.

[Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Nov 27, 2006 12:40 am

[Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

Although this does not follow the exact steps of the article, this video is a companion to Chris Gates' highly popular, definitive work entitled Tutorial: Rainbow Tables and RainbowCrack

Follow along as we perform the following hack:

  • - Hack an MS SQL box.
  • - Dump the password hashes with Pwdump.
  • - Crack the hashes utilizing rainbow tables.

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Video: RainbowCrack after MS-SQL/Pwdump Hack

Don
Last edited by don on Mon Nov 27, 2006 12:51 am, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Nov 27, 2006 8:56 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

That was too cool! Thanks for sharing it with all of us.

Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

LSOChris

Post Mon Nov 27, 2006 11:06 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

thanks for the feedback!
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Nov 28, 2006 12:42 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

CISSP, MCSE, CSTA, Security+ SME
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Nov 28, 2006 10:37 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

Dugg :)
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

thorin

Newbie
Newbie

Posts: 3

Joined: Thu Jan 11, 2007 11:37 am

Post Thu Jan 11, 2007 11:43 am

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

Good video, however it would have been much more realistic if you at least included one decent strength password (time lapse it, or highlight the cracking time or whatever).

It was a very illustrative video to show someone the steps however it should also point out the fact that cracking a good password could take days or be impossible. PenTesters would love if all PW crack attempts only took minutes or hours and gave them something to show their clients however that's not really realistic. If you're PenTesting for a client that doesn't have a decent password policy then there's a lot of work they need on sec management, policy and governance before jumping into technical evaluation(s) of their apps, systems, or infrastructure.
<<

LSOChris

Post Thu Jan 11, 2007 3:12 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

thanks for the good feedback.  if you check out the rainbowtables/rainbow crack tutorial that set of password hashes does include some "tough" ones and one that is not stored as LM.  but i dont really get that into analyzing which ones it cracked and which ones it didnt in the vid.

with rainbow tables it will either crack it or not, it wont take days (thats the whole point of them that i spent the time to create the tables and i enjoy a decent % of cracked passwords).  now with john the ripper be prepared to wait...
<<

thorin

Newbie
Newbie

Posts: 3

Joined: Thu Jan 11, 2007 11:37 am

Post Thu Jan 11, 2007 3:24 pm

Re: [Article]-Video: RainbowCrack after MS-SQL/Pwdump Hack

ChrisG wrote:thanks for the good feedback.  if you check out the rainbowtables/rainbow crack tutorial that set of password hashes does include some "tough" ones and one that is not stored as LM. 

I did notice a few numbers but I didn't notice much mixed case or non-alpha num characters (!@#$%^*, etc).... though I guess that would require a much much larger set of tables.

However, your point about it not taking days is well received. I went hunting after your reply a noticed that passwords of a strength which I'd feel confident suggesting to a client still fell in <20min (based on the example at the bottom of the rainbowcrack.com main page).

Return to Gates

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software