﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Article Discussions / Article Discussions by Author / Discuss content posted by Geoff Albin  / How to recover a SQL Server login password. / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Fri, 24 May 2013 22:02:18 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]paul.knibbs (3/6/2013)[/b][hr][quote][b]SQLCharger (3/6/2013)[/b][hr]Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:[/quote]There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database...[/quote]And this is why SQL Server Service accounts should be minimally privileged (i.e. 
NEVER ADMIN, either local or domain) - so someone breaking one sysadmin-level account on the SQL Server instance has a harder time getting into other machines.
Yes, oclHashcat-lite and/or oclHashcat-plus have settings for various forms of Windows and Active Directory passwords (as well as Oracle, Mac, Cisco, and other modes).</description><pubDate>Wed, 06 Mar 2013 08:06:40 GMT</pubDate><dc:creator>Nadrek</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Michael Meierruth (3/6/2013)[/b][hr][quote][b]paul.knibbs (3/6/2013)[/b][hr][quote][b]SQLCharger (3/6/2013)[/b][hr]Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:[/quote]There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?[/quote]It's for finding those people who use the same password everywhere else...[/quote]Or for escalating privileges, especially in a domain. Standard attack pattern:
1. Gain admin rights to a workstation or server.
2. Dump LSA Secrets. This gives you the password in plaintext for any services.
3. See what rights/group memberships those accounts have. They are now in your set of accounts to use for further compromise.
4. Dump the hashes from that system.
5. Use rainbow tables to gain the password from said hashes.
6. See what rights/group memberships those accounts have. They are also now in your set of accounts to use for further compromise.
7. If you've got a Domain Admin level at this point, you're set. You own the domain (and technically, the forest, meaning also every domain in said forest).
8. If you don't have an account with the level of privs that you want, spiderweb to other systems, trying the accounts you've captured and repeating steps 1-7.3.</description><pubDate>Wed, 06 Mar 2013 07:32:06 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Michael Meierruth (3/6/2013)[/b][hr]And what's the point of what you're saying in your binary signature?[/quote]It's self-referential.</description><pubDate>Wed, 06 Mar 2013 06:59:03 GMT</pubDate><dc:creator>BenWard</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Michael Meierruth (3/6/2013)[/b][hr]And what's the point of what you're saying in your binary signature?[/quote]A yes/no answer will suffice:-P</description><pubDate>Wed, 06 Mar 2013 06:54:24 GMT</pubDate><dc:creator>SQLCharger</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>And what's the point of what you're saying in your binary signature?</description><pubDate>Wed, 06 Mar 2013 05:04:14 GMT</pubDate><dc:creator>Michael Meierruth</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Michael Meierruth (3/6/2013)[/b][hr][quote][b]paul.knibbs (3/6/2013)[/b][hr][quote][b]SQLCharger (3/6/2013)[/b][hr]Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). 
:unsure:[/quote]There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?[/quote]It's for finding those people who use the same password everywhere else...[/quote]And naughty people who want to steal/sell sensitive data, but do it with someone else's name in the audit log so some poor innocent bloke gets fired instead of the real criminal.</description><pubDate>Wed, 06 Mar 2013 04:19:57 GMT</pubDate><dc:creator>BenWard</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Very neat tool and a very neat article :) Thank you</description><pubDate>Wed, 06 Mar 2013 04:12:05 GMT</pubDate><dc:creator>Jonathan Mallia</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]paul.knibbs (3/6/2013)[/b][hr][quote][b]SQLCharger (3/6/2013)[/b][hr]Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). 
:unsure:[/quote]There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?[/quote]It's for finding those people who use the same password everywhere else...</description><pubDate>Wed, 06 Mar 2013 01:30:53 GMT</pubDate><dc:creator>Michael Meierruth</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]SQLCharger (3/6/2013)[/b][hr]Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:[/quote]There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?</description><pubDate>Wed, 06 Mar 2013 01:22:39 GMT</pubDate><dc:creator>paul.knibbs</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Guys,Would this also work with [b]Windows [i][/i][/b]hashes as well?That would be even more scary (if someone manages to get your Windows hash from a server). 
:unsure:</description><pubDate>Wed, 06 Mar 2013 01:13:21 GMT</pubDate><dc:creator>SQLCharger</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>As a note for the mildly more advanced, in general, it's best to run the very quick checks first to remove those, and the large checks later.
