Database Password Hashes Cracking

April 15, 2008

SQL Server 2000:-

SELECT password from master.dbo.sysxlogins where name='sa' 



0x0100- constant header

34767D5C- salt

0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash

2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash

crack the upper case hash in 'cain and abel' and then work the case sentive hash


SQL server 2005:-

SELECT password_hash FROM sys.sql_logins where name='sa'


0x0100- constant header


5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash

crack case sensitive hash in cain, try brute force and dictionary based attacks.


update:- following bernardo's comments:-

use function fn_varbintohexstr() to cast password in a hex string. 

e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins 



In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL's own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.


*mysql  < 4.1


mysql> SELECT PASSWORD('mypass');


| PASSWORD('mypass') |


| 6f8c114b58f2ce9e   |



*mysql >=4.1


mysql> SELECT PASSWORD('mypass');


| PASSWORD('mypass')                        |


| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |


Select user, password from mysql.user

The hashes can be cracked in 'cain and abel' 



Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table.  You need to be the database superuser to read this table (usually called "postgres" or "pgsql")

select usename, passwd from pg_shadow;

     usename      |  passwd                


testuser            | md5fabb6d7172aadfda4753bf0507ed4396

use mdcrack to crack these hashes:-

$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396


select name, password, spare4 from sys.user$

hashes could be cracked using 'cain and abel' or thc-orakelcrackert11g

More on Oracle later, i am a bit bored…. 

References/Copied from:-

Advert: Subscribe for testking 642-901 online training to ensure your success in 000-377 and 70-450 exam.


1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *