Re: [Full-Disclosure] mysql password cracking

From: Willem Koenings (isec_at_europe.com)
Date: 10/09/04

  • Next message: Peter Kruse: "SV: SV: [Full-Disclosure] JPEG GDI+ (MS04-028) Exploit @ http://home.zccn.net/mm2004"
    To: full-disclosure@lists.netsys.com
    Date: Sat, 09 Oct 2004 09:44:55 -0500
    
    

    hi,

    > I'm wondering how dangerous it is to allow a user on a
    > mysql db to view the grants for another user. Could
    > they take the encrypted password data and possibly
    > crack it? If they can, how easy is it?

    on certain condition it's quite easy, if you have
    a hash:

    test.exe 57510426775c5b0f
    Hash: 57510426775c5b0f
    Trying length 3
    Trying length 4
    Trying length 5
    Found pass: guest

    some reading for you:

    http://www.ngssoftware.com/papers/HackproofingMySQL.pdf

    all the best,

    W.

    -- 
    ___________________________________________________________
    Sign-up for Ads Free at Mail.com
    http://promo.mail.com/adsfreejump.htm
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Peter Kruse: "SV: SV: [Full-Disclosure] JPEG GDI+ (MS04-028) Exploit @ http://home.zccn.net/mm2004"

    Relevant Pages

    • Re: Cracking Ettercap Generated hashes
      ... What you have there are the challenge/response hashes. ... You can crack ... i got a hash through Ettercap(ARP ... Chief Information Security Officer ...
      (Pen-Test)
    • Re: Craking Serv-u passwords stored in .ini file.
      ... let me say that I ran across Lepton's crack about a year ... > 1) hash the password, with or without prepending the salt, doesn't matter. ... > 4) append the salt to the last hash if you like, but I don't see any particular reason to do so ...
      (Pen-Test)
    • Re: [Full-Disclosure] mysql password cracking
      ... allowing users to see other user's hashes - it's dangerous; ... knowledge of the *hash* is what the authentication ... modify your mysql client to authenticate this way but that's not too hard. ... user's grants, you could do it safely a number of ways (assuming version ...
      (Full-Disclosure)
    • Re: [Full-disclosure] Best way to crack NT passwds
      ... You needn't actually crack the password if you know your hash, ... Xurron> I have tried many softwares for cracking NTLM hashes, like NC4, ... Cain and have't tried Rainbow Crack yet. ... that hashes on some site and it did recover my passwd in around 5min. ...
      (Full-Disclosure)
    • reversing hash ?
      ... Looking for a solution to crack a javascript hash coded string! ... I'm not active in informatics professionally but I do some programming in my ... Could anyone tell me how I could crack this code? ...
      (sci.crypt)