SQL passwords

Hi All,

Are there any penetration testing / commercial cracking tools on the market, or freebies, where we could export the password hashes directly from our SQL tables (sys.syslogins) and crack the passwords offline, so not to affect our live servers? Any pointers would be great.

Thanks
Re: SQL passwords

Hi,

1°) You can try the free software IMA "Identity Management Auditor" (beta release v0.2): http://www.xmcopartners.com/ima/

It supports SQL and Windows authentication for SQL SERVER 2000/2005/2008. It will retrieve MS SQL password hashes and then you have 2 choices:

* crack trivial passwords (login=password, null password or dictionary)
* bruteforce cracking with the embedded external cracking tool (John The Ripper).

2°) You can also try Cain&Abel (free): http://www.oxid.it/cain.html

It can do the same with an ODBC driver. However, Cain&Abel supports dictionary, bruteforce or rainbow tables cracking modes.

Best Regards,
--
Yannick Hamon - Xmco Partners
Security Consultant / Penetration Testing
Web: http://www.xmcopartners.com
11 bis rue de Beaujolais 75001 PARIS

On 27 Oct 2009 at 14:38, pma111 wrote:

> Hi All,
>
> Are there any penetration testing / commercial cracking tools on the market,
> or freebies, where we could export the password hashes directly from our SQL
> tables (sys.syslogins) and crack the passwords offline, so not to affect our
> live servers? Any pointers would be great.
>
> Thanks

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
RE: SQL passwords

> Are there any penetration testing / commercial cracking tools on the market, or
> freebies, where we could export the password hashes directly from our SQL tables
> (sys.syslogins) and crack the passwords offline, so not to affect our live servers? Any
> pointers would be great.

David Litchfield wrote a paper on this very topic which includes source for a cracker: http://www.ngssoftware.com/papers/cracking-sql-passwords.pdf

If I'm not mistaken, you can also build John The Ripper with mssql05 support and use that to crack the hashes also.

PaulM
Re: SQL passwords

Hello Pmaneedham,

One of the tools for offline SQL password hash cracking that comes to my mind quickly is 'Cain and Abel'.

More Info: http://www.oxid.it/cain.html

---
Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
Network Intelligence India Pvt. Ltd. [NII Consulting]
Web: http://www.niiconsulting.com/
Comprehensive Information Security Training
http://iisecurity.in/courses/Training Calendar.html
Re: SQL passwords

Hi,

Cain (http://www.oxid.it/) allows you to import accounts from a SQL database and crack them offline.

You would have to make a DSN connection to the SQL server. Once that's done, go to the 'Cracker' tab of Cain and select 'MSSQL Hashes'. Add a new entry, and select the option to 'Dump hashes from database server using ODBC'. Select the previously configured DSN connection; Cain would then import your accounts and their hashes.

From here the standard Cain options for cracking can be used.

Regards,
---
Wasim Halani
Security Analyst
Network Intelligence (India) Pvt. Ltd.
http://www.niiconsulting.com/
----------
To keep silent when you can say something wise and useful is as bad as keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)
Re: SQL passwords

pma111 wrote:
> Hi All,
>
> Are there any penetration testing / commercial cracking tools on the market,
> or freebies, where we could export the password hashes directly from our SQL
> tables (sys.syslogins) and crack the passwords offline, so not to affect our
> live servers? Any pointers would be great.
>
> Thanks

Cain & Abel is able to crack SQL passwords offline. It even dumps them from an MS SQL 2005 database using ODBC. For MS SQL 2008 you need to dump them manually. E.g.

    -- Split the stored password value into its salt and mixed-case hash parts
    SELECT name AS UserName,
           CAST([password] AS VARBINARY(MAX)) AS EncryptedPass,
           CAST(SUBSTRING([password],2,2) AS VARBINARY(MAX)) AS Salt,
           CAST(SUBSTRING([password],4,LEN([password])-3) AS VARBINARY(MAX)) AS MixCaseHash
    FROM master.dbo.syslogins
    WHERE [password] IS NOT NULL

and then use Cain. It looks like SQL Server 2008 doesn't store the uppercase hash anymore, so mixcase has to be enough for offline attacks.

Regards
Martin
Re: SQL passwords

According to your query, Secure Auditor seems like a viable solution. It fetches hashes automatically for SQL 2000, 2005 & 2008, which you can dictionary attack or brute force to crack.

http://www.secure-bytes.com/register.php

JB
Re: SQL passwords

Thanks Martin for the query, I used sys.sql_logins though for my 2005 hash after some pointers from the oxid forums. I have selected a brute force attack / mixcase hash, and used the larger charset. Any ideas on the worst case how long it will take to crack the passwords? Weeks?

Regards
Re: SQL passwords

> Thanks Martin for the query, I used sys.sql_logins though for my 2005 hash
> after some pointer from the oxid forums. I have selected a brute force
> attack / mixcase hash, and used the larger charset. Any ideas on the worst
> case how long it will take to crack the passwords? Weeks?

Well, if you use SQL Server 2005 it would definitely be faster to attack an uppercase hash. The complexity will reduce significantly. For example, if you have an n-character password then there are 2^n possibilities for the mixcase password for every uppercase password.

As for the worst case it is quite simple, it depends on how many characters you will use :). If you use Cain for password cracking it will show you how much time is remaining.

Best regards
Martin Rublik
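Added example, not part of the thread or any poster's code: a small audit script that splits a stored hash into the fields Martin's query selects (header, salt, mixed-case hash), reports whether an extra uppercase hash is present, and flags the trivial cases Yannick lists (blank password, login=password). It assumes the 0x0100 layout of a 2-byte header, 4-byte salt and 20-byte SHA-1 digests computed over the UTF-16LE password followed by the salt; the function names are hypothetical and the sample rows are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MssqlHash:
    header: bytes               # 2-byte version marker (0x0100 assumed here)
    salt: bytes                 # 4-byte salt
    mixcase: bytes              # SHA-1 over the password as typed
    uppercase: Optional[bytes]  # SHA-1 over the upper-cased password, if stored

def parse_hash(hex_value: str) -> MssqlHash:
    """Split a hex-encoded hash into header, salt and digest fields."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if raw[:2] != b"\x01\x00":
        raise ValueError("not a 0x0100 hash")
    body = raw[6:]
    if len(body) == 20:
        return MssqlHash(raw[:2], raw[2:6], body, None)
    if len(body) == 40:
        return MssqlHash(raw[:2], raw[2:6], body[:20], body[20:])
    raise ValueError("unexpected hash length")

def digest(password: str, salt: bytes) -> bytes:
    # Assumption: SHA-1 over the UTF-16LE password followed by the salt
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()

def audit_login(name: str, hex_value: str) -> List[str]:
    """Return audit findings for one login row."""
    h = parse_hash(hex_value)
    findings = []
    if h.uppercase is not None:
        findings.append("uppercase hash stored")
    for label, guess in (("blank password", ""), ("password equals login", name)):
        if digest(guess, h.salt) == h.mixcase:
            findings.append(label)
    return findings

def make_sample(password: str, salt: bytes, with_upper: bool) -> str:
    # Builds constructed sample rows for the demo; not taken from any server
    blob = b"\x01\x00" + salt + digest(password, salt)
    if with_upper:
        blob += digest(password.upper(), salt)
    return "0x" + blob.hex().upper()

if __name__ == "__main__":
    rows = [("appsvc", make_sample("appsvc", bytes.fromhex("1a2b3c4d"), False)),
            ("report", make_sample("Xk9#vT2q", bytes.fromhex("0badf00d"), True))]
    for name, value in rows:
        print(name, audit_login(name, value) or "no trivial findings")
```
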