hashcat Forum
QBW Encoding, Hash Extraction - Printable Version




QBW Encoding, Hash Extraction - Loopy - 03-03-2015

Apologies if this isn't a good place for the question... Close if necessary.

In my organization I frequently need to crack passwords on Quickbooks QBW files. It is simple enough to strip the passwords from the files with other tools, but this isn't ideal for us for a few reasons. Some weaker passwords can be cracked with other tools, but I'd prefer to attack the raw hash if feasible for the more difficult passwords.

Through some research and testing I've been able to determine that the QBW files use a SQLAnywhere structure for the security and passwords are stored using SHA1 salted with the user name. The problem I'm finding is that all of this data looks to be encoded in such a way as to hide the 'plain text' hash and user name - a search of the raw file content (in Hexedit, big and/or little endian, unicode, etc) doesn't 'hit' on a known user name, hash, or known transactional item. I've tried accessing directly through SQLAW but can't establish a connection to the database (I'm assuming due to the encoding.) I haven't yet tried the quickbooks SDK and don't really want to go there if I don't have to.

So the fundamental question is whether anyone here knows the method that Intuit uses to encode the content of the file, and/or how to locate/view/access the Security table(s) so I can access the raw hashes.

Thanks for any thoughts.

-a guy name Lou

(Edit: Brain cramp - typed MySQL, is actually SQLAnywhere)


RE: QBW Encoding, Hash Extraction - atom - 03-04-2015

The answer is simple, the implementation may not be. What you need to find out is how the real program loads it.


RE: QBW Encoding, Hash Extraction - hops - 03-04-2015

I don't know anything about Quickbooks but I work with SQL Anywhere on a daily basis.
You say these QBW files "use a SQL Anywhere structure". So it probably means that's just a SQL Anywhere database file.
If you don't see any interesting strings in this file it's most likely because the db is encrypted.
There are two possible types:
"simple" which doesn't need a key and it's basically just obfuscation, though I've no idea how it actually works.
"strong" uses AES with either a 128-bit or a 256-bit key. In this case without the key you'll have no chance to read the data.

However like atom said, the application knows how to read/write QBW files so that's your starting point.