• paul.knibbs (3/6/2013)


    SQLCharger (3/6/2013)


    Guys,

    Would this also work with Windows hashes as well?

    That would be even more scary (if someone manages to get your Windows hash from a server).

    There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database...

    And this is why SQL Server Service accounts should be minimally privileged (i.e. NEVER ADMIN, either local or domain) - so someone breaking one sysadmin-level account on the SQL Server instance has a harder time getting into other machines.

    Yes, oclHashcat-lite and/or oclHashcat-plus have settings for various forms of Windows and Active Directory passwords (as well as Oracle, Mac, Cisco, and other modes).