For the even more advanced practitioner doing dictionary cracking (see below), after a reasonable pass, any passwords you find should be added to your cracking dictionary and then start over.
Here's an example of "quick first, slow last" oclHashcat-lite brute force, including an example phone number test:
[code]
rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..
rem     After that, move to oclHashcat-plus and use rules based dictionary attacks!
rem If you have more time and/or processing power, put larger pw sizes earlier.
rem If you have less, put larger pw sizes later.
rem First: Extremely Low sizes, brute force with full hex set!
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=1 --pw-max=4 --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=5 --pw-max=5  -1 ?d?l?u?s?D?F?R?h 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=6 --pw-max=6  -1 ?d?l?u?s 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
rem Next Low sizes, we'll get clever.  Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=7 --pw-max=7  -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?1?1
rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=13 --pw-max=13  -1 ?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 "(?1?1?1)?1?1?1-?1?1?1?1"
rem Next Medium-Low sizes, we'll get clever.  Brute with a pattern - larger sets at the ends, smaller in the middle.
rem  NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=8 --pw-max=8  -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?2?2?2?2?2?2?2?2
rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.
rem  We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plus Digit parens dash only
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=10 --pw-max=10  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=11 --pw-max=11  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=12 --pw-max=12  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2
[/code]
And here's an oclHashcat-plus test that starts with brute force and quickly proceeds to dictionary attacks.  This is much more appropriate for most corporate password audits.
[code]
rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..
rem     After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.
rem If you have more time and/or processing power, put larger pw sizes earlier.
rem If you have less, put larger pw sizes later.
rem since we're removing hashes from the file as we crack them, let's start fresh for each run.
copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash
rem First: Extremely Low sizes, brute force with full hex set!
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1
rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s?D?F?R?h --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1
rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol
rem   No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1
rem Next Low sizes, we'll get clever.  Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1
rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"
rem Next Medium-Low sizes, we'll get clever.  Brute with a pattern - larger sets at the ends, smaller in the middle.
rem  NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?2?2?2?2?2?2?2?2
rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.
rem  We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plus Digit parens dash only
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove  -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2
rem Now we're going to do rules based dictionary attacks!
rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.
rem Mode Straight  rules: Best64     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: specific     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\specific.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Combinator  rules: Best64     Wordlist: Phpbb * 500worst
YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt YourWordlistPath\500worst.txt
rem Mode Straight  rules: Best64     Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt
rem Mode Straight  rules: leetspeak * Best64     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: T0XlC     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: combinator * Best64     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: Best64     Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt
rem Mode Straight  rules: leetspeak * Best64     Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt
rem Mode Straight  rules: Best64     Wordlist: American English Small * American English Small
YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishSmall.txt YourWordlistPath\EnglishSmall.txt
rem Mode Straight  rules: generated     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\generated.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: d3ad0ne     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: d3ad0ne     Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt
rem Mode Straight  rules: T0XlC     Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt
rem Mode Straight  rules: leetspeak + d3ad0ne     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: combinator + d3ad0ne     Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt
rem Mode Straight  rules: d3ad0ne     Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt
rem Mode Straight  rules: leetspeak + d3ad0ne     Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt
rem Mode Straight  rules: combinator + d3ad0ne     Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt
rem Mode Straight  rules: leetspeak + d3ad0ne     Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt
rem Mode Straight  rules: combinator + d3ad0ne     Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt
[/code]
I leave conversion to CPU-based Hashcat as an exercise for the reader!
Phpbb and Rockyou are two very common password lists, both very well regarded; Phpbb is much smaller.
I'm sure everyone can Google an N worst passwords list as well.
The [url=http://dreamsteep.com/projects/the-english-open-word-list.html]English Open Word List[/url] is available online as well.
ETA: Don't forget to dump your username list into your dictionaries as well!</description><pubDate>Tue, 05 Mar 2013 16:32:30 GMT</pubDate><dc:creator>Nadrek</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]paul.knibbs (3/4/2013)[/b][hr][quote][b]Wayne Evans-440401 (3/4/2013)[/b][hr]Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as ********tterandjellysandwiches[/quote]It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. 
Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.
