Archive for March, 2013

A simple hack of a login password

Posted: March 30, 2013 in MSSQL
Tags:
Task: to show how simply to hack a login password in SQL Server. Comparison of elapsed/estimated time for decryption vs different password lengths in different SQL Server versions




WARNING: by hacking any part of SQL Server, e.g. a password login, you will lose the warranty from Microsoft. This blog post has the educational purpose only. For testing purposes, you should try it on the development machine only. I do not take any responsibility for any damages caused by this article.

Recommendations:
  • run the cmd.exe as an administrator
  • ERROR: cuModuleLoad() 209 – NV users require ForceWare 310.32 or later (NVIDIA update); AMD users require Catalyst 13.1 -exact-
  • set convenient paths to hashcat utility (C:\Temp\Hashcat) and to text files (PASSWORDS and HASHES)

Prerequisites:

1. SSMS > T-SQL > get hashes of login passwords


SELECT [NAME], [PASSWORD_HASH]
FROM [SYS].[SQL_LOGINS]

or

SELECT [NAME], 
LOGINPROPERTY([SYS].[SYSLOGINS].[NAME],'PasswordHash') AS PasswordHash
FROM [SYS].[SYSLOGINS]
WHERE LOGINPROPERTY([SYS].[SYSLOGINS].[NAME],'PasswordHash') IS NOT NULL

2. Windows > Explorer > download hashcat utility and create auxiliary files

  • create C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt
  • create C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt
  • create C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt
  • create C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt
  • create C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt
  • create C:\Temp\Hashcat\MSSQL12_HASHES.txt
  • download and unzip hashcat utility from hashcat utility to C:\Temp\Hashcat\

Tests:

SW & HW > Laptop > Lenovo Thinkpad E530

  • Windows 7
  • Processor: Intel Core i5 3210 Ivy Bridge
  • RAM: 12GB
  • Graphics: NVIDIA GeForce GT630M 2GB Optimus + Intel HD Graphics 4000

1. Windows > Run > run a new CMD window – MSSQL05-08R2_CMD_CPU.bat


cd C:\Temp\Hashcat\hashcat-0.44
echo Started: %time%
hashcat-cli64.exe -a 3 --pw-min=5 --pw-max=5 -m 131 -p : -o "C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt" --output-format=0 -n 4 "C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt" -1 ?l?u?d?s ?1?1?1?1?1
echo Stopped: %time%
pause


2. Windows > Run > run a new CMD window – MSSQL05-08R2_CMD_GPU.bat


cd C:\Temp\Hashcat\oclHashcat-lite-0.15
cudaHashcat-lite64.exe -m 132 -p : -o "C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt" --outfile-format=3 --gpu-temp-abort=100 --pw-min=5 --pw-max=5 -1 ?l?u?d?s "C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt" ?1?1?1?1?1
pause


3. Windows > Run > run a new CMD window – MSSQL12_CMD_CPU.bat


cd C:\Temp\Hashcat\hashcat-0.44
echo Started: %time%
hashcat-cli64.exe -a 3 --pw-min=5 --pw-max=5 -m 1731 -p : -o "C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt" --output-format=0 -n 4 "C:\Temp\Hashcat\MSSQL12_HASHES.txt" -1 ?l?u?d?s ?1?1?1?1?1
echo Stopped: %time%
pause


4. Windows > Run > run a new CMD window – MSSQL12_CMD_GPU.bat


cd C:\Temp\Hashcat\oclHashcat-lite-0.15
cudaHashcat-lite64.exe -m 1732 -p : -o "C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt" --outfile-format=3 --gpu-temp-abort=100 --pw-min=5 --pw-max=5 -1 ?l?u?d?s "C:\Temp\Hashcat\MSSQL12_HASHES.txt" ?1?1?1?1?1
pause

