Password checker automation

  • Adam Bean (1/30/2014)


    I was hoping to just find compilations of all known/bad passwords out there and continue to build out this table.

    The most current such list I'm aware of has billions of entries; you would probably want to be using Hashcat and at least one modern GPU if you're going to try to do that.

    If you want to start with known passwords, you can try starting with the following major leaks:

    Phpbb

    Rockyou

    Gawker

    Linkedin

    Gamigo

    Walla

    It only gets larger and more depressing from there.

  • Thanks Nadrek, I'll check that out later. For now I want to wrap up this current version and figure out how to resolve this damn duplicate ...

  • Create a two column WeakPasswords table; one with the weak password, the other with a comment on the source (or a reference to a lookup table, if you want to normalize it) with a unique key on the weak passwords

    Then put the username, reversed passwords, reversed username, etc. etc. into the weakpasswords table where it's not already there with a comment on the source.

    Then you have only the weakpasswords table in the query proper, with at most one entry each.

  • Nadrek,

    So you're saying to extract the hashes of the passwords (sys.sql_logins.password_hash which requires administrator privileges) and feed them into this oclHashcat. I presume that the way to calculate the hash from a string the way the various versions of SQL Server do is open knowledge. So what does oclHashcat do that is different from the PWDCOMPARE approach?

    It's obvious that the use of PWDCOMPARE has some performance problems. Thus it would be advantageous to calculate only once the hashes of all the passwords in the weak password dictionary and create an index on that hash. The other checks are more algorithmic (e.g. pwd like %loginname%) and will reqire a calculation of the hash. Of course, actually cracking the password (which seems to be oclHashcat's main objective) requires lots of computing power and highly efficient code. But that's another topic...

    So do people out there actually use olcHashcat to discover weak passwords?

  • Yes; for both the extraction script and examples of using HASHBYTES to construct the password hash (i.e. the algorithm SQL Server uses) see the end of http://www.sqlservercentral.com/Forums/Topic1530283-3411-1.aspx. Note that there is a random salt for each password, which is good practice. Note also that there's only one hashing iteration, which is bad practice - there should be thousands or hundreds of thousands of iterations.

    Hashcat (and oclhashcat, the GPU version) are more or less insanely faster than PWDCompare; oclhashcat on a single GPU can try billions (with a B) of guesses per second for SQL Server 2000-2008R2 passwords, and even for SQL2012 passwords, tens of millions per second.

    Additionally, they both support brute force (Try 0. Then 1. Then 2. .. then aaaa5 ... etc.), dictionary mode, rules-based dictionary mode, Markov chains, and combination modes.

    What you're doing now is a rules-based dictionary mode, where you have two rules:

    1) Try the password

    2) Try the REVERSE of the password.

    Hashcat and oclHashcat can efficiently run tens of thousands of rules against even large dictionaries. For example 10,000 rules times a billion base passwords 100 distinct salts (which should be unique per username) words is 1 quadrillion tests. At 2.5 billion guesses per second, that's less than 5 days to try every rule on every base password for every username.

  • That sounds pretty awesome Nadrek ... and way more effective. This SQL function is incredibly poor performing and obviously limiting. Do you have anything already built to leverage this oclHashcat? I haven't had time to dig into the site yet or play; however I'd assume we could just build a powershell wrapper to hit all destination servers and log the data centrally.

  • Adam, just out of curiosity, how many servers and logins are you dealing with?

  • Michael Meierruth (1/30/2014)


    Adam, just out of curiosity, how many servers and logins are you dealing with?

    Fluctuates daily; however based on current inventory ... 242 instances, 6,974 logins.

  • Adam Bean (1/30/2014)


    Michael Meierruth (1/30/2014)


    Adam, just out of curiosity, how many servers and logins are you dealing with?

    Fluctuates daily; however based on current inventory ... 242 instances, 6,974 logins.

    So I guess a lot of time is taken up by actually connecting to all these instances. But roughly 30 logins per instance is not that much.

    I ran some benchmarks with this pwdcompare function on my fairly fast notebook.

    select count(*),max(comp),min(comp)

    from

    (

    select top 1000000 pwdcompare(convert(varbinary(256),newid()),convert(varchar(36),newid())) comp

    from sys.syscolumns c1,sys.syscolumns c2

    ) t

    On SS2012 10 million calls take about 8 seconds.

    On SS2008R2 I had to lower the number of calls. Thus 1 million calls take about 67 seconds.

    On SS2005 I can reach 100,000 calls in 6 seconds. If I try 1 million I get a strange error and causes the service to crash.

