March 6, 2013 at 4:19 am
Michael Meierruth (3/6/2013)
paul.knibbs (3/6/2013)
SQLCharger (3/6/2013)
Guys,Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:
There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?
It's for finding those people who use the same password everywhere else...
And naughty people who want to steal/sell sensitive data, but do it with someone else's name in the audit log so some poor innocent bloke gets fired instead of the real criminal.
Ben
^ Thats me!
----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
March 6, 2013 at 5:04 am
And what's the point of what you're saying in your binary signature?
March 6, 2013 at 6:54 am
Michael Meierruth (3/6/2013)
And what's the point of what you're saying in your binary signature?
A yes/no answer will suffice:-P
Cheers,
JohnA
MCM: SQL2008
March 6, 2013 at 6:59 am
Michael Meierruth (3/6/2013)
And what's the point of what you're saying in your binary signature?
It's self-referential.
Ben
^ Thats me!
----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
March 6, 2013 at 7:32 am
Michael Meierruth (3/6/2013)
paul.knibbs (3/6/2013)
SQLCharger (3/6/2013)
Guys,Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:
There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?
It's for finding those people who use the same password everywhere else...
Or for escalating privileges, especially in a domain. Standard attack pattern:
1. Gain admin rights to a workstation or server.
2. Dump LSA Secrets. This gives you the password in plaintext for any services.
3. See what rights/group memberships those accounts have. They are now in your set of accounts to use for further compromise.
4. Dump the hashes from that system.
5. Use rainbow tables to gain the password from said hashes.
6. See what rights/group memberships those accounts have. They are also now in your set of accounts to use for further compromise.
7. If you've got a Domain Admin level at this point, you're set. You own the domain (and technically, the forest, meaning also every domain in said forest).
8. If you don't have an account with the level of privs that you want, spiderweb to other systems, trying the accounts you've captured and repeating steps 1-7.
3.
K. Brian Kelley
@kbriankelley
March 6, 2013 at 8:06 am
paul.knibbs (3/6/2013)
SQLCharger (3/6/2013)
Guys,Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:
There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database...
And this is why SQL Server Service accounts should be minimally privileged (i.e. NEVER ADMIN, either local or domain) - so someone breaking one sysadmin-level account on the SQL Server instance has a harder time getting into other machines.
Yes, oclHashcat-lite and/or oclHashcat-plus have settings for various forms of Windows and Active Directory passwords (as well as Oracle, Mac, Cisco, and other modes).
June 24, 2013 at 5:01 am
This is not working on my pc....
It got this and SQL_passwords.txt gets generated:
Enter YES in uppercase if you accept this EULA:
YES
Initializing hashcat v0.45 by atom with 8 threads and 32mb segment-size...
output-format=0: No such file or directory
_______________________________________________________________
To get quick answer follow this link:
http://www.sqlservercentral.com/articles/Best+Practices/61537/
June 27, 2013 at 5:30 pm
Very interesting topic.
I tried but I am getting only password.which have normal character like a to Z
If i add any special character I am not getting proper output and it's take too long time .
one more is I am getting output in ppt format.I don't where I did mistake
I am not getting EULA: option in Command Prompt..
I used below script :
hashcat-cli32.exe -a 3 --pw-min=4 --pw-max=12 -m 132 -p : -o "C:\hashcat-0.46\SQL_passwords.txt" -output-format=0 -n 2 "C:\hashcat-0.46\Hashes.txt" -1 ?l?u?d?s ?1?1?1?1?1?1?1?1?1?1?1?1
If i used below scipt I am getting error :
hashcat-cli32.exe -a 3 --pw-min=4 --pw-max=12 -m 131 -p : -o "C:\hashcat-0.46\SQL_passwords.txt" -output-format=0 -n 2 "C:\hashcat-0.46\Hashes.txt" -1 ?l?u?d?s ?1?1?1?1?1?1?1?1?1?1?1?1
Skipping line : (Line length exception)
No hashes Found.
