I noticed a post in our forums about a new password cracker for MS SQL Server. So I decided to download and give it a try.
I went to the NGSSoftware site and read a little about the program, including the white paper to get an idea of what the program does. I then registered to get the evaluation program and had a password emailed to me within minutes.
After downloading the program, I ran the installation, which completed flawlessly inside a couple minutes. After watching a nag screen on the eval for 20 seconds, the program started. I didn't time the screen, in fact it seemed like minutes, so I went on to other things, but they do tell you it's a 20 second screen right on the dialog.
Running the program
I started the program and it is an intuitive system with only a few menu choices, so it's hard to make a mistake. The first step was to look through the menus. The File menu only had Save, Open, and Exit, so I went on to the "Crack" menu.
The Crack menu only had "Start" and "Settings" menus. Selecting Settings gave me a screen that had a character set at the top and a large "Get Hashes from SQL Server" button. Selecting that button allowed me to specify a server, choose Windows Auth or SQL Auth and then get a list of password hashes. This worked flawlessly and returned me to the main screen. From there I clicked the "Start" button and got my passwords.
There were only 6 hashes on my SQL Server because this is a test system. Of these, only 2 are SQL accounts, the others are NT accounts. Since my company insists on Windows Authentication only, this is the only system I had handy.
Initially I had a blank sa password (I just had switched from Windows only to mixed security) and 1 4 character password. This program completed the crack in about 10 seconds and guessed my password. It tried something like 5 million combinations. Now I know I have a fast machine, but this is impressive.
I next set a long (12 character) random password for sa and re-ran the program. It took a little longer, actually I paused the program after 45 minutes since I was ready to go home.
The next day, I changed the password to 'sqls3v3rc3ntr@l' (don't worry, it's since been changed) and re-ran the program. I started at 11:15 and let this run for about 5 hours. No crack. Since I had to go home, I stopped this test.
One last try. I set the password to a six character 'sqlm@n'. Started the crack again. My test user with a password of "test", was cracked within 30 seconds. After an hour, the brute force display had passed the "s" and moved into the "t" range with 6 characters, yet had not cracked this password. I had checked the box where it looks for the common substitutions of 1 for i, 3 for e, etc.
Hmmmm, I'm confused. I was sure I'd be cracked by now.
I sent an email to NGS with a few comments and received an email back which explained the issue. There is a setting that determines what characters are used for the brute force attack and I was not including the '@' character. I changed this and in a few hours the password had been cracked!
1.1GHz Intel CPU
SQL 2000 Client tools installed
1.5GHz Intel CPU
Windows 2000 Server
SQL 2000 SP2
Andy Warren mentioned to me that this program consumed 100% CPU when running. I checked this while running the program and it was true on my laptop as well. But I didn't notice any slowdown while switching between mail, QA, the crack program, and a few other items even listening to ESPN Radio. But maybe that's my machine. There is also an option to run this program at low priority, which reduces the CPU load somewhat. Setting this didn't make a difference in my case, but compare your machine to mine.
This is a great tool for administrators to use for checking passwords. It's also a good educational tool. If you can run this, so can someone else. If it cracks your passwords, consider making some administrative changes. Also be sure you secure sa access to your SQL Server. If someone can get the hashes from your server, your security is compromised.
I was surprised at the time it took to try and crack some of my passwords. L0phtCrack seemed to work much faster, though I received an email from NGS Software that states this is because of the different hashing algorithms used by Microsoft for the passwords. If you can spare a machine, this is a good security audit tool and definitely one to be aware of and guard against.
If you would like to know more about how this program works, there is a white paper (Cracking SQL Server Passwords) that you can read.
As always I welcome feedback on this article using the "Your Opinion" button below. Please also
rate this article.
©dkRanch.net July 2002
Summary of Pros and Cons
- Ease of use
- Allows auditing of SQL Passwords
- Can be slow
- Uses 100% of CPU (can be changed)
NEXT GENERATION SECURITY SOFTWARE LIMITED
52 THROWLEY WAY
Return to Steve Jones Home