    I no longer have access to a SS2000 instance.

    In any case, if you use a weak password dictionary of 10,000 entries (shown in your very interesting link) to be checked against 7,000 logins then we're talking about 56 seconds on SS2012.

    What version(s) of SS are we talking about in your case?

  • Adam Bean (1/30/2014)


    That sounds pretty awesome Nadrek ... and way more effective. This SQL function is incredibly poor performing and obviously limiting. Do you have anything already built to leverage this oclHashcat? I haven't had time to dig into the site yet or play; however I'd assume we could just build a powershell wrapper to hit all destination servers and log the data centrally.

    Thanks to Michael Meierruth, we know that SQL Server before 2012 must have a truly horrific implementation, and SQL 2012 is merely awful at ~1 million tests/sec. Even a single good GPU is easily four orders of magnitude faster below SQL 2012, and an order of magnitude or two faster for 2012 (and a CPU should be much faster as well).

    First, use multi-server SSMS window (or however you like to do it) to run a modification of http://www.sqlservercentral.com/Forums/Topic1530283-3411-1.aspx to get, by type:

    1) All SQL2000 hashes

    2) All SQL2005, SQL2008, and SQL2008R2 hashes

    3) All SQL2012 hashes

    Personally, I drop the results in Excel, and then pull the Excel hashes (just the hash) per version category into text files.

    The text filenames are then fed into batch files that call Hashcat, starting with very fast checks and moving up to checks that takes days to run.

    The Hashcat forums are very helpful

    Poor example of using the CPU version (a few versions out of date)

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem since we're removing hashes from the file as we crack them, let's start fresh for each run.

    copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s?D?F?R?h --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s?D?F?R?h --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?1

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s?D?F?R?h --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?1?1

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s?D?F?R?h --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s?D?F?R?h --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    hashcat-cli64.exe --attack-mode=3 -m 131 --pw-min=6 --pw-max=6 --remove -1 ?d?l?u?s --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    hashcat-cli64.exe --attack-mode=3 -m 131 --pw-min=7 --pw-max=7 --remove -1 ?d?l?u?s -2 ?l?d --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    hashcat-cli64.exe --attack-mode=3 -m 131 --pw-min=13 --pw-max=13 --remove -1 ?d --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plug Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?l?d-() -2 ?l 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?1?2?2?2?2?2?2?2?2

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?1?2?2?2?2?2?2?2?2

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?1?2?2?2?2?2?2?2?2?2

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    hashcat-cli64.exe --attack-mode=3 -m 131 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    rem Now we're going to do rules based dictionary attacks!

    rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.

    rem 10s Mode Straight rules: Best64 Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 20s Mode Straight rules: specific Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\specific.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 45s Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: Phpbb * 500worst

    hashcat-cli64.exe --attack-mode=1 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash phpbb.txt 500-worst-passwords.txt

    rem 45s Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: 500worst * Phpbb

    hashcat-cli64.exe --attack-mode=1 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash 500-worst-passwords.txt phpbb.txt

    rem 45s Mode Straight rules: Best64 Wordlist: large dictionary

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 5m Mode Straight rules: leetspeak * Best64 Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\leetspeak.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 10m Mode Straight rules: T0XlC Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\T0XlC.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 10m Mode Straight rules: combinator * Best64 Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\combinator.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 18m Mode Straight rules: Best64 Wordlist: Rockyou

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 18m Mode Straight rules: leetspeak * Best64 Wordlist: large dictionary

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\leetspeak.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 30min Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: small dictionary * small dictionary

    hashcat-cli64.exe --attack-mode=1 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 SQL2005to2008R2Many.hash dictionary-small dictionary-small

    rem **** IN PROGRESS MUST USE HASHCAT_UTILS ****

    rem Mode Hashcat-utils Combinator rules: toggles1 Wordlist: small dictionary len 1-8 only * small dictionary len 1-8 only

    rem NOTE that the togglesN ruleset is always a strict superset of togglesN-1.

