Try this: SELECT password_hash FROM sys.sql_logins where name='sa'

Result is similar to previous, but "Uppercase_SHA1_hash" is no longer included in 2005:

0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Robin Wood
Sent: Thursday, October 14, 2010 10:26 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] extracting password hashes from MSSQL 2005/8

On 14 October 2010 15:07, David Porcello <[email protected]> wrote:
> Robin, do they look like this?
>
> 0x01005C7E511B9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DFF1D0F4509ECABA9C52D13BB04678C81CF7663D34
>
> If so, I've cracked these with Cain (Cracker -> MSSQL) by parsing as follows:
>
> Header(6_chars) Salt(8_chars) Case_Sensitive_SHA1_hash Uppercase_SHA1_hash
>
> 0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF F1D0F4509ECABA9C52D13BB04678C81CF7663D34
>
> These are also crackable by SQLBF:
>
> sqlbf -d <passlist.txt> -u <file containing usernames,binary values - 1 per line, comma separated>
>
> Hope this helps!
> d.

It isn't cracking them that I'm stuck on, it is the actual extraction that is the problem. If you just do a select then all you get is a line of empty square boxes implying it is trying to create an ASCII character out of a value that isn't in the normal range. This seems reasonable as the field type, from a quick check, was a varchar or nvarchar.

I need to be able to convert that varchar value from a binary lump to the hex value you have above.

Robin

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Robin Wood
> Sent: Thursday, October 14, 2010 9:39 AM
> To: PaulDotCom Mailing List
> Subject: [Pauldotcom] extracting password hashes from MSSQL 2005/8
>
> Hi
> I don't have much time to google at the moment and a friend asked me
> about cracking MSSQL 2005/8 password hashes. I know that JTR can do
> them and they are stored in master.dbo.syslogins but when I had a
> quick go at extracting them with a select they were stored as binary.
> Is there an easy way to pull them out into the form that JTR needs?
>
> I'll get round to looking at it at some point if no one knows but for
> now googling hasn't returned anything and no time to try to solve it
> myself.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
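
Added example, not part of the original thread: a small Python parser that splits a `password_hash` value into the fields named above and accepts either the hex text or the raw binary value that shows up as unprintable characters when rendered as text. The names `MssqlHash` and `parse_mssql_hash` are hypothetical, and telling the two layouts apart by length is an assumption based on the field widths given in the thread.

```python
import string
from typing import NamedTuple, Optional, Union

HEADER = "0100"   # version bytes; with the "0x" prefix this is Header(6_chars)
SALT_LEN = 8      # Salt(8_chars): 4 bytes as hex
SHA1_LEN = 40     # one SHA-1 digest: 20 bytes as hex


class MssqlHash(NamedTuple):
    header: str
    salt: str
    case_sensitive_sha1: str
    uppercase_sha1: Optional[str]  # None when the value has no second digest


def parse_mssql_hash(value: Union[bytes, bytearray, str]) -> MssqlHash:
    """Split a password_hash value into the fields named in the thread."""
    if isinstance(value, (bytes, bytearray)):
        # Raw binary column value: hex-encode it rather than decoding as text.
        text = bytes(value).hex()
    else:
        text = "".join(value.split())  # tolerate the spaced-out form
        if text[:2].lower() == "0x":
            text = text[2:]
    text = text.upper()
    if not text or any(c not in string.hexdigits for c in text):
        raise ValueError("value is not hexadecimal")
    if not text.startswith(HEADER):
        raise ValueError("unexpected header, expected 0x" + HEADER)
    body = text[len(HEADER):]
    if len(body) == SALT_LEN + SHA1_LEN:
        upper = None
    elif len(body) == SALT_LEN + 2 * SHA1_LEN:
        upper = body[SALT_LEN + SHA1_LEN:]
    else:
        raise ValueError("unexpected length: %d hex chars" % len(text))
    return MssqlHash("0x" + HEADER, body[:SALT_LEN],
                     body[SALT_LEN:SALT_LEN + SHA1_LEN], upper)


if __name__ == "__main__":
    # Sample values are the ones quoted in the thread.
    short = "0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF"
    long_ = short + " F1D0F4509ECABA9C52D13BB04678C81CF7663D34"
    for sample in (short, long_, bytes.fromhex(short[2:].replace(" ", ""))):
        print(parse_mssql_hash(sample))
```
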
