Penetration Testing mailing list archives
RE: SQL passwords
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 27 Oct 2009 16:25:37 -0400
Are there any penetration testing / commercial cracking tools on the
market, or
freebies, where we could export the password hashes directly from our SQL
tables
(sys.syslogins) and crack the passwords offline, so not to affect our live
servers? Any
pointers would be great.
David Litchfield wrote a paper on this very topic which includes source for a cracker: http://www.ngssoftware.com/papers/cracking-sql-passwords.pdf If I'm not mistaken, you can also build John The Ripper with mssql05 support and use that to crack the hashes also. PaulM ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- SQL passwords pma111 (Oct 27)
- Re: SQL passwords Yannick Hamon (Oct 28)
- RE: SQL passwords Paul Melson (Oct 28)
- Re: SQL passwords Nikhil Wagholikar (Oct 28)
- Re: SQL passwords Wasim Halani (Oct 28)
- Re: SQL passwords Martin Rublik (Oct 28)
- <Possible follow-ups>
- RE: SQL passwords DUSTIN.TANNER (Oct 28)
- Re: SQL passwords Elizabeth Greene (Oct 28)
- RE: SQL passwords Security Email (Oct 28)