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output into a straight attack to apply rules to the combined dictionaries.

    rem *** PREGENERATE MODE - RUN ME ONCE OR PIPE OUTPUT INTO CRACKING PROGRAM *** hashcat-utils-0.9-64\combinator.exe dictionary-small-Length8andless dictionary-small-Length8andless >dictionary-small-len-1-to-8-squared

    rem *** PREGENERATE MODE hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\toggles1.rule SQL2005to2008R2Many.hash dictionary-small-len-1-to-8-squared

    rem *** PIPED MODE BELOW ***

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length8andless dictionary-small-Length8andless | hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\toggles1.rule SQL2005to2008R2Many.hash

    rem 40m Mode Straight rules: generated Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\generated.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 90m Mode Straight rules: d3ad0ne Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 6h Mode Straight rules: d3ad0ne Wordlist: large dictionary

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 15h Mode Straight rules: T0XlC Wordlist: Rockyou

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\T0XlC.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 33h EST Mode Hashcat-utils Combinator rules: best64 Wordlist: small dictionary len 1-9 only * small dictionary len 1-9 only

    rem NOTE that the togglesN ruleset is always a strict superset of togglesN-1.

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output intoa straight attack to apply rules to the combined dictionaries.

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless | hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash

    rem 39h Mode Straight rules: leetspeak + d3ad0ne Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\leetspeak.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 65h EST Mode Hashcat-utils Combinator rules: toggles2 Wordlist: small dictionary len 1-9 only * small dictionary len 1-9 only

    rem NOTE that the togglesN ruleset is always a strict superset of togglesN-1.

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output intoa straight attack to apply rules to the combined dictionaries.

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless | hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\toggles2.rule SQL2005to2008R2Many.hash

    rem 79h Mode Straight rules: combinator + d3ad0ne Wordlist: Phpbb

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\combinator.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 125h Mode Straight rules: d3ad0ne Wordlist: Rockyou

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 136h Mode Straight rules: leetspeak + d3ad0ne Wordlist: large dictionary

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\leetspeak.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 253h Mode Straight rules: combinator + d3ad0ne Wordlist: large dictionary

    hashcat-cli64.exe --attack-mode=0 -m 131 --remove --output-file=SQL2005to2008R2_cpu_Many.out --output-format=7 --rules-file rules\combinator.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    Poor example of oclHashcat-plus (again, a few versions out of date - it should be similar to the new oclHashcat)

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem since we're removing hashes from the file as we crack them, let's start fresh for each run.

    copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    rem 2E2 1 char full hex

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1

    rem 6E4 2 char full hex

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1

    rem 1E7 3 char full hex

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1

    rem 4E9 4 char full hex No need to go through a rules-based dictionary attack at these sizes

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem 1E11 5 char DLUSforeign No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s?D?F?R --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plug Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    rem Now we're going to do rules based dictionary attacks!

    rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.

    rem 1E7 Mode Straight rules: Best64 Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 3E7 Mode Straight rules: specific Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\specific.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 9E7 Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: Phpbb * 500worst

    oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash phpbb.txt 500-worst-passwords.txt

    rem 9E7 Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: 500worst * Phpbb

    oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash 500-worst-passwords.txt phpbb.txt

    rem 4E7 Mode Straight rules: Best64 Wordlist: large dictionary

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 2E8 Mode Straight rules: leetspeak * Best64 Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\leetspeak.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 7E8 with some rules failing Mode Straight rules: T0XlC Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\T0XlC.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 5E8 Mode Straight rules: combinator * Best64 Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\combinator.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 1E9 Mode Straight rules: Best64 Wordlist: Rockyou

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 8E8 Mode Straight rules: leetspeak * Best64 Wordlist: large dictionary

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\leetspeak.rule --rules-file rules\best64.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 2E9 Mode Combinator rules: NOT APPLICABLE TO STRAIGHT COMBINATION ATTACK Wordlist: American English Small * American English Small

    oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash dictionary-small dictionary-small

    rem **** IN PROGRESS MUST USE HASHCAT_UTILS ****

    rem 1E10 Mode Hashcat-utils Combinator rules: toggles1 Wordlist: American English Small len 1-8 only * American English Small len 1-8 only

    rem NOTE that the togglesN ruleset is always a strict superset of togglesN-1.

    rem 0 create a length based subset of another dictionary

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output intoa straight attack to apply rules to the combined dictionaries.

