Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Is this value the SQL password hash ?
From: "Thor" <thor () hammerofgod com>
Date: Thu, 9 Sep 2004 21:11:44 -0700

Basically, this unattended install file specifies that both the server and agent are started under a domain account (from the 61680 entry), with the domain and user you "X'd" out. The password is encrypted though, and is not resultant of the standard method used to generate the passwords found in sysxlogins that you can decrypt with David's NGSCrack.

This from KB 233312:

<snip>
On Windows NT, you can autostart SQLServerAgent only if you autostart MSSQLServer as well, because the SQLServerAgent service is dependent on MSSQLServer. The remaining entries in this section (SQLDomain, SQLDomainAcct, SQLDomainPwd,and so forth) specify which Windows NT account(s) will be used if the Local-Domain entry indicates that one or both services will use a Windows NT domain account instead of the LocalSystem account. These entries are not present when LocalSystem is being used. The password entries are encrypted, and can only be obtained by running SQL Server setup interactively to generate a new .iss file. If this is not possible or practical in your circumstances, you must install MSSQLServer and SQLServerAgent to run under the LocalSystem account (Local-Domain=3855). Windows NT users can later change the service startup accounts, if desired (see the SQL Server Books Online articles "How to set up a SQL Server service to log on under a different user account (Windows NT)" and "Creating SQL Server Services User Accounts"). On Windows NT, the utility Scm.exe (in the MSSQL7\BINN directory) can be used after installation to change the service startup account from LocalSystem to a domain account, if it is necessary that this be automated. For more information see the Microsoft Knowledge Base article referenced previously for details
</snip>

hth

T




----- Original Message ----- From: "nobody" <pentester () yahoo com>
To: <pen-test () securityfocus com>
Sent: Wednesday, September 08, 2004 7:34 PM
Subject: Is this value the SQL password hash ?


While doing a pen test I came across a Windows share
that allowed anyone to read it.  This share had an SQL
SMS install input file of the form  xxxx.iss

In this file the follwing exists:

[DlgServices-0]
Local-Domain=61680
AutoStart=15
SQLDomain=XXXXX
SQLDomainAcct=XXXSQL
SQLDomainPwd=142e7e5da8cb39066a6f1759ec9aab

The length of this entry versus the SQL sysxlogin data
data that David Litchfield talks about (in his
whitepaper on SQL passwords)is quite different.  Also
the CQURE tool (SQLBF) seems to expect a differnet
length hash.

from ccqure.net -  sqlbf tools - demo hashes
foobar,0x0100905BB15ECA1847296A79ADD350E3138D6D255BF9FA24964FCA1847296A79ADD350E3138D6D255BF9FA24964F

Does anyone know what type of hash the data following
the SQLDomainPwd is ?

It cannot be an NTLM hash or a LANMAN hash.  Just to
be sure I plugged it into LC4 and it did not recognize
the hash.  I will also try John-16 using all modes but
I am guessing at this point.

Oh - I cannot get admin status (yet) on the SQl server
that I think this file was installed on.  If I did so
I could dump the SAM and the SQl hahses and see what
matches.

Anyone seen this before ?

Thanks

pentester









__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------





------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]