The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.[/quote]It's not Kerberos authentication, just to clarify. Windows 2000 defaulted to Kerberos authentication, too, BTW. LAN Manager was the weakness and that's why on any system prior to about Windows 7/2008 if you tried to specify a password over 14 characters you'd receive that warning about backward compatibility. With that said, and considering Windows XP and Server 2003 are still in use in large numbers, you don't have to be vulnerable because of LAN Manager. It could actually be disabled going back to NT4 (which would then only use NTLM/NTLMv2). If your organization hasn't already done this and you support Windows XP and 2003 platforms, it's long past time to implement the following:
[url=http://support.microsoft.com/kb/299656]How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases[/url]</description><pubDate>Tue, 05 Mar 2013 15:41:07 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]TravisDBA (3/4/2013)[/b][hr][quote][b]Geoff A (3/4/2013)[/b][hr][quote][b]TravisDBA (3/4/2013)[/b][hr]Geoff,
Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted. :-D[/quote]Travis,
I am not sure how I am responsible for government employees and their activities on their laptops. But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open ;-)[/quote]Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!" :-D[/quote]On a personal system, there's no one to tell you, "No."
For most corporations and government agencies, a password cracker is considered a hacking tool and the discovery of such on your system tends to lead to a career altering event. This is why, whenever I cover a tool like this, I make a point to issue that standard disclaimer. Keep in mind that even though you may have the purest of motives for having such a tool, unless you went and got prior permission from someone authorized to give it (usually this is a manager on the security or network/systems side, not the DBA or development manager), your reason for having it is suspect.</description><pubDate>Tue, 05 Mar 2013 15:36:44 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>OK, getting it to work on 64bit.
Already found 2 of the 4.
It's estimating 4 hours for the remaining.
Very neat tool!</description><pubDate>Tue, 05 Mar 2013 09:13:34 GMT</pubDate><dc:creator>Michael Meierruth</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Geoff,
Did the following:
C:\tmp5\hashcat-0.42&amp;gt;hashcat-cli32.exe -a 3 --pw-min=4 --pw-max=12 -m 131 -p : -o "C:\tmp5\hashcat-0.42/SQL_passwords.txt" --output-format=0 -n 2 "C:\tmp5\hashcat-0.42/Hashes.txt" -1 ?l?u?d?s ?1?1?1?1?1?1?1?1?1?1?1?1
Initializing hashcat v0.42 by atom with 2 threads and 32mb segment-size...
Added hashes from file C:\tmp5\hashcat-0.42/Hashes.txt: 4 (4 salts)
NOTE: press enter for status-screen
and getting a memorable
The instructions at "0x004143cc" referenced memeory at "0xffffffff". The memory could not be "read".
on my memorable Intel Core 2
I like the way that error message misspells 'memoery'...</description><pubDate>Mon, 04 Mar 2013 14:10:04 GMT</pubDate><dc:creator>Michael Meierruth</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>One word of caution: if you are using the GPU method (which does seem to be quicker) and you are running Vista/7 with Windows Aero enabled, you will have a very difficult time switching between applications. 
My GPU is at 99% so there is not much left to show the application in the task bar.</description><pubDate>Mon, 04 Mar 2013 11:19:43 GMT</pubDate><dc:creator>GregoryF</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Geoff A (3/4/2013)[/b][hr][quote][b]TravisDBA (3/4/2013)[/b][hr]Geoff, please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D[/quote]Travis, i am not sure how i am responsible for government employees and their activities on their laptops. but if you are saying i should be on the lookout for black suits knocking on my door, I'll keep one eye open ;-)[/quote]Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!":-D</description><pubDate>Mon, 04 Mar 2013 10:56:02 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]TravisDBA (3/4/2013)[/b][hr]Geoff, please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! 
