Password cracking tools for SQL Server

When performing a penetration test or higher-level security audit of SQL Server systems, there's one test that should not be skipped: the SQL Server password test. It may seem obvious, but many people overlook it.

Password testing can help determine how easily a malicious insider or external attacker can break into a database, and it can also help ensure SQL Server users are being responsible with their accounts. Furthermore, testing for password flaws is especially important with SQL Server authentication in mixed mode, which is less secure than other Windows authentication modes.

The first step of password testing is to determine which systems to test. While you may know your environment like the back of your hand, it doesn't hurt to ferret out servers that may have been forgotten or that someone else connected to the network without your knowledge.

SQLPing3, a free SQL Server discovery tool and password cracker, can help you get started. The tool has multiple options for discovering live SQL Server Systems, as shown in Figure 1.

Figure 1: Options for discovering live systems with SQLPing3 (click to enlarge)
[IMAGE]

In addition, SQLPing3 can scan for SQL Server instances that conventional port scanning might miss, and it can point out the systems that have blank sa passwords. SQLPing3 can also run dictionary attacks against SQL Server, which is as simple as loading your own user account and password lists.

While this is the most basic level of SQL Server discovery and password cracking, it's a great place to begin.

Another free tool, Cain & Abel, allows you to dump and crack SQL Server password hashes, as shown in Figure 2.

Figure 2: ...

To read more you must become a member of SearchSQLServer.com

As an existing member of the TechTarget network please activate your SearchSQLServer.com account 

By joining SearchSQLServer.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers Database Management and Administration Using traces in SQL Server Profiler Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V How to create SQL Server virtual appliances for Hyper-V

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Dumping and cracking hashes with Cain & Abel (click to enlarge)
[IMAGE]

With Cain & Abel, you can insert your own hashes or connect to the database via ODBC and dump them all in one fell swoop for subsequent cracking.

On the commercial side, both NGSSQLCrack and AppDetective Pro are good tools for performing dictionary and brute-force password cracking.

My favorite new commercial SQL Server password cracker is Advanced SQL Password Recovery from Elcomsoft. With Advanced SQL Password Recovery, you can immediately recover passwords from SQL Server master.mdf files, as shown in Figure 3.

Figure 3: Point and click password cracking directly from master.dbf with Advanced SQL Password Recovery (click to enlarge)
[IMAGE]

This may seem unreasonable or downright impossible since SQL Server systems are assumed to be locked down on the inside of the network. However, I often come across administrator-level passwords or find missing patches that, when exploited, allow for easy access to database servers with full rights. At that point, anything on the system is fair game.

It's important to remember that SQL Server password cracking shouldn't be taken lightly. Treat this as a formal security assessment, getting the approval of management and carefully planning things out -- you don't want to create trouble.

Still, there are a few downsides to password cracking to keep in mind:

• Password cracking can eat up valuable system resources including CPU time, memory and network bandwidth literally to the point of creating a denial-of-service attack on the system.
• Dictionary and brute-force attacks can take a lot of time -- something you may not have, especially if you can only test your systems during a certain window of time.
• Dictionary attacks are only as good as the dictionary you're using, so make sure you've got reliable dictionaries at your disposal. I have found the BlackKnight List to be the most comprehensive dictionary.

Finally -- and perhaps most importantly -- make sure you follow up on your findings. That may mean sharing your findings with management and your colleagues in IT, tweaking your password policy and spreading the word on security to show just how serious a business issue it is.

ABOUT THE AUTHOR:   

[IMAGE]Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.