    rem ****** WARNING WARNING WARNING - combinator.exe SKIPS ALL WORDS MORE THAN 16 characters long!!! ******

    rem *** DISK COMBINATION PREGENERATE MODE First cut down dictionary based on length *** hashcat-utils-0.9-64\len 1 8 <dictionary-small >dictionary-small-Length8andless

    rem *** PREGENERATE MODE Second combine them if you have drive space- RUN ME ONCE OR PIPE OUTPUT INTO CRACKING PROGRAM *** hashcat-utils-0.9-64\combinator.exe dictionary-small-Length8andless dictionary-small-Length8andless >dictionary-small-len-1-to-8-squared

    rem *** PREGENERATE MODE Third do the actual attack *** oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\toggles1.rule SQL2005to2008R2Many.hash dictionary-small-len-1-to-8-squared

    rem ******

    rem *** NOT WORKING YET RULES BASED PREGENERATE MODE First turn the dictionary into a prepend rule list *** perl f:\cracking\DictionaryTools\PerlGeneral\WordlistToRulesPrependList.pl dictionary-small-Length8andless dictionary-small-Length8andless.prepend.rule

    rem *** NOT WORKING YET RULES BASED PREGENERATE MODE Second do a multiple rules attack *** oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\toggles1.rule --rules-file dictionary-small-Length8andless.prepend.rule SQL2005to2008R2Many.hash dictionary-small-Length8andless

    rem *** PIPED MODE BELOW ***

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length8andless dictionary-small-Length8andless | oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\toggles1.rule SQL2005to2008R2Many.hash

    rem 2E9 Mode Straight rules: generated Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\generated.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 6E9 Mode Straight rules: d3ad0ne Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 2E10 Mode Straight rules: d3ad0ne Wordlist: large dictionary

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 5E10 Mode Straight rules: T0XlC Wordlist: Rockyou

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\T0XlC.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 7E10 EST Mode Hashcat-utils Combinator rules: best64 Wordlist: American English Small len 1-9 only * American English Small len 1-9 only

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output intoa straight attack to apply rules to the combined dictionaries.

    rem *** DISK COMBINATION PREGENERATE MODE First cut down dictionary based on length *** hashcat-utils-0.9-64\len 1 9 <dictionary-small >dictionary-small-Length9andless

    rem *** PREGENERATE MODE Second combine them if you have drive space- RUN ME ONCE OR PIPE OUTPUT INTO CRACKING PROGRAM *** hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless >dictionary-small-len-1-to-9-squared

    rem *** PREGENERATE MODE Third do the actual attack *** oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash dictionary-small-len-1-to-9-squared

    rem *** PIPED MODE BELOW ***

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless | oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash

    rem 1E11 Mode Straight rules: leetspeak + d3ad0ne Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\leetspeak.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 1E11 EST Mode Hashcat-utils Combinator rules: toggles2 Wordlist: American English Small len 1-9 only * American English Small len 1-9 only

    rem NOTE that the togglesN ruleset is always a strict superset of togglesN-1.

    rem 1 use Hashcat-utils combinator to combine the dictionaries.

    rem 2 pipe the output intoa straight attack to apply rules to the combined dictionaries.

    rem *** DISK COMBINATION PREGENERATE MODE First cut down dictionary based on length *** hashcat-utils-0.9-64\len 1 9 <dictionary-small >dictionary-small-Length9andless

    rem *** PREGENERATE MODE Second combine them if you have drive space- RUN ME ONCE OR PIPE OUTPUT INTO CRACKING PROGRAM *** hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless >dictionary-small-len-1-to-9-squared

    rem *** PREGENERATE MODE *** oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\toggles2.rule SQL2005to2008R2Many.hash dictionary-small-len-1-to-9-squared

    rem *** PIPED MODE BELOW ***

    hashcat-utils-0.9-64\combinator.exe dictionary-small-Length9andless dictionary-small-Length9andless | oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\toggles2.rule SQL2005to2008R2Many.hash

    rem 2E11 Mode Straight rules: combinator + d3ad0ne Wordlist: Phpbb

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\combinator.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash phpbb.txt

    rem 3E11 Mode Straight rules: leetspeak + d3ad0ne Wordlist: large dictionary

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\leetspeak.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    rem 4E11 Mode Straight rules: d3ad0ne Wordlist: Rockyou

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash rockyou.txt

    rem 8E11 Mode Straight rules: combinator + d3ad0ne Wordlist: large dictionary

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\combinator.rule --rules-file rules\d3ad0ne.rule SQL2005to2008R2Many.hash dictionary-huge

    rem POOR CHOICES LAST DITCH EFFORTS 5E8 Mode Straight rules: none Wordlist: PsycOPacKv2 AllMain_aA4_eE3_gG6_lL1_oO0__sS5_tT7.txt

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash PsycOPacK.txt

    rem POOR CHOICES LAST DITCH EFFORTS 9E9 Mode Straight rules: leetspeak Wordlist: PsycOPacKv2 AllMain_aA4_eE3_gG6_lL1_oO0__sS5_tT7.txt

