Desperate Help needed

  • Hello there, this is my first post and I'm desperately seeking help. I have almost no knowledge of SQL as it is not my usual work. However, suddenly it has become mine... Hopefully I will get help here.

    Well, the issue is that our database manager has resigned suddenly, and before doing so he changed the passwords of all the users in our database of a monitoring web application. So all our users now have no access to the application. After many attempts I finally got access to the database and to the users table. However, I have the issue that the passwords look as shown below and I don't know what the real passwords are.

    I have tried to decrypt them using web decryption pages, as they look like normal base64 strings, but it returns weird stuff. Also, as I don't know the real encryption used, I can't change them to a known string. So if someone could help me work out how they were encrypted, or better, find out the real passwords, it will be truly appreciated. If more info is needed, please tell me so I can send it to you, or if you need the database itself I can send you a backup.

    Best Regards to everyone.

  • Hmm, I can't give you lots of information, but one thing you could look at doing is downloading a tool called NGSSQLCrack. It will connect to the database and retrieve the password hashes, then try and work them out. You can change the settings of what character sets it uses etc. on one of the options tabs. Whatever machine you run it on, it will murder the processor, so don't run it on the server itself.

    This will (depending on how strong the passwords are) probably take days to work out the passwords. Other than that I can't think of another way.

    You could probably threaten the guy with some sort of negligence case unless he provides the password. I don't know the history of why this guy left etc., so it might not be the best option. What an arse tho, you don't need people like that around :angry:

  • Would there be a way to reset the passwords and allow the users to create new ones?

    Toni

  • Great, thanks a lot, I will try that tool... The thing is that I can't reset any of the passwords, as the administrator account was also changed and is the only one with those rights in the system. Also, I can't take the server out of production to reinstall SQL and gain access, as other working apps are running.

    On the other hand, I have access to a backup of the database that I managed to install on another computer to test, and for now we see that maybe the only way will be to retrieve some of the accounts, or at least the admin one... it is going that way. Otherwise we are starting to create another server with all the services of that one and reset passwords from SQL, but it takes quite a long time as the person in charge of something like that is not here... lol, so it is like doing it blind.

    Regarding the guy, well, it is not my business, I'm an employee, but I believe legal action has already been taken.

    Thanks for the help, I will tell you if I manage to get it working.

  • I have tried the software that you mentioned, but it only returns the hashes of the sa account of the local server where the backup database was restored, not the hashes for the database itself. I'm doing something wrong....

    Maybe I can give you a backup too so you could guide me better on what to do...

    Thanks

  • I think what's happened is that when you restored the database you ended up with orphaned users in the database, and the logins don't exist on the server. You CAN (with minimal performance hit) retrieve the hashes from the live server; it just takes a copy of them, then works through the brute force locally where the program runs. Once it has the hashes it does not do any more work on the server.

  • Sorry, just read your earlier post about not having any admin rights, so ignore my last post. Hmmm

  • What user did you use to get access to the DB and see user tables? Is Windows Authentication blocked on the DB? If not, try logging on to the DB with Windows Authentication (make sure your user is a Domain Admin).

    -Roy

  • What about making a new DB owner/changing the DB owner? Use something like sp_changeDBOwner.

    If need be - detach the DB - attach it to a database instance you have control of (as in - you have a valid SA account in), and change it there, then detach it again, and move it back to the original server.

    I hope charges are pending against the former mgr.. Idiots like that make us all look bad.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • What I did was install SQL 2005 Express on my computer and, from the sa account, restore the database from the backup I found. After some wrangling I managed to get it done, as the original database was SQL 2000. If I connect with the Server Management Studio using the Windows account, I can't get access to the database or the tables, nor restore it again from the same backup.

    Roy Ernest (1/16/2008)


    What user did you use to get access to the DB and see user tables? Is Windows Authentication blocked on the DB? If not, try logging on to the DB with Windows Authentication (make sure your user is a Domain Admin).

  • Check in Services under what account the SQL Server is being run. If it is a domain account, try with it. Also try to alter the DB so that Windows Authentication is also allowed.

    -Roy

  • Some thoughts after reading all the above:

    If I'm reading it right, the passwords are stored within a table in a user-defined database in encrypted form, right? Is the encryption application-based (you guys do it yourself), or are you using SQL-based encryption? ...actually, that's a trick question, since SQL 2000 didn't formally provide encrypting services.

    Assuming the above, what I'd try and do is get the restored copy of the database from before the jerk messed it up onto that server, and update the password table in the "live/corrupt" database with the passwords from the "old/valid" database. There are a couple of ways to do this. Simplest that I can think of would be to:

    - Restore the old/valid DB *with a new name* to the hosting server

    - Update the password table based on the contents of the old table

    - It's live production data, so test everything by wrapping in "BEGIN TRANSACTION / ROLLBACK" statements until you *know* it works. Be paranoid, because (as you've found out) fixing production data on the fly is no fun at all, and you don't want to make the problem worse!

    So to do all that, you have to be able to restore database on the server, read the data in the old/valid DB, and modify (write) to tables on the live/corrupt db. This does not require SysAdmin access... but it's not clear what access rights you do currently have.

    I'll have to leave it here for now, let us know how things proceed!

    Philip
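The restore-and-copy procedure from the post above, sketched in T-SQL as an added example that is not part of the original thread. The database names (`MonitorDB`, `MonitorDB_old`), the table `dbo.Users` with columns `UserName` and `[Password]`, and all file paths and logical file names are hypothetical placeholders; the real ones must be read from the schema and from `RESTORE FILELISTONLY`.

```sql
-- Hypothetical names throughout: MonitorDB (live), MonitorDB_old (restored copy),
-- dbo.Users(UserName, [Password]); paths and logical file names are placeholders.

-- 1. Restore the old backup under a NEW name so the live database is untouched.
RESTORE FILELISTONLY FROM DISK = 'D:\backup\MonitorDB.bak';  -- shows logical names

RESTORE DATABASE MonitorDB_old
FROM DISK = 'D:\backup\MonitorDB.bak'
WITH MOVE 'MonitorDB_Data' TO 'D:\data\MonitorDB_old.mdf',
     MOVE 'MonitorDB_Log'  TO 'D:\data\MonitorDB_old.ldf';

-- 2. Read-only preview: which accounts differ between live and backup.
SELECT live.UserName,
       live.[Password] AS CurrentValue,
       old.[Password]  AS BackupValue
FROM MonitorDB.dbo.Users AS live
JOIN MonitorDB_old.dbo.Users AS old ON old.UserName = live.UserName
WHERE live.[Password] <> old.[Password];

-- Accounts created after the backup have no old value and will not be touched.
SELECT live.UserName
FROM MonitorDB.dbo.Users AS live
LEFT JOIN MonitorDB_old.dbo.Users AS old ON old.UserName = live.UserName
WHERE old.UserName IS NULL;

-- 3. Dry run inside a transaction, then roll back.
BEGIN TRANSACTION;

UPDATE live
SET [Password] = old.[Password]
FROM MonitorDB.dbo.Users AS live
JOIN MonitorDB_old.dbo.Users AS old ON old.UserName = live.UserName
WHERE live.[Password] <> old.[Password];

SELECT @@ROWCOUNT AS RowsChanged;   -- should equal the row count from step 2

-- Verify: no matched account should still differ from the backup.
SELECT COUNT(*) AS StillDifferent
FROM MonitorDB.dbo.Users AS live
JOIN MonitorDB_old.dbo.Users AS old ON old.UserName = live.UserName
WHERE live.[Password] <> old.[Password];

ROLLBACK TRANSACTION;   -- change to COMMIT TRANSACTION only after the checks pass
```

The open transaction holds locks on the live table until it ends, so run the dry run and its checks as one batch.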

  • If you are sure this person changed passwords, I'd contact a lawyer/solicitor and file a legal action against the person. That might get you some cooperation from them.

    I'm confused. Are you viewing syslogins (or sysxlogins) in master? Or are you viewing some table in your database?

    If it's a table, you're probably stuck as you might have no idea what type of encryption was applied. For all you know, those are the passwords!

    If it's the system table, then you could try setting a new service account, which I think would get sysadmin permissions. Then connect with that and reset. Or connect with a local administrator, or even the old administrator's Windows account (the person who changed the passwords).

  • As I said before, I have no experience with SQL... so you lost me on the last reply... lol.

    However, I have uploaded the backup of the database as well as all the application files and information I was able to collect from the server. If you could download it and guide me, it will be very helpful. If someone needs to charge for the help we are glad to pay; let's make a deal on the price and I will pay by PayPal.

  • Not sure if you can do this but it sounds fairly workable at least to get back a sysadmin id then proceed from there.

    http://www.lazydba.com/sql/1__7395.html

    Toni
