Password cracking tools for SQL Server
When performing a penetration test or higher-level security audit of SQL Server systems, there's
one test that should not be skipped: the SQL Server password test. It may seem obvious, but many
people overlook it.
Password testing can help determine how easily a malicious insider or external attacker can
break into a database, and it can also help ensure SQL Server users are being responsible with
their accounts. Furthermore, testing for password flaws is especially important with SQL Server
authentication in mixed mode, which is less secure than other Windows authentication modes.
The first step of password testing is to determine which systems to test. While you may know
your environment like the back of your hand, it doesn't hurt to ferret out servers that may
Premium Access
Register now for unlimited access to our premium content across our network of over 70 information Technology web sites.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy
Dig Deeper
-
People who read this also read...
-
This was first published in December 2009
have
been forgotten or that someone else connected to the network without your knowledge.
SQLPing3, a
free SQL Server discovery tool and password cracker, can help you get started. The tool has
multiple options for discovering live SQL Server Systems, as shown in Figure 1.
Figure 1: Options for discovering live systems with SQLPing3 (click to enlarge)
In addition, SQLPing3 can scan for SQL Server instances that conventional port scanning might
miss, and it can point out the systems that have blank sa passwords. SQLPing3 can also run
dictionary attacks against SQL Server, which is as simple as loading your own user account and
password lists.
While this is the most basic level of SQL Server discovery and password cracking, it's a great
place to begin.
Another free tool, Cain & Abel,
allows you to dump and crack SQL Server password hashes, as shown in Figure 2.
Figure 2: Dumping and cracking hashes with Cain & Abel (click to enlarge)
With Cain & Abel, you can insert your own hashes or connect to the database via ODBC and
dump them all in one fell swoop for subsequent cracking.
On the commercial side, both NGSSQLCrack and AppDetective
Pro are good tools for performing dictionary and brute-force password cracking.
My favorite new commercial SQL Server password cracker is Advanced SQL Password Recovery from
Elcomsoft. With Advanced SQL Password Recovery, you can immediately recover passwords from SQL
Server master.mdf files, as shown in Figure 3.
Figure 3: Point and click password cracking directly from master.dbf with Advanced SQL
Password Recovery (click to enlarge)
This may seem unreasonable or downright impossible since SQL Server systems are assumed to be
locked down on the inside of the network. However, I often come across administrator-level
passwords or find missing patches that, when exploited, allow for easy access to database servers
with full rights. At that point, anything on the system is fair game.
It's important to remember that SQL Server password cracking shouldn't be taken lightly. Treat
this as a formal security assessment, getting the approval of management and carefully planning
things out -- you don't want to create trouble.
Still, there are a few downsides to password cracking to keep in mind:
- Password cracking can eat up valuable system resources including CPU time, memory and network
bandwidth literally to the point of creating a denial-of-service attack on the system.
- Dictionary and brute-force attacks can take a lot of time -- something you may not have,
especially if you can only test your systems during a certain window of time.
- Dictionary attacks are only as good as the dictionary you're using, so make sure you've got
reliable dictionaries at your disposal. I have found the BlackKnight
List to be the most comprehensive dictionary.
Finally -- and perhaps most importantly -- make sure you follow up on your findings. That may
mean sharing your findings with management and your colleagues in IT, tweaking your password policy
and spreading the word on security to show just how serious a business issue it
is.
ABOUT THE AUTHOR
Kevin Beaver, is an information
security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC.
Kevin specializes in performing independent security assessments. Kevin has authored/co-authored
seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the
Security on Wheels information security
audio books and blog
providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
Disclaimer:
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation