Is this value the SQL password hash ?

From: nobody (pentester@yahoo.com)
Date: Wed Sep 08 2004 - 22:34:53 EDT


While doing a pen test I came across a Windows share
that allowed anyone to read it. This share had an SQL
SMS install input file of the form xxxx.iss

In this file the follwing exists:

[DlgServices-0]
Local-Domain=61680
AutoStart=15
SQLDomain=XXXXX
SQLDomainAcct=XXXSQL
SQLDomainPwd=142e7e5da8cb39066a6f1759ec9aab

The length of this entry versus the SQL sysxlogin data
data that David Litchfield talks about (in his
whitepaper on SQL passwords)is quite different. Also
the CQURE tool (SQLBF) seems to expect a differnet
length hash.

from ccqure.net - sqlbf tools - demo hashes
foobar,0x0100905BB15ECA1847296A79ADD350E3138D6D255BF9FA24964FCA1847296A79ADD350E3138D6D255BF9FA24964F

Does anyone know what type of hash the data following
the SQLDomainPwd is ?

It cannot be an NTLM hash or a LANMAN hash. Just to
be sure I plugged it into LC4 and it did not recognize
the hash. I will also try John-16 using all modes but
I am guessing at this point.

Oh - I cannot get admin status (yet) on the SQl server
that I think this file was installed on. If I did so
I could dump the SAM and the SQl hahses and see what
matches.

Anyone seen this before ?

Thanks

pentester

                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:04 EDT