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\leetspeak.rule SQL2005to2008R2Many.hash PsycOPacK.txt

    rem POOR CHOICES LAST DITCH EFFORTS 4E10 Mode Straight rules: Best64 Wordlist: PsycOPacKv2 AllMain_aA4_eE3_gG6_lL1_oO0__sS5_tT7.txt

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\best64.rule SQL2005to2008R2Many.hash PsycOPacK.txt

    rem POOR CHOICES LAST DITCH EFFORTS 2E12 Mode Straight rules: T0XlC Wordlist: PsycOPacKv2 AllMain_aA4_eE3_gG6_lL1_oO0__sS5_tT7.txt

    oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file rules\T0XlC.rule SQL2005to2008R2Many.hash PsycOPacK.txt

    More advanced versions would use the hashcat utils rli and rli2 to make exclusive lists - i.e. if you're going to try a small dictionary and then a large one with the same rules, then pull all the small dictionary's words out of the large dictionary. If you're going to try leetspeak.rule and then dead0ne.rule, then remove any rules in dead0ne.rule that are also in leetspeak.rule, etc.

  • Michael Meierruth, SQL2000 and later.

    My current test case is running on a SQL2012 instance with 8 logins, comparing to 10,000 + reverse = 90 second run. I think it's because of how I'm doing the JOIN with the OR's:

    LEFT JOIN dbo.[PasswordCheckerList] pc

    ON (PWDCOMPARE(pc.[Password], sl.[password_hash]) = 1-- Was the password stored in the list?

    OR PWDCOMPARE(REVERSE(pc.[Password]), sl.[password_hash]) = 1-- How about known passwords reversed?

    OR PWDCOMPARE(REPLACE(pc.[Password],'_Replace_',sl.name), sl.[password_hash]) = 1)-- Is the password the same as the user name?

    I really haven't had time lately to try and play with this a different way. Still haven't gone back and resolved the dupe issue either.

  • Adam i think just doing UNION or UNION all would probably be better than the OR statements ; one of those simple fixes that should have a perfroamnce imact:

    SELECT ..

    LEFT JOIN dbo.[PasswordCheckerList] pc

    ON (PWDCOMPARE(pc.[Password], sl.[password_hash]) = 1

    UNION ALL

    SELECT ..

    LEFT JOIN dbo.[PasswordCheckerList] pc

    ON PWDCOMPARE(REVERSE(pc.[Password]), sl.[password_hash]) = 1-- How about known passwords reversed?

    UNION ALL

    SELECT ..

    LEFT JOIN dbo.[PasswordCheckerList] pc

    ON PWDCOMPARE(REPLACE(pc.[Password],'_Replace_',sl.name), sl.[password_hash]) = 1)-- Is the password the same as the user name?

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Indeed a good thought Lowell. My colleague was thinking the same thing last week. I didn't have much luck with a performance gain then; however your post inspired me to try it again. Just did so and I went from 91 seconds to 78 seconds, so a bit of a gain. On a bigger box I'd have to assume the impact will definitely be better. Just not a huge fan because obviously this makes my code much larger; however I don't think there's much more than can be done based on how this function works, just seems like a very intensive operation.

  • Adam,

    Just out of curiosity what exactly does this mean:

    REPLACE(pc.[Password],'_Replace_',sl.name)

    Also, how exactly will you login to 250 or so instances to run this and gather the data into a single table?

    Why not gather the various login names and hashed passwords into a single table residing on a very fast machine and then run the script? I think that varbinary(256) for the hashed password and nvarchar(128) for the loginname are probably collation insensitive. Of course, if the sql server versions in those instances are different it starts to get complicated...

  • Michael Meierruth (2/3/2014)


    Adam,

    Just out of curiosity what exactly does this mean:

    REPLACE(pc.[Password],'_Replace_',sl.name)

    Also, how exactly will you login to 250 or so instances to run this and gather the data into a single table?

    Why not gather the various login names and hashed passwords into a single table residing on a very fast machine and then run the script? I think that varbinary(256) for the hashed password and nvarchar(128) for the loginname are probably collation insensitive. Of course, if the sql server versions in those instances are different it starts to get complicated...

    That's if the password is the same as the user (thanks to Lowell for that).

    Powershell via a central location; however that is definitely a good suggestion as well!

    I've got the runtime down to 25 seconds on my test box (from 91) by splitting the login into separate inserts. Now what I'm fighting is a SQL2000 version that performs like an absolute turd ... something is definitely wrong there.

Viewing 15 posts - 16 through 30 (of 32 total)

You must be logged in to reply to this topic. Login to reply