How to recover a SQL Server login password.

  • TravisDBA (3/4/2013)


    Be very careful about suggesting that people do this. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D

    I don't work for the government, but I don't see a problem with the sa having this on his system (developers are another story). After all, as sa I can change your password at will and I have access to all unencrypted data.

    /* ----------------------------- */
    Tochter aus Elysium, Wir betreten feuertrunken, Himmlische, dein Heiligtum!

  • paul.knibbs (3/4/2013)


    Sigerson (3/4/2013)

    On the other hand I don't want anybody else to know this. It's like the One Ring of Power, it's already making me think of all the malicious acts I could do with this power.

    Use longer passwords and it ceases to be an issue. Yes, he was able to find a 5-character password in 2 seconds using a brute force search with a powerful GPU, but the complexity of such a search increases massively with the number of characters--a guesstimate would suggest that if it takes 2 seconds to find a 5-character password, it will take approximately 23 days to find an 8-character password using the same mechanism! (This is assuming perhaps 100 possible characters used in the password, which would give the 8-character one a million times more possibilities than the 5-character one).

    If you had a 20-character password, well, it would probably take longer than the remaining life of the Universe to crack it!

    Greg,

    The government auditors don't care who you are or what level of access you have in your brain. If the files are PHYSICALLY on the government work laptop then it is vulnerable to attack and you are ultimately liable. Particularly if this software can be used to crack SQL logins that have access to HIPAA health-related data.:-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
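Paul's "2 seconds for 5 characters, 23 days for 8" arithmetic, worked through as an added example (this is not code from the thread; the 100-symbol alphabet and the 2-second baseline are the post's assumptions, and the age-of-the-universe figure is a rough constant used only for the comparison):

```python
"""Brute-force cost vs. password length: added example, not from the thread.

Reproduces the arithmetic in the post above.  The two inputs are the
post's own assumptions: an alphabet of about 100 symbols, and a search
that exhausts every 5-character candidate in 2 seconds.
"""

ALPHABET_SIZE = 100        # assumption from the post: ~100 usable characters
BASELINE_LENGTH = 5        # assumption from the post: 5-character password
BASELINE_SECONDS = 2.0     # assumption from the post: exhausted in 2 seconds

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
UNIVERSE_AGE_YEARS = 1.38e10   # rough figure, only used for the comparison


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(length, alphabet_size=ALPHABET_SIZE):
    """Time to try every candidate of `length` characters, scaled from the
    baseline: each extra character multiplies the work by alphabet_size."""
    growth = keyspace(length, alphabet_size) / keyspace(BASELINE_LENGTH, alphabet_size)
    return BASELINE_SECONDS * growth


def exhaust_days(length, alphabet_size=ALPHABET_SIZE):
    return exhaust_seconds(length, alphabet_size) / SECONDS_PER_DAY


def exhaust_years(length, alphabet_size=ALPHABET_SIZE):
    return exhaust_seconds(length, alphabet_size) / SECONDS_PER_YEAR


def min_length_for_years(years, alphabet_size=ALPHABET_SIZE):
    """Smallest length whose exhaustive search takes at least `years` at
    the baseline rate: the defender's question of how long a password
    must be for a given rotation period to mean anything."""
    length = BASELINE_LENGTH
    while exhaust_years(length, alphabet_size) < years:
        length += 1
    return length


def report(lengths=(5, 6, 8, 12, 20)):
    """Human-readable table of keyspace and exhaustion time per length."""
    lines = []
    for n in lengths:
        secs = exhaust_seconds(n)
        if secs < SECONDS_PER_DAY:
            human = f"{secs:,.0f} s"
        elif secs < SECONDS_PER_YEAR:
            human = f"{exhaust_days(n):,.1f} days"
        else:
            ratio = exhaust_years(n) / UNIVERSE_AGE_YEARS
            human = f"{exhaust_years(n):.3g} years ({ratio:.3g}x the age of the universe)"
        lines.append(f"{n:2d} chars: {keyspace(n):.3g} candidates, {human}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The 8-character row comes out at about 23.1 days, matching the post, and the 20-character row is some 10^12 times the age of the universe at that rate; `min_length_for_years(1)` returns 9, the first length that outlasts a one-year rotation window under these assumptions.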

  • Excellent post on brute forcing using oclhashcat-lite - everyone, please be aware that dictionary and rules-based dictionary attacks are also available in GPU-powered form with these excellent tools.

    For everyone worried about their passwords, note that SQL Server itself does support a maximum of 128 characters, and high ASCII is allowed, so if you absolutely must have the "sa" account or a similar SQL Server sysadmin level account available, then a password like

    Éá«zpÙYÆÉlêÙRoPõ3wC3Ó)~=5ûÈælZOcLÛہ¼{ÖÅw™úG54)uQçeÂ?n¾KaôÅAÔÓ½Ò5år³\5ÞÑ=l¾[ÑæQ}ÞZPÐAþ+xhR߬fó1ßfG{ñBÉÜšn‡ƒeji—ÜQ¾væ—ŸTBËŠÍÔ—xÂ

    is perfectly acceptable, and can be cut and pasted into SSMS without any problems.

    As far as longer word-based passwords, something like

    Madeline12152008 is a horrible password, especially if your daughter Madeline was born on December 15th in 2008.

    ETA: Software like KeePass can be used to generate (and store) such passwords.

  • TravisDBA (3/4/2013)


    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D

    Travis,

    I am not sure how I am responsible for government employees and their activities on their laptops.

    But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open 😉

  • Geoff A (3/4/2013)


    TravisDBA (3/4/2013)


    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D

    Travis,

    I am not sure how I am responsible for government employees and their activities on their laptops.

    But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open 😉

    Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!":-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • One word of caution: if you are using the GPU method (which does seem to be quicker) and you are running Vista/7 with Windows Aero enabled, you will have a very difficult time switching between applications. My GPU is at 99% so there is not much left to show the application in the task bar.

    /* ----------------------------- */
    Tochter aus Elysium, Wir betreten feuertrunken, Himmlische, dein Heiligtum!

  • Geoff,

    Did the following:

    C:\tmp5\hashcat-0.42>hashcat-cli32.exe -a 3 --pw-min=4 --pw-max=12 -m 131 -p : -o "C:\tmp5\hashcat-0.42/SQL_passwords.txt" --output-format=0 -n 2 "C:\tmp5\hashcat-0.42/Hashes.txt" -1 ?l?u?d?s ?1?1?1?1?1?1?1?1?1?1?1?1

    Initializing hashcat v0.42 by atom with 2 threads and 32mb segment-size...

    Added hashes from file C:\tmp5\hashcat-0.42/Hashes.txt: 4 (4 salts)

    NOTE: press enter for status-screen

    and getting a memorable

    The instructions at "0x004143cc" referenced memeory at "0xffffffff". The memory could not be "read".

    on my memorable Intel Core 2

    I like the way that error message misspells 'memoery'...

  • OK, getting it to work on 64bit.

    Already found 2 of the 4.

    It's estimating 4 hours for the remaining.

    Very neat tool!

  • TravisDBA (3/4/2013)


    Geoff A (3/4/2013)


    TravisDBA (3/4/2013)


    Geoff,

    Please be very careful about suggesting or even implying that people should do this on production SQL Servers. I work for the government and the auditors are looking for this kind of stuff on your PC and if they find it, you are probably gone!!! I repeat: DO NOT KEEP THESE FILES ON YOUR WORK LAPTOP IF YOU WORK FOR THE GOVERNMENT, OR YOU ARE A GOVERNMENT CONTRACTOR!!!! You can not only be fired, you can also be prosecuted.:-D

    Travis,

    I am not sure how I am responsible for government employees and their activities on their laptops.

    But if you're saying I should be on the lookout for black suits knocking on my door, I'll keep one eye open 😉

    Ok, no problem, just be careful suggesting that kind of thing to the public at large. Not everyone means well in this world. That is all I'm saying. I could see someone sitting in court and explaining "Well your honor, Geoff Albin showed me how to hack a SQL Login production password on SQLServerCentral.com!!!":-D

    On a personal system, there's no one to tell you, "No."

    For most corporations and government agencies, a password cracker is considered a hacking tool and the discovery of such on your system tends to lead to a career altering event. This is why, whenever I cover a tool like this, I make a point to issue that standard disclaimer. Keep in mind that even though you may have the purest of motives for having such a tool, unless you went and got prior permission from someone authorized to give it (usually this is a manager on the security or network/systems side, not the DBA or development manager), your reason for having it is suspect.

    K. Brian Kelley
    @kbriankelley

  • paul.knibbs (3/4/2013)


    Wayne Evans-440401 (3/4/2013)


    Slightly off topic: for the likes of Windows passwords back in the 2000/2003 server days, it looked to the lay person (me) that only the first 8 characters were encrypted in the SAM (no idea what 2008/2012 does). The remaining characters were readable (with a tool like l0pht), so to use Ben's example, it would show as

    ********tterandjellysandwiches

    It didn't quite work that way. The old LAN Manager password system that was used prior to Kerberos authentication split the password into two 7-character chunks and encrypted them separately--it was thus possible for a password cracker to deal with each half individually and work much faster. It also wasn't case sensitive, massively reducing the possible list of passwords any cracker needed to check. Note that Windows 2000 and 2003 would still generate a LAN Manager hash for any passwords shorter than 15 characters in order to maintain backward compatibility with older versions of Windows that didn't recognise Kerberos.

    The password specified above would be too long to get an LM hash on Windows 2k/2k3, so you'd only have a problem if you were trying to use it on a pre-Active Directory domain. It would get split into PEANUTB and UTTERAN, and since both of those are simple dictionary words with one or two letters attached, would be crackable extremely easily.

    It's not Kerberos authentication, just to clarify. Windows 2000 defaulted to Kerberos authentication, too, BTW.

    LAN Manager was the weakness and that's why on any system prior to about Windows 7/2008 if you tried to specify a password over 14 characters you'd receive that warning about backward compatibility. With that said, and considering Windows XP and Server 2003 are still in use in large numbers, you don't have to be vulnerable because of LAN Manager. It could actually be disabled going back to NT4 (which would then only use NTLM/NTLMv2). If your organization hasn't already done this and you support Windows XP and 2003 platforms, it's long past time to implement the following:

    How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

    K. Brian Kelley
    @kbriankelley
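The LAN Manager weakness Paul and Brian describe (case folding, padding to 14, two independent 7-character halves, and no LM hash at all for 15+ characters), modelled as an added example that is not code from the thread. It covers only the pre-processing and the resulting search cost, not the hash itself; the 95- and 69-symbol alphabet sizes are assumptions for the comparison, and `peanutbutteran` is the 14-character prefix of Ben's example as Paul split it:

```python
"""Why LAN Manager hashes were weak: added example, not from the thread.

Models only the pre-processing the posts above describe (uppercase,
pad to 14, split into two 7-character halves, no LM hash at all for
15+ characters) and the resulting search cost.  Alphabet sizes are
assumptions for the comparison, not figures from the thread.
"""

LM_MAX_LENGTH = 14
LM_HALF = 7
# Assumed alphabets: 95 printable ASCII characters; 69 after LM's case
# folding (26 uppercase + 10 digits + 33 symbols).
PRINTABLE_ASCII = 95
LM_ALPHABET = 69


def lm_halves(password):
    """Return the two 7-character chunks LM would hash separately, or None
    when the password is too long to get an LM hash at all."""
    if len(password) > LM_MAX_LENGTH:
        return None
    padded = password.upper().ljust(LM_MAX_LENGTH, "\0")   # NUL padding
    return padded[:LM_HALF], padded[LM_HALF:]


def lm_search_cost(alphabet=LM_ALPHABET):
    """Two independent 7-character searches, not one 14-character search."""
    return 2 * alphabet ** LM_HALF


def full_search_cost(length=LM_MAX_LENGTH, alphabet=PRINTABLE_ASCII):
    """Cost when the whole password is hashed as one unit with case kept,
    the NTLM situation the posts contrast LM with."""
    return alphabet ** length


def lm_speedup():
    """How many times cheaper the LM split makes a 14-character search."""
    return full_search_cost() // lm_search_cost()


def lm_exposure(password):
    """Defender-side check: does this password leave a crackable LM hash
    behind on a system that still stores one?"""
    halves = lm_halves(password)
    if halves is None:
        return "no LM hash stored (15+ characters)"
    first, second = halves
    if second.strip("\0") == "":
        return "LM hash stored; second half is empty (7 or fewer characters)"
    return "LM hash stored; two 7-char halves attacked independently"


if __name__ == "__main__":
    for pw in ("peanutbutteran", "peanutbutterandjellysandwiches", "abc"):
        print(f"{pw!r}: {lm_halves(pw)} -> {lm_exposure(pw)}")
    print(f"LM split makes a 14-char search ~{lm_speedup():.3g}x cheaper")
```

The speed-up is on the order of 10^14 under these alphabet assumptions, which is the whole reason the "disable LM hash storage" setting Brian links to matters on any remaining XP/2003 estate.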

  • As a note for the mildly more advanced, in general, it's best to run the very quick checks first to remove those, and the large checks later.

    For the even more advanced practitioner doing dictionary cracking (see below), after a reasonable pass, any passwords you find should be added to your cracking dictionary and then start over.

    Here's an example of "quick first, slow last" oclHashcat-lite brute force, including an example phone number test:

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, move to oclHashcat-plus and use rules based dictionary attacks!

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=1 --pw-max=4 --hex-charset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x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=5 --pw-max=5 -1 ?d?l?u?s?D?F?R?h 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=6 --pw-max=6 -1 ?d?l?u?s 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=7 --pw-max=7 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=13 --pw-max=13 -1 ?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=8 --pw-max=8 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plus Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=10 --pw-max=10 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=11 --pw-max=11 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=12 --pw-max=12 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    And here's an oclHashcat-plus test that starts with brute force and quickly proceeds to dictionary attacks. This is much more appropriate for most corporate password audits.

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem since we're removing hashes from the file as we crack them, let's start fresh for each run.

    copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset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outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset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outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset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outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset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outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s?D?F?R?h --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plus Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    rem Now we're going to do rules based dictionary attacks!

    rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.

    rem Mode Straight rules: Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: specific Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\specific.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Combinator rules: Best64 Wordlist: Phpbb * 500worst

    YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt YourWordlistPath\500worst.txt

    rem Mode Straight rules: Best64 Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: leetspeak * Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: T0XlC Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: combinator * Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: Best64 Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak * Best64 Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: Best64 Wordlist: American English Small * American English Small

    YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishSmall.txt YourWordlistPath\EnglishSmall.txt

    rem Mode Straight rules: generated Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\generated.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: T0XlC Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    I leave conversion to CPU-based Hashcat as an exercise for the reader!

    Phpbb and Rockyou are two very common password lists, both very well regarded; Phpbb is much smaller.

    I'm sure everyone can Google an N worst passwords list as well.

    The English Open Word List is available online as well.

    ETA: Don't forget to dump your username list into your dictionaries as well!

  • Guys,

    Would this also work with Windows hashes as well?

    That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:

    Cheers,

    JohnA

    MCM: SQL2008

  • SQLCharger (3/6/2013)


    Guys,

    Would this also work with Windows hashes as well?

    That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:

    There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?

  • paul.knibbs (3/6/2013)


    SQLCharger (3/6/2013)


    Guys,

    Would this also work with Windows hashes as well?

    That would be even more scary (if someone manages to get your Windows hash from a server). :unsure:

    There's no reason why it wouldn't, but getting the Windows hash of your password from the server isn't a trivial thing--you usually need admin access in order to read the SAM database, and if you already have that level of access, why do you care about hacking somebody else's password?

    It's for finding those people who use the same password everywhere else...

  • Very neat tool and a very neat article 🙂

    Thank you

Viewing 15 posts - 16 through 30 (of 59 total)