OS Version : Windows Xp
SQL Server 2008
Thanks
Atchi
July 9, 2013 at 11:02 am
I tried to use this but I keep getting an error saying Skipping Line: #0 ( line length exception) .. I can not figure out how to get around this. any help?
January 9, 2014 at 5:45 pm
I'm frustrated trying to recover a sa password from a legacy database that no one knows. I've tried using Hashcat and oclHashcat following this article and the HashcatGUI. I keep getting the same error message "Line-length exception". Here's my command: oclHashcat64.exe -a 0 -m 100 -p : --session=09163410 --force -o "D:\Applications\HashCat\UnHashed_sa.txt" --outfile-format=3 -n 32 -u 250 --gpu-temp-abort=90 -r "D:\Applications\HashCat\oclHashcat\oclHashcat-1.01\rules\best64.rule" "D:\Applications\HashCat\Hashed\Hashed_sa.txt" "D:\Applications\HashCat\WordLists\dic-0294.txt" "D:\Applications\HashCat\WordLists\ALLUP&R.DIC"
Any suggestions on how to resolve this would be appreciated.
SQL DBA
CEA-IT
January 10, 2014 at 8:30 am
Brandon Forest (1/9/2014)
I'm frustrated trying to recover a sa password from a legacy database that no one knows. I've tried using Hashcat and oclHashcat following this article and the HashcatGUI. I keep getting the same error message "Line-length exception". Here's my command: oclHashcat64.exe -a 0 -m 100 -p : --session=09163410 --force -o "D:\Applications\HashCat\UnHashed_sa.txt" --outfile-format=3 -n 32 -u 250 --gpu-temp-abort=90 -r "D:\Applications\HashCat\oclHashcat\oclHashcat-1.01\rules\best64.rule" "D:\Applications\HashCat\Hashed\Hashed_sa.txt" "D:\Applications\HashCat\WordLists\dic-0294.txt" "D:\Applications\HashCat\WordLists\ALLUP&R.DIC"Any suggestions on how to resolve this would be appreciated.
SQL DBA
CEA-IT
First, create a user with a known password as a test case. Then look at the example (or the CPU Hashcat example) for the format, and vary it slightly if required. D:\Applications\HashCat\Hashed\Hashed_sa.txt
Maybe you need the leading 0xXXXX, maybe not, and maybe you need a : between salt and hashed password.
Make sure you're setting the right SQL server version - MS has slightly different versions for SQL Server 2000, 2005-2008R2, and 2012.
Also, if it's a legacy database, why do you care what the old "sa" password was? Start it in single user mode and just reset the sa password.
January 15, 2014 at 10:39 pm
Nadrek, suffice it to say that I have good business reasons to recover the original password. I've been a SQL DBA for 15 years and a IT pro for 25+. I don't do things just because I want to. I do things for a reason, which I'm disinclined to share with forum trolls. :w00t:
January 16, 2014 at 1:04 am
Brandon Forest (1/15/2014)
Nadrek, suffice it to say that I have good business reasons to recover the original password. I've been a SQL DBA for 15 years and a IT pro for 25+. I don't do things just because I want to. I do things for a reason, which I'm disinclined to share with forum trolls. :w00t:
Can you share these 'good business reasons'? I'm very curious how the type of password recovery divides the real world, i.e. in what percent of cases would it be sufficient to just reset the 'sa' password.
January 31, 2014 at 6:24 am
I have tried to run this and got error - --output-format=0 on this pert of the command.
regards
April 17, 2014 at 12:30 am
Geoff A (3/3/2013)
Comments posted to this topic are about the item How to recover a SQL Server login password.
If the password is related to an individual user account, you can ask your system administrator to reset a new password for you to login to the MS SQL Server. But if the SA is not available or the lost or forgotten password is related to system administrator account, you can reset a new password by using Windows Authentication.
Read this blog: How to Reset SQL Server Passwords Manually?[/url]
You will get some manual solutions in the blog by using which you can unlock your MS SQL Server.
Hope this blog would be helpful.
Thanks. 🙂
Viewing 15 posts - 31 through 45 (of 59 total)
You must be logged in to reply to this topic. Login to reply