Andrea Bertolotto
   
SQL Server Password Cracker 1.0.0.0

2/14/2005
Download (29 KB)

Background

Being interested in security and cryptography in general, I found myself reading an interesting document about how SQL Server 2000 stores login passwords, so I decided that coding something based on that article would be a worthwhile exercise. This tool is what I got after some hours of coding: select a SQL Server, get the password hashes from the system tables (you should be a sysadmin), read the SHA1 hashes and try to brute-force them.

Implementation

First of all, the article the idea comes from: Cracking MS SQL Server 2000 Passwords by Next Generation Security Software Ltd.
It describes how SQL Server password hashes are stored and the theoretical approach to brute-forcing them. A really good read!

Next we have some "related" work to do (we are lazy programmers and we want an easy UI), so we have to create a DropDownList populated with all the SQL Servers on the network. To accomplish this I wrote a SqlLocator class, adapted from an excellent article by Michael Potter on CodeProject (you can read the full article here). The original code was not suitable for me, because I'm working on a single workstation outside a Windows domain, and such a machine was not reported directly by the original class.

The next step is to get the passwords from SQL Server. This is done using this query (we need to be a sysadmin to read this data from the master database):
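    SELECT name, password
    FROM master.dbo.sysxlogins
    WHERE CHARINDEX('\', name) = 0      -- no backslash in the name: skip logins mapped from Windows accounts
                                        -- (T-SQL has no backslash escape; '\\' belongs only in a C# string literal)
      AND DATALENGTH(password) = 46     -- standard 46-byte password hash only
    ORDER BY name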
The WHERE clause filters out logins that are not native SQL Server logins (users mapped from Windows accounts) and non-standard passwords.

So, at last we have password hashes.
What we should do now is create a dictionary with all possible password permutations (derived from a user-defined charset) and, for each word, generate its SHA1 hash and compare it with the one stored in SQL Server.
This is the tricky and possibly very time-consuming step.
I added a counter and a message that is shown when a large number of passwords is generated, asking whether we want to proceed.

The SHA1Hasher class generates hashes using the standard .NET cryptography classes.

The Password object holds and decodes the data from SQL Server, based on the NGS article.

The PasswordGenerators class creates password permutations using recursion. It has two main methods: one generates UPPERCASE password permutations from a given charset (the hashes stored in SQL Server are in some way weak, because an uppercase representation of the password is stored there too), and one generates the possible case combinations of a known word.
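The record the Password object decodes and the uppercase weakness just mentioned, as an added Python example (not code from the tool): it assumes the layout documented in the NGS paper (2-byte header, 4-byte salt, then two 20-byte SHA-1 digests over the UTF-16LE password plus salt). The function names are hypothetical and the sample record is constructed.

```python
import hashlib
from typing import NamedTuple, Tuple

HEADER = b"\x01\x00"  # constant prefix of a SQL Server 2000 hash (per the NGS paper)
RECORD_LEN = 46       # the length the article's query filters on


class SqlHash(NamedTuple):
    salt: bytes   # 4 bytes
    mixed: bytes  # SHA-1 of the password as typed
    upper: bytes  # SHA-1 of the upper-cased password


def _digest(password: str, salt: bytes) -> bytes:
    # SHA-1 over the UTF-16LE password followed by the salt.
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def make_record(password: str, salt: bytes) -> bytes:
    """Build a constructed 46-byte record for the demo (not server output)."""
    return HEADER + salt + _digest(password, salt) + _digest(password.upper(), salt)


def parse_record(raw: bytes) -> SqlHash:
    """Split a stored value into salt and the two digests, rejecting other shapes."""
    if len(raw) != RECORD_LEN or raw[:2] != HEADER:
        raise ValueError("not a standard SQL Server 2000 password hash")
    return SqlHash(raw[2:6], raw[6:26], raw[26:46])


def check_candidate(rec: SqlHash, candidate: str) -> Tuple[bool, bool]:
    """Return (exact_match, case_folded_match) for one candidate password."""
    exact = _digest(candidate, rec.salt) == rec.mixed
    folded = _digest(candidate.upper(), rec.salt) == rec.upper
    return exact, folded


if __name__ == "__main__":
    # Constructed sample: password and salt are made up for this example.
    rec = parse_record(make_record("SeCrEt1", bytes.fromhex("a1b2c3d4")))
    for guess in ("SeCrEt1", "secret1", "other"):
        print(guess, check_candidate(rec, guess))
```

The second digest accepts any casing of the right word, which is why the tool searches uppercase candidates first and only afterwards works out the case.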

Finally, two important notes: keep in mind that this was not written with any particular optimization, so it should be considered a "proof of concept".
And please, don't consider this an evil "cracking" tool: I cannot be held responsible if you use it for some "black hat" activity.
   
Copyright © 2004-7 - Andrea Bertolotto - Site Version: 2.3.0.0 - 2/22/2010