Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SQL passwords

From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 27 Oct 2009 16:25:37 -0400
Are there any penetration testing / commercial cracking tools on the

market, or 

freebies, where we could export the password hashes directly from our SQL

tables 

(sys.syslogins) and crack the passwords offline, so not to affect our live

servers? Any 

pointers would be great.


David Litchfield wrote a paper on this very topic which includes source for
a cracker:

http://www.ngssoftware.com/papers/cracking-sql-passwords.pdf

If I'm not mistaken, you can also build John The Ripper with mssql05 support
and use that to crack the hashes also.


PaulM



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: