this message in context: http://www.nabble.com/SQL-passwords-tp26077906p26077906.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

SQL passwords pma111 (Oct 27)
- Re: SQL passwords Yannick Hamon (Oct 28)
- RE: SQL passwords Paul Melson (Oct 28)
- Re: SQL passwords Nikhil Wagholikar (Oct 28)
- Re: SQL passwords Wasim Halani (Oct 28)
- Re: SQL passwords Martin Rublik (Oct 28)
- <Possible follow-ups>
- RE: SQL passwords DUSTIN.TANNER (Oct 28)
- Re: SQL passwords Elizabeth Greene (Oct 28)
- RE: SQL passwords Security Email (Oct 28)