Penetration Testing mailing list archives

Re: SQL passwords

From: Martin Rublik <martin.rublik () gmail com>
Date: Wed, 28 Oct 2009 11:09:21 +0100

pma111 wrote:

Hi All,

Are there any penetration testing / commercial cracking tools on the market,
or freebies, where we could export the password hashes directly from our SQL
tables (sys.syslogins) and crack the passwords offline, so not to affect our
live servers? Any pointers would be great.

Thanks



Cain & Abel is able to crack SQL passwords offline. It even dumps them from MS
SQL 2005 database using ODBC. For 2008 MS SQL you need to dump them manually. E.g.

SELECT

name AS UserName,
CAST([password] AS VARBINARY(MAX)) AS EncryptedPass,
CAST(SUBSTRING([password],2,2) AS VARBINARY(MAX)) AS Salt,
CAST(SUBSTRING([password],4,LEN([password])-3) AS VARBINARY(MAX)) AS MixCaseHash

FROM master.dbo.syslogins
WHERE [password] IS NOT NULL

and then use Cain. It looks like SQL server 2008 doesn't store uppercase hash
anymore so mixcase has to be enough for offline attacks.

Regards

Martin





------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

SQL passwords pma111 (Oct 27)
- Re: SQL passwords Yannick Hamon (Oct 28)
- RE: SQL passwords Paul Melson (Oct 28)
- Re: SQL passwords Nikhil Wagholikar (Oct 28)
- Re: SQL passwords Wasim Halani (Oct 28)
- Re: SQL passwords Martin Rublik (Oct 28)
- <Possible follow-ups>
- RE: SQL passwords DUSTIN.TANNER (Oct 28)
- Re: SQL passwords Elizabeth Greene (Oct 28)
- RE: SQL passwords Security Email (Oct 28)