Databases Reference
Let's move on to password checking tools. You can use a tool such as
SQLdict, but this is not very effective. It is slow and it creates a lot of
“noise” (e.g., if you are alerting based on excessive failed logins, you will be
spending the next five years deleting e-mails). From a performance standpoint,
going through a dictionary with 100,000 words could take almost a
full day. Instead, you can use a class of tools that run within the database
and take advantage of their access to the database table where the
password hashes are stored.
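To make the "noise" point concrete, here is an added example (not from the original text or from any of the tools named): a sliding-window count of failed logins, run over constructed log lines written in the style of SQL Server's "Login failed for user" messages and spaced at roughly the 100,000-guesses-per-day rate mentioned above. The log layout, threshold, window and function name are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server error log with failed-login
# auditing enabled; timestamps and logins are made up for this example.
SAMPLE_LOG = """\
2004-03-01 09:00:00.10 logon     Login failed for user 'sa'.
2004-03-01 09:00:00.90 logon     Login failed for user 'sa'.
2004-03-01 09:00:01.70 logon     Login failed for user 'sa'.
2004-03-01 09:00:02.50 logon     Login failed for user 'sa'.
2004-03-01 09:00:03.30 logon     Login failed for user 'sa'.
2004-03-01 09:05:00.00 logon     Login succeeded for user 'appuser'. Connection: Non-Trusted.
2004-03-01 09:10:00.00 logon     Login failed for user 'jsmith'.
2004-03-01 11:30:00.00 logon     Login failed for user 'jsmith'.
"""

FAILED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+logon\s+"
                    r"Login failed for user '([^']*)'")

def guessing_alerts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {login: time of first alert} for logins with at least
    `threshold` failures inside any sliding `window` (both values assumed)."""
    recent = defaultdict(deque)    # login -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue               # successes and unrelated lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        login = m.group(2)
        q = recent[login]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and login not in alerts:
            alerts[login] = ts     # record only the first alert per login
    return alerts

if __name__ == "__main__":
    for login, when in guessing_alerts(SAMPLE_LOG).items():
        print(f"{when}  excessive failed logins for '{login}'")
```

An online dictionary run trips this rule within its first few guesses, while the occasional mistyped password (the two 'jsmith' failures) does not; a hash-based audit run against an exported table produces no login failures at all.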
If you are running SQL Server, you can use the SQL Server Password
Auditing Tool, which is available at www.cqure.net.tools.jsp?id=10. The
tool assumes that you give it a text file with the usernames and password
hashes as stored in the sysxlogins table. After downloading the tool, you
should extract this information using:
select name, password from master..sysxlogins
and export it to a comma-delimited text file called hashes.txt. You then run
the tool from the command line using:
sqlbf -u hashes.txt -d dictionary.dic -r out.rep
The tool is very fast. On my machine it made more than 200,000
guesses per second. You can also run a brute-force attack instead of a
dictionary attack by running:
sqlbf -u hashes.txt -c default.cm -r out.rep
The -c flag tells the tool that the .cm file is a character set file. The
default English file has the following character set, and you can change it if
you have another locale:
ABCDEFGHIJKLMNOPQRSTUVXYZ0123456789
If you have an Oracle environment, you also have an abundance of
tools. You can use any of the following tools to do password checking:
Oracle Auditing Tools (OAT) is a set of tools that you can download
from www.cqure.net.tools.jsp?id=7. Among the tools is OraclePWGuess,
which is a dictionary attack tool.