Hash Mode request MS SQL 2016 with salt
#1
Hi,

I have the following and would like to know firstly how to confirm what it is and secondly the mode to use in hashcat.

The Salt and Password have come from an MSSQL Server 2016 database.
(added X's only to obscure)

Salt - 32 characters
AX2486X10A7D87172X6759366F0FB0XF

Password:
4KX5aETqOLGXYtFfC+ImI9sjVnU=

I thought the password might be base64 encoded, but it throws junk when converted back to plain text that way.

I've used online identity tools as well as hashident. Is there any other way or even a native hashcat discovery of hash type I'm not aware of?
#2
Could be anything. Do you know the software / CMS / code that generates these hashes?

I assume it's not the MSSQL software itself? Is it some custom software / webpage?

You need to be more specific about what you are talking about and how these hashes are generated.
#3
First step is to have a test password that you know so you can test your hypothesis.
Mine is: The password base-64 decodes to 160 bits of data, the same length as a SHA1 hash. The salt looks like hex chars. If you know the correct password you can test the scenarios sha1(dehex(salt) + base-64-decode(password)), sha1(base-64-decode(password) + dehex(salt)), sha1(salt + base-64-decode(password)), sha1(base-64-decode(password) + salt), sha1(sha1(dehex(salt) + base-64-decode(password))), etc.

Once you know that you can find the mode to use.
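The check described in post #3, as an added example that is not part of the original thread: given a test account whose password is known, it hashes each salt/password layout with SHA1 and reports which one reproduces the base64-decoded stored value. It reads the post as hashing the known plaintext and comparing against the decoded stored value, and it goes slightly beyond the post by also trying the password as UTF-16LE, the encoding .NET's `Encoding.Unicode` produces; the function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from itertools import product

# Constructed sample values (not taken from the thread): a test account whose
# password is known, plus the salt and stored value as they would be dumped.
SAMPLE_PASSWORD = "Test1234!"
SAMPLE_SALT_HEX = "00112233445566778899AABBCCDDEEFF"
SAMPLE_STORED_B64 = base64.b64encode(
    hashlib.sha1(bytes.fromhex(SAMPLE_SALT_HEX)
                 + SAMPLE_PASSWORD.encode("utf-16-le")).digest()
).decode("ascii")


def candidates(password, salt_hex):
    """Yield (label, digest) for every salt/password layout under test."""
    salts = {"dehex(salt)": bytes.fromhex(salt_hex),   # salt as 16 raw bytes
             "salt": salt_hex.encode("ascii")}         # salt as 32 ASCII chars
    pwds = {"utf8(pw)": password.encode("utf-8"),
            "utf16le(pw)": password.encode("utf-16-le")}
    for (s_name, s), (p_name, p) in product(salts.items(), pwds.items()):
        for label, data in ((f"{s_name} + {p_name}", s + p),
                            (f"{p_name} + {s_name}", p + s)):
            once = hashlib.sha1(data).digest()
            yield f"sha1({label})", once
            # Double hashing over the raw 20-byte digest (assumed variant).
            yield f"sha1(sha1({label}))", hashlib.sha1(once).digest()


def identify(password, salt_hex, stored_b64):
    """Return the labels of all layouts that reproduce the stored value."""
    stored = base64.b64decode(stored_b64, validate=True)
    if len(stored) != 20:
        raise ValueError(f"{len(stored)} bytes decoded; SHA1 output is 20")
    return [label for label, digest in candidates(password, salt_hex)
            if hmac.compare_digest(digest, stored)]


if __name__ == "__main__":
    print(identify(SAMPLE_PASSWORD, SAMPLE_SALT_HEX, SAMPLE_STORED_B64))
```

An empty result means none of these layouts applies, so a different hash function, an iterated scheme or another salt encoding has to be considered before picking a hashcat mode.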
#4
Thanks for your response. I wish I could be more specific. I'm doing a pentest for a client and managed to find an injection point that subsequently allowed me to dump the columns of the backend db and find a set of passwords and salts.

I know the frontend login uses ASP.NET and it's a Windows Server 2016, but apart from that nothing else is there.
It's one of those back end portals that doesn't have any other web pages available except for a login prompt.

It's custom built too but not sure of anything else by looking at it built on ASP.NET.


Still searching for more info now.
#5
(03-19-2020, 04:14 PM)DanielG Wrote: First step is to have a test password that you know so you can test your hypothesis.
Mine is: The password base-64 decodes to 160 bits of data, the same length as a SHA1 hash. The salt looks like hex chars. If you know the correct password you can test the scenarios sha1(dehex(salt) + base-64-decode(password)), sha1(base-64-decode(password) + dehex(salt)), sha1(salt + base-64-decode(password)), sha1(base-64-decode(password) + salt), sha1(sha1(dehex(salt) + base-64-decode(password))), etc.

Once you know that you can find the mode to use.

Nice idea, I can't do that in my situation unfortunately. I'm doing a black-box website test so have no information or ability to do what you are suggesting.