I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D[/quote]Travis, i am not sure how i am responsible for government employees and their activities on their laptops. but if you are saying i should be on the lookout for black suits knocking on my door, I'll keep one eye open ;-)</description><pubDate>Mon, 04 Mar 2013 10:13:42 GMT</pubDate><dc:creator>Geoff A</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Excellent post on brute forcing using oclhashcat-lite - everyone, please be aware that dictionary and rules-based dictionary attacks are also available in GPU-powered form with these excellent tools. For everyone worried about their passwords, note that SQL Server itself does support a maximum of 128 characters, and high ASCII is allowed, so if you absolutely must have the "sa" account or a similar SQL Server sysadmin level account available, then a password likeÉá«zpÙYÆÉlêÙRoPõ3wC3Ó)~=5ûÈælZOcLÛÛ¼{ÖÅw™úG54)uQçeÂ?n¾KaôÅAÔÓ½Ò5år³\5ÞÑ=l¾[ÑæQ}ÞZPÐAþ+xhRß¬fó1ßfG{ñBÉÜšn‡ƒeji—ÜQ¾væ—ŸTBËŠÍÔ—xÂis perfectly acceptable, and can be cut and pasted into SSMS without any problems. As far as longer word-based passwords, something like Madeline12152008 is a horrible password, especially if your daughter Madeline was born on December 15th in 2008. ETA: Software like [url=http://keepass.info/]KeePass[/url] can be used to generate (and store) such passwords.</description><pubDate>Mon, 04 Mar 2013 10:10:56 GMT</pubDate><dc:creator>Nadrek</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]paul.knibbs (3/4/2013)[/b][hr][quote][b]Sigerson (3/4/2013)[/b]On the other hand I don't want anybody else to know this. 
It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.[/quote]Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! (This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one). If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it![/quote]Greg, the government auditors don't care who you are or what level of access you have in your brain. If the files are PHYSICALLY on the government work laptop then it is vulnerable to attack and you are ultimately liable. Particularly if this software can be used to crack SQL logins that have access to HIPAA health-related data.:-D</description><pubDate>Mon, 04 Mar 2013 09:34:50 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]TravisDBA (3/4/2013)[/b][hr]Be very careful about suggesting that people do this. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D[/quote]I don't work for the government, but I don't see a problem with the sa having this on his system (developers are another story).  
After all, as sa I can change your password at will and I have access to all unencrypted data.</description><pubDate>Mon, 04 Mar 2013 09:30:19 GMT</pubDate><dc:creator>GregoryF</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Geoff,Please be very careful about suggesting or even implying  that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired you can also be fined and/or prosecuted.:-D</description><pubDate>Mon, 04 Mar 2013 09:27:31 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Sigerson (3/4/2013)[/b]On the other hand I don't want anybody else to know this.  It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.[/quote]Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! 
(This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one). If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it!</description><pubDate>Mon, 04 Mar 2013 09:19:00 GMT</pubDate><dc:creator>paul.knibbs</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Sigerson (3/4/2013)[/b][hr] we'll all have implanted RF chips [/quote]Until some quack attempting to make a quick buck publishes a dubious medical report based on 3 test patients who just so happen to work in a nuclear power station linking RF implants to some disease that everyone is afraid of. I'm not cynical at all! Even that isn't foolproof; pickpockets will start bumping into you with RF scanners and instead of just nabbing your wallet, will steal your identity, your car, your house and probably your wife and kids too.</description><pubDate>Mon, 04 Mar 2013 09:16:07 GMT</pubDate><dc:creator>BenWard</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>I'm with Jeff.  This is very cool stuff but very ominous, too.  I do have a SQL utility user pwd that I've lost, so this will be useful.  On the other hand I don't want anybody else to know this.  It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.  [i]("My precious, my precious.")[/i] Actually, I've pretty much given up on passwords protecting me.  
One day and not too long from now, we'll all have implanted RF chips like doggie-lojacks that will identify us and let us use the atm, buy groceries, login to Amazon, etc.</description><pubDate>Mon, 04 Mar 2013 09:09:57 GMT</pubDate><dc:creator>Sigerson</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Jeff Moden (3/4/2013)[/b][hr] It's going to help me a lot.[/quote]Sounds ominous :w00t:</description><pubDate>Mon, 04 Mar 2013 08:17:16 GMT</pubDate><dc:creator>mister.magoo</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Wow!  Awesome article, Geoff!  This is spooky stuff.  I knew that passwords mostly kept the honest man honest because there's lots of ways to crack them especially with the power built into some of these bloody video cards.  I just had no idea how fast they really were.  Thank you for the time you spent on this article.  It's going to help me a lot.</description><pubDate>Mon, 04 Mar 2013 08:10:01 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]Wayne Evans-440401 (3/4/2013)[/b][hr]slightly off topic: For the likes of windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that, only stored the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does)  The remaining characters were readable (with a tool like l0pht), so to use Bens example, it would show as   ********tterandjellysandwiches[/quote]It didn't quite work that way. 
