Penetration Testing mailing list archives

Re: Is this value the SQL password hash ?


From: "Thor" <thor () hammerofgod com>
Date: Thu, 9 Sep 2004 21:11:44 -0700

Basically, this unattended install file specifies that both the server and agent are started under a domain account (from the 61680 entry), with the domain and user you "X'd" out. The password is encrypted though, and is not resultant of the standard method used to generate the passwords found in sysxlogins that you can decrypt with David's NGSCrack.

This from KB 233312:

<snip>
On Windows NT, you can autostart SQLServerAgent only if you autostart MSSQLServer as well, because the SQLServerAgent service is dependent on MSSQLServer. The remaining entries in this section (SQLDomain, SQLDomainAcct, SQLDomainPwd, and so forth) specify which Windows NT account(s) will be used if the Local-Domain entry indicates that one or both services will use a Windows NT domain account instead of the LocalSystem account. These entries are not present when LocalSystem is being used. The password entries are encrypted, and can only be obtained by running SQL Server setup interactively to generate a new .iss file. If this is not possible or practical in your circumstances, you must install MSSQLServer and SQLServerAgent to run under the LocalSystem account (Local-Domain=3855). Windows NT users can later change the service startup accounts, if desired (see the SQL Server Books Online articles "How to set up a SQL Server service to log on under a different user account (Windows NT)" and "Creating SQL Server Services User Accounts"). On Windows NT, the utility Scm.exe (in the MSSQL7\BINN directory) can be used after installation to change the service startup account from LocalSystem to a domain account, if it is necessary that this be automated. For more information see the Microsoft Knowledge Base article referenced previously for details.
</snip>

hth

T




----- Original Message ----- From: "nobody" <pentester () yahoo com>
To: <pen-test () securityfocus com>
Sent: Wednesday, September 08, 2004 7:34 PM
Subject: Is this value the SQL password hash ?


While doing a pen test I came across a Windows share
that allowed anyone to read it.  This share had an SQL
SMS install input file of the form  xxxx.iss

In this file the following exists:

[DlgServices-0]
Local-Domain=61680
AutoStart=15
SQLDomain=XXXXX
SQLDomainAcct=XXXSQL
SQLDomainPwd=142e7e5da8cb39066a6f1759ec9aab

The length of this entry versus the SQL sysxlogin
data that David Litchfield talks about (in his
whitepaper on SQL passwords) is quite different.  Also
the CQURE tool (SQLBF) seems to expect a different
length hash.

from ccqure.net -  sqlbf tools - demo hashes
foobar,0x0100905BB15ECA1847296A79ADD350E3138D6D255BF9FA24964FCA1847296A79ADD350E3138D6D255BF9FA24964F

Does anyone know what type of hash the data following
the SQLDomainPwd is ?

It cannot be an NTLM hash or a LANMAN hash.  Just to
be sure I plugged it into LC4 and it did not recognize
the hash.  I will also try John-16 using all modes but
I am guessing at this point.

Oh - I cannot get admin status (yet) on the SQL server
that I think this file was installed on.  If I did so
I could dump the SAM and the SQL hashes and see what
matches.

Anyone seen this before ?

Thanks

pentester
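The two checks the thread walks through, as an added example that is not code from either poster: parse the [DlgServices-0] section of an unattended-install .iss file, decode Local-Domain using the values given above (3855 = LocalSystem, 61680 = domain account for both services), flag a stored SQLDomainPwd entry, and test whether a hex blob has the sysxlogins pwdencrypt layout from Litchfield's paper (0x0100 header, 4-byte salt, two 20-byte SHA-1 digests). The function names and the sample file are constructed for this example; the sample reuses the poster's redacted values and the demo hash quoted above.

```python
import configparser
import re

# Constructed sample mirroring the fragment quoted in the thread
# (the poster's redacted values, not real credentials).
SAMPLE_ISS = """\
[DlgServices-0]
Local-Domain=61680
AutoStart=15
SQLDomain=XXXXX
SQLDomainAcct=XXXSQL
SQLDomainPwd=142e7e5da8cb39066a6f1759ec9aab
"""

# Local-Domain values as quoted from KB 233312 and Thor's reply above.
LOCAL_SYSTEM = 3855      # both services run as LocalSystem
DOMAIN_ACCOUNT = 61680   # both services run under a domain account


def parse_sysxlogins_hash(value):
    """Split a SQL Server 2000 pwdencrypt() value into its parts, or return None.
    Layout: 0x0100 header, 4-byte salt, 20-byte SHA-1, 20-byte SHA-1 (46 bytes)."""
    v = value[2:] if value.lower().startswith("0x") else value
    if len(v) != 92 or not re.fullmatch(r"[0-9a-fA-F]+", v) or v[:4] != "0100":
        return None
    return {"salt": v[4:12], "digest1": v[12:52], "digest2": v[52:92]}


def audit_iss(text):
    """Report service-account settings found in an unattended-install .iss file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so SQLDomainPwd is matched as written
    cp.read_string(text)
    if not cp.has_section("DlgServices-0"):
        return {"has_services_section": False}
    sec = cp["DlgServices-0"]
    mode = int(sec.get("Local-Domain", LOCAL_SYSTEM))
    pwd = sec.get("SQLDomainPwd")
    domain = mode != LOCAL_SYSTEM
    return {
        "has_services_section": True,
        "uses_domain_account": domain,
        "account": f"{sec.get('SQLDomain')}\\{sec.get('SQLDomainAcct')}" if domain else "LocalSystem",
        "has_password_entry": pwd is not None,
        # a 30-hex-char value cannot be the 92-hex-char sysxlogins format
        "password_is_sysxlogins_format": bool(pwd) and parse_sysxlogins_hash(pwd) is not None,
    }
```

Run over a share's .iss files, the report tells a defender which installs left a domain service account and its encrypted password readable, which is the finding to remediate regardless of the blob's format.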