December 23, 2003 at 11:14 am
I wonder if someone could help me retrieve a password for a certain login instead of resetting it. Thanks for your help!
December 23, 2003 at 12:12 pm
I hope not!
December 23, 2003 at 12:15 pm
http://www.nextgenss.com/sqlcrack.htm
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
December 23, 2003 at 11:07 pm
bKelly << While that tool works, it CAN NOT give you the actual password, only a password that will pass validation.
racosta << You are 100% correct, unfortunately, there ARE many ways to achieve this
wmp789 << There should be no general way of retrieving a password. To have one in any way, shape or form indicates a MAJOR security loophole. Unfortunately, there are times where an authorized person would like this information. Our CryptoVault line of products addresses this need WITHOUT compromising security!!!!
December 23, 2003 at 11:08 pm
Clarification: CryptoVault MUST be set up prior to this condition arising!
December 24, 2003 at 12:18 am
CPUWizard, what is your basis for saying the password cannot be retrieved?
There's a weakness in the way SQL Server passwords are stored. Next Generation Software has a whitepaper detailing this weakness. That's why care must be given in granting sysadmin rights, even on a development server.
Steve Jones' review: http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp
And, BTW, the less-efficient version of the program (command-line, too) cracks passwords just fine, having compiled and tested it myself. I've also seen this version in action.
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
December 24, 2003 at 6:51 am
The reason I stated that it "can not give you the actual password" is based on the fact that SQL Server uses a hashing of the password. As a result, there are potentially multiple passwords (character sequences) which will generate the equivalent hash.
When a brute force attack occurs, it is just as likely that one of the alternates will be found as the actual password.
If this occurs, the returned value would NOT be that actual user password, but would be a character string that would function identically to the password.
I have been involved in computer security evaluations since the late 1970's, and this issue is not at all uncommon. The Digital Equipment Corp VAX series of computers (running VMS) were particularly vulnerable to this issue. It turned out that the hash was reversible to the point that a few simple (for a computer) calculations would yield a character sequence which would then hash into the target value. If one could obtain the file which had the hashed passwords, then it became a trivial exercise to be able to completely mimic any user of the system.
In conclusion, the programs mentioned WILL usually give you access to the target data within a short (relatively) period. The password it gives you is likely to be the actual user password, but even if it is not, there is no effect on functionality at the SQL Server level. And finally, ANY system which relies on this as the sole method of securing a system is vulnerable, and should not be placed into a production environment.
To all readers: Have a healthy and happy holiday celebration!!
December 24, 2003 at 8:54 am
You're speaking of the susceptibility to a birthday attack, and I'll agree with you here, but it is less likely with the SQL Server passwords. Reason being it's easy to find the salt for the SHA function and also because the password hash is actually two hashes, one simply being the uppercase version. But effectively, folks do gain access to the system, which is what the poster is after.
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
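The storage detail raised in the last post (the salt kept alongside the hash, plus a second hash of the upper-cased password), as an added example that is not part of the original thread: a small Python audit helper that splits a stored hash into its fields and flags logins that still carry the case-insensitive half so they can be given new passwords. The layout (0x0100 header, 4-byte salt, SHA-1 digests over the UTF-16LE password plus salt) is assumed from public descriptions of the SQL Server 2000 format; the function names, login names and sample values are constructed.

```python
import hashlib

HEADER = b"\x01\x00"   # assumed version marker opening the stored value
SALT_LEN = 4           # assumed: salt is stored in the clear after the header
SHA1_LEN = 20

def make_sample_hash(password: str, salt: bytes) -> bytes:
    """Build a constructed sample blob in the assumed legacy layout."""
    def sha1(text: str) -> bytes:
        return hashlib.sha1(text.encode("utf-16-le") + salt).digest()
    # Second digest is over the upper-cased password: the weak half.
    return HEADER + salt + sha1(password) + sha1(password.upper())

def parse_hash(blob: bytes) -> dict:
    """Split a stored hash into fields; flag the upper-case-only half."""
    if blob[:2] != HEADER:
        raise ValueError("not a 0x0100-style password hash")
    salt = blob[2:2 + SALT_LEN]
    body = blob[2 + SALT_LEN:]
    # One digest = layout without the upper-case half; two = legacy layout.
    if len(salt) != SALT_LEN or len(body) not in (SHA1_LEN, 2 * SHA1_LEN):
        raise ValueError("unexpected hash length")
    upper = body[SHA1_LEN:] or None
    return {"salt": salt, "case_sensitive": body[:SHA1_LEN],
            "upper_only": upper, "needs_reset": upper is not None}

def audit(logins: dict) -> list:
    """Return login names whose stored hash still has the upper-case half."""
    return sorted(name for name, blob in logins.items()
                  if parse_hash(blob)["needs_reset"])

if __name__ == "__main__":
    salt = bytes.fromhex("1a2b3c4d")                 # constructed salt
    a = parse_hash(make_sample_hash("Winter2003", salt))
    b = parse_hash(make_sample_hash("wINTER2003", salt))
    # Different case, different first digest, identical second digest:
    print(a["case_sensitive"] != b["case_sensitive"],
          a["upper_only"] == b["upper_only"])
    legacy = make_sample_hash("Winter2003", salt)
    print(audit({"app_login": legacy, "new_login": legacy[:26]}))
```

Because the second digest ignores case, every case variant of a password shares it, which is why the thread's warning about granting sysadmin rights (and with it read access to the stored hashes) applies even on development servers.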