notnotnotveg

Professional Internet Squirrel Chaser

less than 1 minute read

The following is a compilation of queries to list database user hashes, which are stored locally in tables. The hashes obtained can be cracked using password cracking tools like Hashcat.

MySQL :

mysql_native_password :

SELECT * FROM mysql.user;

Hashcat Mode : 300

caching_sha2_password :

SELECT CONCAT('\$mysql',LEFT(authentication_string,6),'*',INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')) AS hash FROM mysql.user WHERE plugin = 'caching_sha2_password' AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' AND authentication_string !='';

Hashcat Mode : 7401

Postgres

SELECT * FROM pg_shadow;
SELECT username,passwd FROM pg_roles;

Hash Prep :

  • Strip md5 from the prefix.
  • Add the username to the hash file : 01dfae6e5d4d90d9892622325959afbe:USERNAME

Hashcat Mode : 10

Cassandra

select * FROM system_auth.roles;

Hashcat Mode : 1800

SQL server 2014

SELECT name,password_hash FROM sys.sql_logins;

MongoDB Shell :

db.system.users.find().pretty()
db.getUsers({showCredentials: true}).users[0]

VerticaDB :

select *  from v_catalog.passwords;

Hash Prep :

  • Strip md5 from the prefix.
  • Add the username to the hash file : 01dfae6e5d4d90d9892622325959afbe:USERNAME

Hashcat Mode : 10

You May Also Enjoy

RCE into EA using Kubeflow Notebooks

2 minute read

Intro Multiple articles and blog posts written about Kubeflow intrigued me to dive (albeit shallow) into and scour the depths of Shodan one evening to see wh...

Burp Suite Extension - Raw Collaborator

1 minute read

The following describes the set up and usage of a Burp Suite Extension I wrote, that creates a new Collaborator URL and dumps the raw Interaction transaction...