Re: SQL passwords

From: Yannick Hamon (yannick.hamonxmcopartners.com)
Date: Tue Oct 27 2009 - 14:04:46 CDT


Hi,

1°) You can try the free software IMA "Identity Management
Auditor" (beta release v0.2):
http://www.xmcopartners.com/ima/

It supports SQL and Windows authentication for SQL SERVER
2000/2005/2008.
It will retrieve MS SQL password hashes and then you have 2 choices:

* crack trivial passwords (login=password, null password or dictionary)
* bruteforce cracking with the embedded external cracking tool (John
The Ripper).

2°) You can also try Cain&Abel (free)
http://www.oxid.it/cain.html

It can do the same with an ODBC driver. However, Cain&Abel supports
dictionary, bruteforce or rainbow tables cracking mode.

Best Regards,
--
Yannick Hamon - Xmco Partners
Security Consultant / Penetration Testing
Web : http://www.xmcopartners.com
11 bis rue de Beaujolais 75001 PARIS

On 27 Oct 2009 at 14:38, pma111 wrote:

>
> Hi All,
>
> Are there any penetration testing / commercial cracking tools on the
> market, or freebies, where we could export the password hashes directly
> from our SQL tables (sys.syslogins) and crack the passwords offline, so
> as not to affect our live servers? Any pointers would be great.
>
> Thanks
> --
> View this message in context: http://www.nabble.com/SQL-passwords-tp26077906p26077906.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.