Tuesday, 27 December 2011

How to crack SQL Server's password Hashes

SQL Server uses an undeclared and undocumented function, pwdencrypt(), to produce a hash of the user's password, which is stored in the sysxlogins table of the master database. I guess this is common knowledge among most people who work with SQL Server, but I have never come across an article detailing this function. So here I am focusing on the details of this password hash so as to dig deeper into it.
So let's begin with what it looks like.

Using Query Analyzer, or the SQL tool of your choice, run the following query:


select password from master.dbo.sysxlogins where name='sa'


You should get something similar to the following returned.

0x01008D504D65431D6F8AA7AED333590D7DB1863CBFC98186BFAE06EB6B327EFA
This is the hash of the 'sa' login's password on my machine.

Now there is a uniqueness to this password hashing function: it will give you two different hashes for the same password if you hash it at two different times. The function is designed so that if two people use the same password, their hashes still differ, so you cannot tell from the hashes alone that the passwords are the same.

Now let's run a case scenario and then study it. Here I am going to take AAAAAA as the password and then hash it using:

select pwdencrypt('AAAAAA')

which produces the hash

0x01008444930543174C59CC918D34B6A12C9CC9EF99C4769F819B43174C59CC918D34B6A12C9CC9EF99C4769F819B

The key point here is that there are two password hashes, concatenated for some advanced security measure. Luckily, we can crack them separately as well.

This hash actually has 4 parts:
0x0100
84449305
43174C59CC918D34B6A12C9CC9EF99C4769F819B
43174C59CC918D34B6A12C9CC9EF99C4769F819B


As you can see, parts 3 and 4 are identical, which shows that the password is always stored twice: one hash of the password as originally provided (case sensitive) and one hash of the upper-case version of the same password. This is seriously concerning, as anyone attacking the hash has had their work cut in half. Moreover, they do not have to try any case permutations (random caps-lock sequences); they can simply use upper-case characters, which reduces the keyspace required.
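To make the four-part layout concrete, here is an added Python example (not from the post or from the tool it links) that splits a stored value into header, salt and the two SHA-1 digests, rebuilds the value for a known password, and reports whether a candidate matches exactly or only in its upper-case form. It assumes the scheme that was later reverse-engineered for SQL Server 2000's pwdencrypt, SHA-1 over the UTF-16LE password followed by the 4-byte salt, which the post itself does not state; the function names and the mixed-case sample password are my own.

```python
import hashlib

# Hash value quoted in the post: pwdencrypt('AAAAAA') on SQL Server 2000.
SAMPLE_HASH = ("0x0100" "84449305"
               "43174C59CC918D34B6A12C9CC9EF99C4769F819B"
               "43174C59CC918D34B6A12C9CC9EF99C4769F819B")


def parse_hash(hex_value):
    """Split a 0x0100-style value into (header, salt, case_hash, upper_hash)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    # 2-byte header + 4-byte salt + 20-byte SHA-1 + 20-byte SHA-1 = 46 bytes
    if len(raw) != 46 or raw[:2] != b"\x01\x00":
        raise ValueError("not a 46-byte 0x0100 SQL Server 2000 password hash")
    return raw[:2], raw[2:6], raw[6:26], raw[26:46]


def sql2000_hash(password, salt):
    """Assumed pwdencrypt primitive: SHA-1(UTF-16LE(password) || salt)."""
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def pwdencrypt_like(password, salt):
    """Rebuild the full stored value: header, salt, case-sensitive hash, upper-case hash."""
    return (b"\x01\x00" + salt
            + sql2000_hash(password, salt)
            + sql2000_hash(password.upper(), salt))


def check_candidate(hex_value, candidate):
    """Return (exact_match, case_insensitive_match) for one candidate password.

    The second flag only needs the upper-case digest, which is why the stored
    upper-case copy shrinks the work an attacker has to do.
    """
    _, salt, case_hash, upper_hash = parse_hash(hex_value)
    upper_ok = sql2000_hash(candidate.upper(), salt) == upper_hash
    exact_ok = upper_ok and sql2000_hash(candidate, salt) == case_hash
    return exact_ok, upper_ok


if __name__ == "__main__":
    header, salt, h_case, h_upper = parse_hash(SAMPLE_HASH)
    print("salt:", salt.hex().upper(), "copies identical:", h_case == h_upper)
    # Constructed mixed-case password hashed with the post's salt
    built = "0x" + pwdencrypt_like("Secret1", salt).hex().upper()
    for guess in ("Secret1", "SECRET1", "secret1", "wrong"):
        print(guess, check_candidate(built, guess))
```

Because AAAAAA is already upper case, the two digests in the post's value coincide; a mixed-case password produces two different digests, and the upper-case one still confirms any case variant of the guess. SQL Server 2005 dropped the upper-case copy and SQL Server 2012 moved to a SHA-512 scheme with a 0x0200 header, so this layout is specific to SQL Server 2000.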


Here I am attaching the link to a simple command-line dictionary attack tool.

Click here to get the code.
