Cracking a specific MSSQL hash type
#1
I encountered some old MSSQL hashes that start with 0x0105... instead of 0x0100 (mode 131/132)

To my knowledge looking at hashcat example hashes, there is no support for this type. Am I correct, and if so what are my options for cracking these hashes?
#2
Hmm, do you have any further information about this variant?

How did you get these hashes, what is the algorithm or difference in algorithm, how do you produce these hashes, etc.?

If we decide that this is a new/important algo to add, we would also need to create a hashcat GitHub issue and mention the full algo and examples (hash + password). But do not post hashes here (just a reminder).

Please do some more research about what type of hash and which version produce these hashes etc. thx

update: from this link it seems to be a different field (not the user hash): https://www.sqlserver-dba.com/2013/02/fi...sname.html
Or am I interpreting this information incorrectly? Are you sure that these are password hashes?
#3
I got these hashes from some sort of generated report/log file during a pentest exercise. The beginning of the file mentions SQL Server 2000. I will include some examples found with the appropriate obfuscation detailed in the forum rules.

The hashes I found consist of 58 characters starting with 0x0105:
0x010500XX000000XXX5XX0000XDE30XXD8XEX7EXFX3170AX26XXX0000

I also encountered this shorter hash type of 34 chars beginning with 0x102:
0x01020X00X00X000XX000X000X00X0X00
#4
(07-10-2021, 10:21 AM)philsmd Wrote: hmm ,do you have any further information about this variant ?

The query shown in the log to obtain these hashes was:
SELECT * FROM sysxlogins

The dates shown are from 2000 or 2003. Could be a variant of the SHA algorithm. Maybe SHA256?
#5
Again: are these hashed passwords or just IDs? An ID is just an identifier that has nothing to do with passwords.

It also seems that this type of table (sysxlogins) is very old and doesn't exist anymore. I would recommend looking at the table column/field names and seeing if the column names have something to do with login data or are just (random) IDs or similar. Not everything that looks "random" is a password hash!

Some (old) websites say that the sysxlogins table looked like this:
Code:
srvid smallint(2)
sid varbinary(85)
xstatus smallint(2)
xdate1 datetime(8)
xdate2 datetime(8)
name sysname(128)
password varbinary(256)
dbid smallint(2)
language sysname(128)
isrpcinmap smallint(2)
ishqoutmap smallint(2)
selfoutmap smallint(2)

So there are several IDs (only the SID is quite long, but it is not the "password" field; that's the important point here), see https://www.databasejournal.com/features...m#part_2_9

What is the name of these 0x0102 and 0x0105 fields? Do they even have something to do with passwords? It doesn't seem so from internet searches.
#6
(07-13-2021, 09:25 AM)philsmd Wrote: Again: are these hashed passwords or just IDs? An ID is just an identifier that has nothing to do with passwords.

Ah yes, you are absolutely right. Judging by the column positions they were indeed SIDs and not password hashes. Only one of those users (sa) had a valid hash, which I cracked but it was so old that it has changed. My apologies and thanks for the clarification.
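As an added example that is not part of this thread, here is a small Python triage script for the point made in #5 and confirmed in #6: before anything from a dumped sysxlogins-style table goes near hashcat, check whether each 0x... value has the layout of an MSSQL password hash (modes 131/132/1731) or decodes as a binary Windows SID. All sample values are constructed, not the obfuscated ones posted above.

```python
import hashlib
import struct

# hashcat mode -> (prefix, total length of the "0x..." string) for MSSQL hashes
MSSQL_HASH_LAYOUTS = {
    131: ("0x0100", 94),    # SQL 2000: 0x0100 + 4B salt + SHA1(pw) + SHA1(UPPER(pw))
    132: ("0x0100", 54),    # SQL 2005: 0x0100 + 4B salt + SHA1(UTF16LE(pw) + salt)
    1731: ("0x0200", 142),  # SQL 2012+: 0x0200 + 4B salt + SHA512(UTF16LE(pw) + salt)
}

def decode_sid(raw: bytes) -> str:
    """Binary SID: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] == 0 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("not a well-formed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def classify(value: str) -> str:
    """'mssql-<mode>' for a password-hash layout, 'sid S-...' for a SID, else
    'unknown'. The length check keeps 0x0100/0x0102 SIDs from looking like hashes."""
    v = value.strip().lower()
    if not v.startswith("0x"):
        return "unknown"
    for mode, (prefix, length) in MSSQL_HASH_LAYOUTS.items():
        if v.startswith(prefix) and len(v) == length:
            return "mssql-%d" % mode
    try:
        return "sid " + decode_sid(bytes.fromhex(v[2:]))
    except ValueError:
        return "unknown"

def mssql2000_pwdencrypt(password: str, salt: bytes) -> str:
    """Rebuild the SQL Server 2000 layout (hashcat mode 131) to make test data."""
    pw, up = password.encode("utf-16-le"), password.upper().encode("utf-16-le")
    return ("0x0100" + salt.hex() + hashlib.sha1(pw + salt).hexdigest()
            + hashlib.sha1(up + salt).hexdigest())

# Constructed samples: 0x0102 = 2 sub-authorities (16 bytes, 34 chars) and
# 0x0105 = 5 sub-authorities (28 bytes, 58 chars), the two shapes seen in the thread.
SAMPLES = {
    "builtin_admins": "0x01020000000000052000000020020000",
    "domain_account": "0x0105000000000005" + "15000000e803000088130000" + "50c30000f4010000",
    "sa_hash_2000": mssql2000_pwdencrypt("Example!", bytes.fromhex("a1b2c3d4")),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify(value))
```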