The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos. The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.</description><pubDate>Mon, 04 Mar 2013 06:19:25 GMT</pubDate><dc:creator>paul.knibbs</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Scary and unsettling. More reason to ensure access to master db is restricted (backups too!) Long live long passwords:-D</description><pubDate>Mon, 04 Mar 2013 05:48:27 GMT</pubDate><dc:creator>SQLCharger</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>excellent - thanks for the info. 
I've decided to do some maths. If you used a dictionary based brute force it might feasibly take less time I suppose, depending on how many words were in your dictionary. The Oxford English dictionary has ~ 220,000 words plus they estimate more than 8000 additional words are in use. The number of possible combinations on a 5 word pass-phrase like peanut butter and jelly sandwiches would be 228000^5 or: 616132666368000000000000000. For a letter-by-letter brute force attack you'd be looking at 26^30 or: ~281319890128474591925862102961600000000000. An 8-character 'secure' password has roughly 80 different characters you might expect to see used, 80^8: 1677721600000000. So a dictionary attack is dramatically quicker on the passphrase than character by character but is easily scuppered by throwing the number 5 into the middle of a word, using a French word etc. Even with the dictionary attack it is still hugely more effective than the regular 8 character model in use by most places. Fun times.</description><pubDate>Mon, 04 Mar 2013 05:41:34 GMT</pubDate><dc:creator>BenWard</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>[quote][b]BenWard (3/4/2013)[/b][hr]Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz! I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&amp;1a. Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this? I wonder if this technology supports crossfireX ... :D[/quote]crossfire is supported. so is SLI if you use NVIDIA. i am not bragging. 
if i were i would tell you I actually have an HP workstation with 2 Xeon procs and crossfired 7970's. Your 30 character password is stronger than your 10 character password. You have to use the CPU version of hashcat to crack 30 characters and with 16 cores it would still take over 100 years! I suppose if you have a rack of Cisco UCS's at your disposal, you could get that down to a handful of days.....</description><pubDate>Mon, 04 Mar 2013 05:25:40 GMT</pubDate><dc:creator>Geoff A</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters stored in the SAM were encrypted (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as ********tterandjellysandwiches pre any bruteforce decryption.  A human could probably figure out the missing words, or at least know not to bother with numbers, uppercase or symbols for the brute force crack. Maybe using long alphanumeric + symbols passwords is the way forward again to make the delay too long for the brute force method to find the password, i.e. before the important passwords get changed. Must investigate to prove this one way or another to myself! 
:)</description><pubDate>Mon, 04 Mar 2013 04:44:02 GMT</pubDate><dc:creator>Wayne Evans-440401</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Very useful article, but I can't help but wonder if this was just an excuse to show off that you have a 7970 clocked at 1010MHz! I read some time ago that very long but easy to remember pass-phrases like peanutbutterandjellysandwiches actually take a password cracker longer to answer than supposedly safe passwords like for example Z34d*&amp;1a. Alas I don't have access/permission to play with this tool at work - any chance you could run up a benchmark/test or comment on a long pass-phrase like this? I wonder if this technology supports crossfireX ... :D</description><pubDate>Mon, 04 Mar 2013 04:22:20 GMT</pubDate><dc:creator>BenWard</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Hi, in my system select name, password_hash from sys.sql_logins returns null for password_hash for simple users. So what permissions are required? Carmelo</description><pubDate>Mon, 04 Mar 2013 02:49:50 GMT</pubDate><dc:creator>Carmelo Messina</dc:creator></item><item><title>RE: How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Nice. 
Knew there must be a tool to do this. I can see my PC's graphics card will be busy this afternoon to see how long it takes to break my pass</description><pubDate>Mon, 04 Mar 2013 01:25:57 GMT</pubDate><dc:creator>Wayne Evans-440401</dc:creator></item><item><title>How to recover a SQL Server login password.</title><link>http://www.sqlservercentral.com/Forums/Topic1426046-2831-1.aspx</link><description>Comments posted to this topic are about the item [B]&lt;A HREF="/articles/password+cracking/96540/"&gt;How to recover a SQL Server login password.&lt;/A&gt;[/B]</description><pubDate>Sun, 03 Mar 2013 17:18:30 GMT</pubDate><dc:creator>Geoff A</dc:creator></item></channel></rss>