When performing a penetration test or higher-level security audit of SQL Server systems, there's one test that should not be skipped: the SQL Server password test. It may seem obvious, but many people overlook it.
Password testing can help determine how easily a malicious insider or external attacker can break into a database, and it can also help ensure SQL Server users are being responsible with their accounts. Furthermore, testing for password flaws is especially important with SQL Server authentication in mixed mode, which is less secure than other Windows authentication modes.
The first step of password testing is to determine which systems to test. While you may know your environment like the back of your hand, it doesn't hurt to ferret out servers that may have been forgotten or that someone else connected to the network without your knowledge.
SQLPing3, a free SQL Server discovery tool and password cracker, can help you get started. The tool has multiple options for discovering live SQL Server Systems, as shown in Figure 1.
In addition, SQLPing3 can scan for SQL Server instances that conventional port scanning might miss, and it can point out the systems that have blank sa passwords. SQLPing3 can also run dictionary attacks against SQL Server, which is as simple as loading your own user account and password lists.
While this is the most basic level of SQL Server discovery and password cracking, it's a great place to begin.
Another free tool, Cain & Abel, allows you to dump and crack SQL Server password hashes, as shown in Figure 2.
With Cain & Abel, you can insert your own hashes or connect to the database via ODBC and dump them all in one fell swoop for subsequent cracking.
My favorite new commercial SQL Server password cracker is Advanced SQL Password Recovery from Elcomsoft. With Advanced SQL Password Recovery, you can immediately recover passwords from SQL Server master.mdf files, as shown in Figure 3.
This may seem unreasonable or downright impossible since SQL Server systems are assumed to be locked down on the inside of the network. However, I often come across administrator-level passwords or find missing patches that, when exploited, allow for easy access to database servers with full rights. At that point, anything on the system is fair game.
It's important to remember that SQL Server password cracking shouldn't be taken lightly. Treat this as a formal security assessment, getting the approval of management and carefully planning things out -- you don't want to create trouble.
Still, there are a few downsides to password cracking to keep in mind:
- Password cracking can eat up valuable system resources including CPU time, memory and network bandwidth literally to the point of creating a denial-of-service attack on the system.
- Dictionary and brute-force attacks can take a lot of time -- something you may not have, especially if you can only test your systems during a certain window of time.
- Dictionary attacks are only as good as the dictionary you're using, so make sure you've got reliable dictionaries at your disposal. I have found the BlackKnight List to be the most comprehensive dictionary.
Finally -- and perhaps most importantly -- make sure you follow up on your findings. That may mean sharing your findings with management and your colleagues in IT, tweaking your password policy and spreading the word on security to show just how serious a business issue it is.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.