SQLServerCentral is supported by Red Gate Software Ltd.
 
How to recover a SQL Server login password.
Posted Monday, March 4, 2013 11:19 AM
Ten Centuries


Group: General Forum Members
Last Login: Thursday, April 17, 2014 4:56 AM
Points: 1,002, Visits: 884
One word of caution: if you are using the GPU method (which does seem to be quicker) and you are running Vista/7 with Windows Aero enabled, you will have a very difficult time switching between applications. My GPU is at 99%, so there is not much left to show the application in the task bar.

/* ----------------------------- */
Daughter of Elysium, we enter, drunk with fire, Heavenly One, your sanctuary!

Post #1426379
Posted Monday, March 4, 2013 2:10 PM
Mr or Mrs. 500


Group: General Forum Members
Last Login: Saturday, July 19, 2014 8:45 AM
Points: 531, Visits: 2,078
Geoff,

Did the following:

C:\tmp5\hashcat-0.42>hashcat-cli32.exe -a 3 --pw-min=4 --pw-max=12 -m 131 -p : -o "C:\tmp5\hashcat-0.42/SQL_passwords.txt" --output-format=0 -n 2 "C:\tmp5\hashcat-0.42/Hashes.txt" -1 ?l?u?d?s ?1?1?1?1?1?1?1?1?1?1?1?1
Initializing hashcat v0.42 by atom with 2 threads and 32mb segment-size...

Added hashes from file C:\tmp5\hashcat-0.42/Hashes.txt: 4 (4 salts)

NOTE: press enter for status-screen

and getting a memorable

The instructions at "0x004143cc" referenced memeory at "0xffffffff". The memory could not be "read".

on my memorable Intel Core 2

I like the way that error message misspells 'memoery'...
Post #1426462
Posted Tuesday, March 5, 2013 9:13 AM
Mr or Mrs. 500


Group: General Forum Members
Last Login: Saturday, July 19, 2014 8:45 AM
Points: 531, Visits: 2,078
OK, getting it to work on 64bit.
Already found 2 of the 4.
It's estimating 4 hours for the remaining.
Very neat tool!
Post #1426888
Posted Tuesday, March 5, 2013 3:36 PM


Keeper of the Duck
Group: Moderators
Last Login: Thursday, July 10, 2014 1:34 PM
Points: 6,623, Visits: 1,855
TravisDBA (3/4/2013)
Geoff A (3/4/2013)
TravisDBA (3/4/2013)
Geoff,

Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.


Travis,
I am not sure how I am responsible for government employees and their activities on their laptops,
but if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open.


Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!"


On a personal system, there's no one to tell you, "No."

For most corporations and government agencies, a password cracker is considered a hacking tool and the discovery of such on your system tends to lead to a career altering event. This is why, whenever I cover a tool like this, I make a point to issue that standard disclaimer. Keep in mind that even though you may have the purest of motives for having such a tool, unless you went and got prior permission from someone authorized to give it (usually this is a manager on the security or network/systems side, not the DBA or development manager), your reason for having it is suspect.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1427061
Posted Tuesday, March 5, 2013 3:41 PM


Keeper of the Duck
Group: Moderators
Last Login: Thursday, July 10, 2014 1:34 PM
Points: 6,623, Visits: 1,855
paul.knibbs (3/4/2013)
Wayne Evans-440401 (3/4/2013)
Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

********tterandjellysandwiches


It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.

The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.


It's not Kerberos authentication, just to clarify. Windows 2000 defaulted to Kerberos authentication, too, BTW.

LAN Manager was the weakness and that's why on any system prior to about Windows 7/2008 if you tried to specify a password over 14 characters you'd receive that warning about backward compatibility. With that said, and considering Windows XP and Server 2003 are still in use in large numbers, you don't have to be vulnerable because of LAN Manager. It could actually be disabled going back to NT4 (which would then only use NTLM/NTLMv2). If your organization hasn't already done this and you support Windows XP and 2003 platforms, it's long past time to implement the following:

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1427063
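As an added illustration (my code, not from this thread) of the LAN Manager behaviour Paul and Brian describe, the Python below performs LM's upper-case-and-split normalisation, compares the resulting search effort with a case-sensitive hash over the whole password, and classifies a dumped LM hash field so an administrator can confirm that the NoLMHash change Brian links to has actually taken effect. The alphabet sizes are printable-ASCII approximations, and the constant for an empty half is a public value of the LM algorithm; both are stated in the comments.

```python
from typing import Optional, Tuple

LM_MAX_LEN = 14
# Public constant of the LM algorithm: the hash of an empty 7-byte half
# (DES of "KGS!@#$%" under an all-zero key). It is the second half for
# passwords of 7 characters or fewer, and both halves when no LM hash is stored.
LM_EMPTY_HALF = "aad3b435b51404ee"

# Approximate alphabets (printable ASCII only): LM is case-insensitive, so
# lower-case letters collapse into upper-case; NT keeps both cases.
LM_ALPHABET = 26 + 10 + 33   # 69
NT_ALPHABET = 95


def lm_halves(password: str) -> Optional[Tuple[str, str]]:
    """Return the two 7-character blocks that LM hashes independently, or None
    when the password exceeds 14 characters (Windows 2000/2003 then store no
    LM hash). LM upper-cases the password and NUL-pads it to 14 bytes first."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:7], padded[7:]


def search_space(alphabet: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of that size."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def lm_vs_nt_effort(length: int) -> Tuple[int, int]:
    """Worst-case candidates to exhaust for a password of `length` characters:
    LM searches each case-insensitive half separately (lengths 1..7), NT the
    whole case-sensitive string. Returns (lm_candidates, nt_candidates)."""
    if length > LM_MAX_LEN:
        raise ValueError("no LM hash exists above 14 characters")
    halves = 1 if length <= 7 else 2      # an empty second half is a known constant
    return halves * search_space(LM_ALPHABET, 7), search_space(NT_ALPHABET, length)


def lm_audit(lm_hash_hex: str) -> str:
    """Classify the 32-hex-digit LM field shown by SAM auditing tools; used to
    verify that the NoLMHash setting is in effect on a host."""
    h = lm_hash_hex.lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("LM hash must be 32 hex digits")
    first, second = h[:16], h[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no LM hash stored (NoLMHash in effect or password longer than 14)"
    if second == LM_EMPTY_HALF:
        return "LM hash present; password is 7 characters or fewer"
    return "LM hash present; password is 8 to 14 characters"


if __name__ == "__main__":
    print(lm_halves("peanutbutteran"))          # ('PEANUTB', 'UTTERAN')
    lm, nt = lm_vs_nt_effort(14)
    print(f"LM work is roughly 1/{nt // lm:,} of NT work for a 14-char password")
    # Constructed sample LM fields: a NoLMHash host, then a short password.
    print(lm_audit(LM_EMPTY_HALF * 2))
    print(lm_audit("0123456789abcdef" + LM_EMPTY_HALF))
```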
Posted Tuesday, March 5, 2013 4:32 PM
SSC Eights!


Group: General Forum Members
Last Login: 2 days ago @ 8:10 AM
Points: 861, Visits: 2,360
As a note for the mildly more advanced, in general, it's best to run the very quick checks first to remove those, and the large checks later.

For the even more advanced practitioner doing dictionary cracking (see below), after a reasonable pass, any passwords you find should be added to your cracking dictionary and then start over.

Here's an example of "quick first, slow last" oclHashcat-lite brute force, including an example phone number test:
rem General technique: Try brute forcing as much as possible first - larger character sets at short lengths, small sets at long lengths.
rem After that, move to oclHashcat-plus and use rules based dictionary attacks!

rem If you have more time and/or processing power, put larger pw sizes earlier.
rem If you have less, put larger pw sizes later.

rem First: Extremely Low sizes, brute force with full hex set!
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=1 --pw-max=4 --hex-charset [...] 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=5 --pw-max=5 -1 ?d?l?u?s?D?F?R?h 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=6 --pw-max=6 -1 ?d?l?u?s 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=7 --pw-max=7 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?1?1

rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=13 --pw-max=13 -1 ?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 "(?1?1?1)?1?1?1-?1?1?1?1"


rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=8 --pw-max=8 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?2?2?2?2?2?2?2?2

rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.
rem We'll try a Lower/Digit/dash/paren first character followed by Lower only, and then the same first character followed by Digit/dash/paren only
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=10 --pw-max=10 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=11 --pw-max=11 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-lite64.exe -m 132 --pw-min=12 --pw-max=12 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

And here's an oclHashcat-plus test that starts with brute force and quickly proceeds to dictionary attacks. This is much more appropriate for most corporate password audits.
rem General technique: Try brute forcing as much as possible first - larger character sets at short lengths, small sets at long lengths.
rem After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.

rem If you have more time and/or processing power, put larger pw sizes earlier.
rem If you have less, put larger pw sizes later.

rem since we're removing hashes from the file as we crack them, let's start fresh for each run.
copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash

rem First: Extremely Low sizes, brute force with full hex set!
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset [...] --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset [...] --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset [...] --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset [...] --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1


rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s?D?F?R?h --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1

rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol
rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1

rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1

rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"


rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.
rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?2?2?2?2?2?2?2?2

rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.
rem We'll try a Lower/Digit/dash/paren first character followed by Lower only, and then the same first character followed by Digit/dash/paren only
rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?l --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?2?2?2?2?2?2
YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?2?2?2?2?2?2?2


rem Now we're going to do rules based dictionary attacks!


rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.
rem Mode Straight rules: Best64 Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: specific Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\specific.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Combinator rules: Best64 Wordlist: Phpbb * 500worst
YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt YourWordlistPath\500worst.txt

rem Mode Straight rules: Best64 Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

rem Mode Straight rules: leetspeak * Best64 Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: T0XlC Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: combinator * Best64 Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: Best64 Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

rem Mode Straight rules: leetspeak * Best64 Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

rem Mode Straight rules: Best64 Wordlist: American English Small * American English Small
YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishSmall.txt YourWordlistPath\EnglishSmall.txt


rem Mode Straight rules: generated Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\generated.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: d3ad0ne Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt


rem Mode Straight rules: d3ad0ne Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

rem Mode Straight rules: T0XlC Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: combinator + d3ad0ne Wordlist: Phpbb
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

rem Mode Straight rules: d3ad0ne Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

rem Mode Straight rules: combinator + d3ad0ne Wordlist: American English Very Large
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

rem Mode Straight rules: combinator + d3ad0ne Wordlist: Rockyou
YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

I leave conversion to CPU-based Hashcat as an exercise for the reader!

Phpbb and Rockyou are two very common password lists, both very well regarded; Phpbb is much smaller.
I'm sure everyone can Google an N worst passwords list as well.
The English Open Word List is available online as well.

ETA: Don't forget to dump your username list into your dictionaries as well!
Post #1427077
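As an added example (my code, not the poster's scripts), a small Python keyspace calculator for hashcat-style masks such as those in the post above, so that an audit's stages can be ordered "quick first, slow last" and a worst-case ETA estimated before anything is run; the cracking rate in the demo is an assumed figure, and the language charsets ?D ?F ?R from the 5-character stage are not modelled.

```python
import string
from typing import Dict, List, Optional, Tuple

# Characters behind hashcat's built-in mask symbols (?s is the 33 printable
# ASCII symbols including space; ?a is all 95 printable ASCII characters).
BUILTIN: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation + " ",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec: str) -> str:
    """Expand a -1/-2 charset definition such as "?d?l?u?s" or "?l?d-()" into
    its distinct characters: "?x" is a built-in set, "??" a literal question
    mark, anything else a literal character."""
    chars: List[str] = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            sym = spec[i + 1]
            if sym == "?":
                chars.append("?")
            elif sym in BUILTIN:
                chars.extend(BUILTIN[sym])
            else:
                raise ValueError(f"unsupported charset symbol ?{sym}")
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))   # dedupe, preserve order


def keyspace(mask: str, custom: Optional[Dict[str, str]] = None) -> int:
    """Candidates generated by a mask; `custom` maps "1".."4" to the charset
    definitions given with -1 .. -4. Literal characters contribute one choice."""
    sizes = {k: len(expand_charset(v)) for k, v in (custom or {}).items()}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            sym = mask[i + 1]
            if sym in sizes:
                total *= sizes[sym]
            elif sym in BUILTIN:
                total *= len(BUILTIN[sym])
            elif sym != "?":                   # "??" is a literal '?'
                raise ValueError(f"unknown mask symbol ?{sym}")
            i += 2
        else:
            i += 1                             # literal character
    return total


def order_stages(stages: List[Tuple[str, str, Dict[str, str]]]) -> List[Tuple[str, int]]:
    """Sort (label, mask, custom) stages cheapest first: "quick first, slow last"."""
    return sorted(((lbl, keyspace(m, c)) for lbl, m, c in stages), key=lambda s: s[1])


def eta_hours(candidates: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock time for a stage at a measured cracking rate."""
    return candidates / hashes_per_second / 3600.0


if __name__ == "__main__":
    # Stages taken from the oclHashcat-lite script above; 1e9 H/s is an assumed rate.
    stages = [
        ("len 6 full", "?1?1?1?1?1?1", {"1": "?d?l?u?s"}),
        ("len 7 patterned", "?1?2?2?2?2?1?1", {"1": "?d?l?u?s", "2": "?l?d"}),
        ("US phone", "(?1?1?1)?1?1?1-?1?1?1?1", {"1": "?d"}),
        ("len 8 lower+digit", "?2?2?2?2?2?2?2?2", {"2": "?l?d"}),
    ]
    for label, n in order_stages(stages):
        print(f"{label:20s} {n:>20,d} candidates  ~{eta_hours(n, 1e9):.3f} h")
```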
Posted Wednesday, March 6, 2013 1:13 AM
SSC-Enthusiastic


Group: General Forum Members
Last Login: Thursday, April 17, 2014 1:41 AM
Points: 170, Visits: 1,400
Guys,

Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server).


Cheers,

JohnA

MCM: SQL2008
Post #1427223
Posted Wednesday, March 6, 2013 1:22 AM
SSCommitted


Group: General Forum Members
Last Login: Friday, July 25, 2014 3:12 AM
Points: 1,610, Visits: 5,482
SQLCharger (3/6/2013)
Guys,

Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server).


There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?
Post #1427228
Posted Wednesday, March 6, 2013 1:30 AM
Mr or Mrs. 500


Group: General Forum Members
Last Login: Saturday, July 19, 2014 8:45 AM
Points: 531, Visits: 2,078
paul.knibbs (3/6/2013)
SQLCharger (3/6/2013)
Guys,

Would this also work with Windows hashes as well?
That would be even more scary (if someone manages to get your Windows hash from a server).


There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?

It's for finding those people who use the same password everywhere else...
Post #1427229
Posted Wednesday, March 6, 2013 4:12 AM
SSC Eights!


Group: General Forum Members
Last Login: Yesterday @ 9:18 AM
Points: 982, Visits: 1,084
Very neat tool and a very neat article :)
Thank you
Post #1427290