On 14 October 2010 16:05, David Porcello <[email protected]> wrote:
> Try this:
>
> SELECT password_hash FROM sys.sql_logins where name='sa'

That got it, thanks. I was looking in the wrong table.

Robin

>
> Result is similar to previous, but "Uppercase_SHA1_hash" is no longer
> included in 2005:
>
> 0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Robin Wood
> Sent: Thursday, October 14, 2010 10:26 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] extracting password hashes from MSSQL 2005/8
>
> On 14 October 2010 15:07, David Porcello <[email protected]> wrote:
>> Robin, do they look like this?
>>
>> 0x01005C7E511B9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DFF1D0F4509ECABA9C52D13BB04678C81CF7663D34
>>
>> If so, I've cracked these with Cain (Cracker -> MSSQL) by parsing as follows:
>>
>> Header(6_chars) Salt(8_chars) Case_Sensitive_SHA1_hash Uppercase_SHA1_hash
>>
>> 0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF
>> F1D0F4509ECABA9C52D13BB04678C81CF7663D34
>>
>> These are also crackable by SQLBF:
>>
>> sqlbf -d <passlist.txt> -u <file containing usernames,binary values - 1 per
>> line, comma separated>
>>
>> Hope this helps!
>> d.
>
> It isn't cracking them that I'm stuck on, it is the actual extraction
> that is the problem. If you just do a select then all you get is a
> line of empty square boxes implying it is trying to create an ASCII
> character out of a value that isn't in the normal range. This seems
> reasonable as the field type, from a quick check, was a varchar or
> nvarchar. I need to be able to convert that varchar value from a
> binary lump to the hex value you have above
>
> Robin
>
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Robin Wood
>> Sent: Thursday, October 14, 2010 9:39 AM
>> To: PaulDotCom Mailing List
>> Subject: [Pauldotcom] extracting password hashes from MSSQL 2005/8
>>
>> Hi
>> I don't have much time to google at the moment and a friend asked me
>> about cracking MSSQL 2005/8 password hashes. I know that JTR can do
>> them and that they are stored in master.dbo.syslogins but when I had a
>> quick go at extracting them with a select they were stored as binary.
>> Is there an easy way to pull them out into the form that JTR needs?
>>
>> I'll get round to looking at it at some point if no one knows but for
>> now googling hasn't returned anything and no time to try to solve it
>> myself.
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
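The field layout described in the thread above, as an added example that is not part of the original messages: a parser that takes either the raw binary column value a driver returns or the `0x...` hex text and splits it into header, salt and hash fields. The function and field names are assumptions; the two sample values are the ones quoted in the thread.

```python
import binascii
from typing import NamedTuple, Optional, Union

# Values quoted in the thread (with and without the uppercase hash).
SAMPLE_WITH_UPPERCASE = ("0x01005C7E511B9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF"
                         "F1D0F4509ECABA9C52D13BB04678C81CF7663D34")
SAMPLE_2005 = "0x0100 5C7E511B 9FEE5B34C2C53FA51926895D1EDA9FC3AD6E76DF"

HEADER = b"\x01\x00"  # displayed as 0x0100
SALT_LEN = 4          # 8 hex characters
SHA1_LEN = 20         # 40 hex characters


class MssqlHash(NamedTuple):
    header: str
    salt: str
    case_sensitive_sha1: str
    uppercase_sha1: Optional[str]  # None for the 2005 layout


def parse_mssql_hash(value: Union[bytes, bytearray, str]) -> MssqlHash:
    """Split a password_hash value into the fields named in the thread."""
    if isinstance(value, str):
        text = "".join(value.split())        # tolerate the spaced-out form
        if text[:2].lower() == "0x":
            text = text[2:]
        try:
            raw = binascii.unhexlify(text)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("value is not valid hex") from exc
    else:
        raw = bytes(value)                   # binary column as the driver returns it
    if raw[:2] != HEADER:
        raise ValueError("unexpected header, expected 0x0100")
    body = raw[2:]
    if len(body) not in (SALT_LEN + SHA1_LEN, SALT_LEN + 2 * SHA1_LEN):
        raise ValueError("unexpected length %d for a 0x0100 hash" % len(raw))
    salt, digests = body[:SALT_LEN], body[SALT_LEN:]
    upper = digests[SHA1_LEN:].hex().upper() or None
    return MssqlHash("0x0100", salt.hex().upper(),
                     digests[:SHA1_LEN].hex().upper(), upper)


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_UPPERCASE, SAMPLE_2005):
        print(parse_mssql_hash(sample))
```

Passing the bytes object straight from the database driver avoids the "empty square boxes" rendering problem, since the value is never interpreted as text.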
