Cracking the HASH password in MSSQL (1)

How does the SQL Server Store passwords?

The SQL Server uses an undisclosed function pwdencrypt () to generate a hash for the user password. Through research, we can find that this hash is stored in the sysxlogins table of the mater database. This may already be well known.

The pwdencrypt () function has not published detailed information. We will discuss this function in detail in this document and point out some shortcomings of this method for storing hash on the SQL server. In fact, I will say 'password hashes' later '. Allyesno: As we will discuss later, the hash generated when the password is the same is not the only one, so it is hashes)

What does the SQL password hash look like?

We use the query analyzer or any SQL client to execute this statement: select password from master. dbo. sysxlogins where name = 'sa'

The screen returns something similar to the following string. Bytes

This is the hash of the logon password on my machine.

By analyzing the hash, we can obtain some information about pwdencrypt?

1. Time

First, we use the query select pwdencrypt () to generate the hash

Select pwdencrypt ('ph4nt0m ')

Generate hash

Bytes

OK again select pwdencrypt ('ph4nt0m ')

Bytes

We noticed that although the two encrypted strings are both ph4nt0m, the generated hash is different. So what makes the two hash results different? Our bold speculation is that time plays a key role here. It is an important factor for creating a password hashes and storing hashes. The reason for this is that when two people enter the same password, different hashes passwords can be generated to conceal that their passwords are the same.

2. Case sensitivityAdvertisement Time: The English-Chinese Network Technology vocabulary is a good dictionary. Many Kingsoft word masters can get out of anything they cannot find during translation)

Use Query

Select pwdencrypt ('allyesno ')

We will get the hash

Bytes
771E4C91

Through observation, we can find that two segments in the hash are the same. If you cannot see them immediately, let's cut them apart.

0x0100 fixed)
4 c61cd2d supplement key)
D04D67BD065181E1E8644ACBE3551296771E4C91 prototype hash)
D04D67BD065181E1E8644ACBE3551296771E4C91 uppercase hash)

Now we can see that the last two strings are exactly the same. This indicates that the password is encrypted twice by the same encryption method. One is encrypted according to the character prototype, and the other is encrypted in uppercase. It will be easier for someone to try to crack the SQL password than he expected. This is a bad encryption method. Because the password cracking personnel do not need to understand whether the character prototype is uppercase or lowercase, they only need to crack the uppercase characters. This greatly reduces the number of characters that the attacker needs to crack the password. Allyesno: flashsky's article "talking about SQL SERVER Database Password vulnerabilities" once mentioned that "because of its algorithm, if HASH1 = HASH2, it can be determined that the password is definitely not using letters, only passwords with numbers and symbols are used ". Actually it is not exactly the same as flashsky said. After we use select pwdencrypt () for encryption, we can find that the passwords hash1 and hash2 both use numbers and symbols and uppercase letters are the same, so this is a small bug in the flashsky article)