NOTE: not supported at the moment

Abbreviations:
  • -a 3 – the attack mode. 3 indicates using brute force
  • –pw-min=5 –pw-max=5 – at least 5 characters long and not more than 5 characters long
  • -m 131 – this means a SQL 2005-2008 R2 hash (CPU)
  • -m 132 – this means a SQL 2005-2008 R2 hash (GPU)
  • -m 1731 – this means a SQL 2012 hash (CPU)
  • -m 1732 – this means a SQL 2012 hash (GPU; note: not supported at the moment)
  • -p : -o “C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt” – the output file name and location (CPU)
  • -p : -o “C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt” – the output file name and location (GPU)
  • -p : -o “C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt” – the output file name and location (CPU)
  • -p : -o “C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt” – the output file name and location (GPU)
  • –output-format=0 – the format of the output file (CPU)
  • –output-format=3 – the format of the output file (GPU)
  • -n 4 – the number of thread counts to use
  • “C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt” – the name and location of hash file for SQL 2005-2008 R2
  • “C:\Temp\Hashcat\MSSQL12_HASHES.txt” – the name and location of hash file for SQL server 2012
  • -1 ?l?u?d?s – the type of characters to try using brute force. l = lower case letters, u = upper case letters, d = numbers and s = special characters. (!@#, etc). Using ?a for all
  • -?1?1?1?1?1 – number of position to the pw-max
  • –gpu-temp-abort=100 – at 100 degrees Celsius, it will automatically stop

Notes:
  • -oclHashcat-lite – decrypting single hash only
  • -oclHashcat-plus – decrypting multiple hashes

Results:

Figure 1: CMD result – MSSQL05-08R2 (4-character password) – CPU

Figure 1: CMD result – MSSQL05-08R2 (4-character password) – CPU


Figure 2: CMD result – MSSQL05-08R2 (5-character password) – CPU

Figure 2: CMD result – MSSQL05-08R2 (5-character password) – CPU


Figure 3: CMD result – MSSQL05-08R2 (6-character password) – CPU

Figure 3: CMD result – MSSQL05-08R2 (6-character password) – CPU


Figure 4: CMD result – MSSQL05-08R2 (8-character password) – CPU

Figure 4: CMD result – MSSQL05-08R2 (8-character password) – CPU


Figure 5: CMD result – MSSQL05-08R2 (4-character password) – GPU

Figure 5: CMD result – MSSQL05-08R2 (4-character password) – GPU


Figure 6: CMD result – MSSQL05-08R2 (5-character password) – GPU

Figure 6: CMD result – MSSQL05-08R2 (5-character password) – GPU


Figure 7: CMD result – MSSQL05-08R2 (6-character password) – GPU

Figure 7: CMD result – MSSQL05-08R2 (6-character password) – GPU


Figure 8: CMD result – MSSQL05-08R2 (8-character password) – GPU

Figure 8: CMD result – MSSQL05-08R2 (8-character password) – GPU


Figure 9: CMD result – MSSQL12 (4-character password) – CPU

Figure 9: CMD result – MSSQL12 (4-character password) – CPU


Figure 10: CMD result – MSSQL12 (5-character password) – CPU

Figure 10: CMD result – MSSQL12 (5-character password) – CPU


Figure 11: CMD result – MSSQL12 (6-character password) – CPU

Figure 11: CMD result – MSSQL12 (6-character password) – CPU


Figure 12: CMD result – MSSQL12 (8-character password) – CPU

Figure 12: CMD result – MSSQL12 (8-character password) – CPU

Table results:
SQL Server CPU GPU
password [chars] _1Tc [4] _1Tc& [5] _1Tc5& [6] _1Tc5&dI [8] _1Tc [4] _1Tc& [5] _1Tc5& [6] _1Tc5&dI [8]
2005-08R2 decryption time <1s 7m 12h 30m >113h 2s 7s 2h 19m 2y 143d
2012 decryption time <3s >31m >2h >63h

Notes:
  • -light green – elapsed time
  • -yellow – estimated time

Conclusion: the hashcat – advanced password recovery utility is very useful tool not only for decrypting SQL Server login passwords. The decryption time differences between particular SQL Server versions are caused by using of different hash algorithms. The version 2005-08R2 uses only SHA-1 hash whereas the version 2012 already uses SHA-2 (SHA-512 concretely) hash. To increase computing power and decrease decrypting time, it would be possible to connect more computers into grid etc.


Source Code:
Additional references:
Advertisements