Have you ever wanted to do a password audit on the SQL logins that applications and developers use to connect to the instances that you manage? Offline password cracking is a great way of doing that with zero impact on the performance of your SQL Server instances.

About offline cracking

Password cracking is the process of obtaining the clear text version of a password from its scrambled (hashed) version. This is usually done by brute-forcing: trying many password candidates until you find the one that, when run through the same hashing algorithm that produced the original hash, yields an identical hash.

Offline cracking consists of getting one or more username and password hash pairs and attempting to carry out the cracking process outside of the system where those user and password hash pairs reside, in this case the system being a SQL Server instance.

SQL Server login hashes

As per the official documentation, SQL Server stores the password as a SHA-512 hash of the salted password.
The salt is a random 4-byte value, like what CRYPT_GEN_RANDOM(4) would return.
The hashed password is generated using the following simplified formula:
0x0200 + Salt + SHA-512(password + Salt)

To generate a password hash the same way SQL Server does during a login creation or password update, you can use the following code:

(Screenshot: the password hash being generated with the same algorithm SQL Server uses for SQL login password hashes; caption: Hash generated from a provided string)

To view the password hashes of your instance’s currently existing SQL logins you can use the sys.sql_logins catalog view.

(Screenshot: SSMS showing the result of a query against sys.sql_logins; caption: SQL logins, their types, password hashes, and SIDs)

Getting the hashes

Since the cracking tools used in this demo work with a [username]:[hash] format, I’ve written the following query to prepend the server name to the username so that it’s easier to keep track of which credentials come from which server in case you would want to do this against a list collected from your whole environment.

(Screenshot: username and hashed password pairs listed using the above query; caption: A hashcat-friendly format of the server name, login names and their hashed passwords)
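The hash layout described in the previous section and the [username]:[hash] list produced by the query above are both easy to reason about in code. The following Python is an added example, not the post's own T-SQL or hashcat: it builds a hash with the same 0x0200 + salt + SHA-512 layout (SQL Server hashes the password as nvarchar, so the digest input is the UTF-16LE bytes of the password followed by the 4 salt bytes, which is also what hashcat's -m 1731 computes), parses lines in the username:hash shape the query produces (the separator the query puts between server name and login is not visible in the post, so the parser splits on the last colon and does not depend on it), and checks each stored hash against a constructed list of common passwords. The logins, salts, passwords and the common-password list are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Version marker SQL Server puts in front of SHA-512 (2012+) password hashes.
PREFIX = "0x0200"
# 0x0200, then 4 salt bytes (8 hex chars), then the 64-byte SHA-512 digest (128 hex chars).
HASH_RE = re.compile(r"^0x0200([0-9A-Fa-f]{8})([0-9A-Fa-f]{128})$")


def mssql_hash(password: str, salt: bytes) -> str:
    """Return 0x0200 + salt + SHA-512(password + salt) as SQL Server stores it.

    SQL Server hashes the password as nvarchar, so the bytes fed to SHA-512
    are the UTF-16LE encoding of the password followed by the 4 salt bytes.
    """
    if len(salt) != 4:
        raise ValueError("SQL Server salts are exactly 4 bytes")
    digest = hashlib.sha512(password.encode("utf-16-le") + salt).digest()
    return PREFIX + salt.hex().upper() + digest.hex().upper()


def new_mssql_hash(password: str) -> str:
    """Hash a password with a fresh random 4-byte salt, like CRYPT_GEN_RANDOM(4)."""
    return mssql_hash(password, os.urandom(4))


def verify_mssql_hash(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare it to the stored value."""
    match = HASH_RE.match(stored)
    if match is None:
        raise ValueError("not a SQL Server 2012+ (0x0200) password hash")
    salt = bytes.fromhex(match.group(1))
    recomputed = mssql_hash(candidate, salt)
    return hmac.compare_digest(recomputed.lower(), stored.lower())


def parse_hash_line(line: str) -> tuple:
    """Split a '<username>:<hash>' line into (username, hash).

    The hash never contains a colon, so splitting on the last colon keeps
    whatever separator was used between the server name and the login intact.
    """
    username, _, stored = line.strip().rpartition(":")
    if not username or HASH_RE.match(stored) is None:
        raise ValueError(f"malformed hash line: {line!r}")
    return username, stored


def audit_hash_lines(lines, candidates):
    """Return {username: matching_candidate} for every login whose stored hash
    matches one of the candidate passwords; logins with no match are omitted."""
    weak = {}
    for line in lines:
        if not line.strip():
            continue
        username, stored = parse_hash_line(line)
        for candidate in candidates:
            if verify_mssql_hash(stored, candidate):
                weak[username] = candidate
                break
    return weak


# Constructed sample data: two logins on a server called SQL01, hashed here with
# fixed salts so the example is reproducible. Only the first uses a password that
# also appears in the (constructed) list of common passwords below.
SAMPLE_LINES = [
    "SQL01\\app_reporting:" + mssql_hash("Summer2019!", bytes.fromhex("A1B2C3D4")),
    "SQL01\\svc_etl:" + mssql_hash("x7#Vq9!mLp2@Zr4w", bytes.fromhex("0F1E2D3C")),
]
COMMON_PASSWORDS = ["password", "123456", "Summer2019!", "Welcome1"]


if __name__ == "__main__":
    for username, password in audit_hash_lines(SAMPLE_LINES, COMMON_PASSWORDS).items():
        print(f"{username}: uses the common password {password!r}")
```

The comparison goes through hmac.compare_digest and the salt is taken from the stored value rather than regenerated, so verify_mssql_hash can also be used as a known-answer check against the output of the T-SQL shown earlier: hash a test password in SQL Server, paste the result into stored, and the function should return True for that password only.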


On Windows

On Windows I like to use hashcat for tests like this one; it's especially fast if it can take advantage of a relatively new GPU.
I create a new txt file, paste the output of the above query in it and save the file.
And then I run the following command:

.\hashcat.exe --username -a 0 -m 1731 --hwmon-temp-abort 70 .\sqlhashes.txt E:\wordlists\rockyou.txt

--username specifies that the provided list of hashes contains usernames as well
-a 0 tells hashcat that this is a dictionary attack
-m 1731 stands for the SQL2012 hash type
--hwmon-temp-abort 70 tells hashcat to abort if the GPU reaches 70 degrees Celsius
.\sqlhashes.txt is the txt file that I've created earlier containing the usernames and hashes
E:\wordlists\rockyou.txt is a file containing 14.3 million password candidates

(Screenshot: PowerShell window cracking the SQL login passwords by running the command above)

Hashcat cracks the 5 hashes in a matter of seconds using rockyou.txt, a well-known password list.
To view the clear text passwords I just run the following command:

(Screenshot: PowerShell window listing the passwords cracked using hashcat)

On Linux

For the Linux-based demo I’m using Offensive Security’s Kali Linux distribution that comes with the most used penetration testing tools, including password crackers like John the Ripper.

The process is fairly similar: I create a txt file containing the results from the query that gets the server name, login names and their hashes.

In Linux, running cat sqlhashes.txt returns the contents of the file:

(Screenshot: contents of sqlhashes.txt)

And then proceed to run john against that text file using the same rockyou.txt password list.

(Screenshot: cracking the SQL login passwords by running john --wordlist=/usr/share/wordlists/rockyou.txt sqlhashes.txt)

To show the cracked passwords, I just run the following command:

(Screenshot: showing the cracked passwords by running john --show sqlhashes.txt; caption: SQL logins and their clear text passwords)


Auditing your environment's SQL login passwords via offline cracking is a fairly simple process, and it's a good first step in identifying and addressing applications and/or developers using potentially weak or common passwords in your environment.

Don't limit yourself to only the rockyou.txt password list; there are a bunch of great lists out there that are used by both security professionals and malicious actors.