Database cracking tools and setup?  

erowe
(@erowe)
Active Member

I was wondering if anyone had any experience or advice on cracking database passwords.

I received an inquiry from one of our departments and it looks like they want to set up some equipment to crack passwords on database files (e.g. MSAccess, MSSQL, Pervasive/Btrieve, Sybase, etc.).

Thanks for any advice.

Posted : 05/08/2016 10:40 pm
jaclaz
(@jaclaz)
Community Legend

> I was wondering if anyone had any experience or advice on cracking database passwords.
>
> I received an inquiry from one of our departments and it looks like they want to set up some equipment to crack passwords on database files (e.g. MSAccess, MSSQL, Pervasive/Btrieve, Sybase, etc.).
>
> Thanks for any advice.

With all due respect, it is just like asking how to open and start "a" car without keys; not only do you need to state the make, but also the model (possibly an exact one).

There may be specific ways for database "xy" but only for version 1 and 2, but not 3 and not 2.8 beta.

It's not like database password protection/encryption is theoretically different from the same kind of protection on any other files (containers, archives, spreadsheets, etc.); the point is only about specific vulnerabilities (if any), and/or the existence of (relatively) fast specific brute-force tools for them.

jaclaz

Posted : 06/08/2016 1:11 am
RolfGutmann
(@rolfgutmann)
Community Legend

So let's take e.g. Hadoop 2.7.2 - what do you say?

Posted : 06/08/2016 3:31 am
jaclaz
(@jaclaz)
Community Legend

> So let's take e.g. Hadoop 2.7.2 - what do you say?

Nothing, but - out of curiosity - weren't you busy pinning down a horse within a 10 cm range GPS position?

jaclaz

Posted : 06/08/2016 2:39 pm
athulin
(@athulin)
Community Legend

> I was wondering if anyone had any experience or advice on cracking database passwords.

Hm … in this particular forum, the assumed context will be that of a) imaging a system, b) finding one or more files in that image that are identified as database-related, and then c) realizing that the files require some form of decryption before they can be accessed. And you're asking for tools to do that.

Is that what you (or your colleagues) are after?

Haven't seen any systematic research published, as far as I remember. It would probably mean identifying the database release from the files, researching where that release kept its password hashes and in what form (this may require a test bench with that release running), and sufficient knowledge about password-cracking tools (such as hashcat, John the Ripper and others) to decide if it is supported, or if you need to write a new cracking module.

Password cracking is not yet an enterprise activity, except for very specific situations, such as AD or ZIP or … Cracking passwords from unspecified databases even less so: it requires cracking know-how as well as wide database knowledge.

The only general recommendation is to acquire both.

If the question is more concentrated on the hardware to do the job … I'd say it depends on the actual cracking software used. Fit the hardware to the tool, not the other way around.

Posted : 06/08/2016 2:56 pm
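
An added illustration of the first step athulin describes, identifying the database release from the file itself (not part of the original thread). It reads a Microsoft Access header, assuming the layout used by open-source readers such as mdbtools and Jackcess (engine name at offset 4, version byte at offset 0x14); the sample headers and file names are constructed.

```python
from typing import Optional

# Engine-name field: 16 bytes at offset 4 of the first page.
ENGINE_NAMES = {
    b"Standard Jet DB\x00": ("Jet", ".mdb"),
    b"Standard ACE DB\x00": ("ACE", ".accdb"),
}
# Version byte at offset 0x14. Only values this example is sure of are mapped;
# anything else is reported as unrecognised rather than guessed.
VERSIONS = {
    0: "Jet 3 (Access 97)",
    1: "Jet 4 (Access 2000-2003)",
    2: "ACE 12 (Access 2007)",
    3: "ACE 14 (Access 2010)",
}

def identify_access(header: bytes, filename: str = "") -> Optional[dict]:
    """Return engine/release details, or None if this is not an Access header."""
    if len(header) < 0x15:
        return None                      # truncated or carved fragment
    hit = ENGINE_NAMES.get(header[4:20])
    if hit is None:
        return None                      # some other format: needs its own research
    engine, expected_ext = hit
    code = header[0x14]
    return {
        "engine": engine,
        "version_code": code,
        "release": VERSIONS.get(code, "unrecognised version byte"),
        # A renamed file is itself a finding worth noting in the report.
        "extension_mismatch": bool(filename) and not filename.lower().endswith(expected_ext),
    }

def _sample(engine: bytes, code: int) -> bytes:
    """Build a constructed 32-byte header for demonstration."""
    return b"\x00\x01\x00\x00" + engine + b"\x00" + bytes([code]) + b"\x00" * 11

# Constructed evidence items: name -> first bytes of the file.
SAMPLES = {
    "payroll.mdb": _sample(b"Standard Jet DB", 1),
    "notes.txt": _sample(b"Standard ACE DB", 2),     # renamed .accdb
    "ledger.dat": b"\x00" * 32,                      # not Access
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, identify_access(head, name))
```

In a real triage the header bytes would come from reading the first 32 bytes of each candidate file in the image; a `None` result means the file needs its own format research.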