Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Review: MSSQLCrack

By Steve Jones,

Review: MSSQLCrack

Introduction

I noticed a post in our forums about a new password cracker for MS SQL Server. So I decided to download and give it a try.

Installation

I went to the NGSSoftware site and read a little about the program, including the white paper to get an idea of what the program does. I then registered to get the evaluation program and had a password emailed to me within minutes.

After downloading the program, I ran the installation, which completed flawlessly inside a couple minutes. After watching a nag screen on the eval for 20 seconds, the program started. I didn't time the screen, in fact it seemed like minutes, so I went on to other things, but they do tell you it's a 20 second screen right on the dialog.

Running the program

I started the program and it is an intuitive system with only a few menu choices, so it's hard to make a mistake. The first step was to look through the menus. The File menu only had Save, Open, and Exit, so I went on to the "Crack" menu.

The Crack menu only had "Start" and "Settings" menus. Selecting Settings gave me a screen that had a character set at the top and a large "Get Hashes from SQL Server" button. Selecting that button allowed me to specify a server, choose Windows Auth or SQL Auth and then get a list of password hashes. This worked flawlessly and returned me to the main screen. From there I clicked the "Start" button and got my passwords.

The Results

There were only 6 hashes on my SQL Server because this is a test system. Of these, only 2 are SQL accounts, the others are NT accounts. Since my company insists on Windows Authentication only, this is the only system I had handy.

Initially I had a blank sa password (I just had switched from Windows only to mixed security) and 1 4 character password. This program completed the crack in about 10 seconds and guessed my password. It tried something like 5 million combinations. Now I know I have a fast machine, but this is impressive.

I next set a long (12 character) random password for sa and re-ran the program. It took a little longer, actually I paused the program after 45 minutes since I was ready to go home.

The next day, I changed the password to 'sqls3v3rc3ntr@l' (don't worry, it's since been changed) and re-ran the program. I started at 11:15 and let this run for about 5 hours. No crack. Since I had to go home, I stopped this test.

One last try. I set the password to a six character 'sqlm@n'. Started the crack again. My test user with a password of "test", was cracked within 30 seconds. After an hour, the brute force display had passed the "s" and moved into the "t" range with 6 characters, yet had not cracked this password. I had checked the box where it looks for the common substitutions of 1 for i, 3 for e, etc.

Hmmmm, I'm confused. I was sure I'd be cracked by now.

I sent an email to NGS with a few comments and received an email back which explained the issue. There is a setting that determines what characters are used for the brute force attack and I was not including the '@' character. I changed this and in a few hours the password had been cracked!

Test Systems

Client Computer:
Toshiba 9000
1.1GHz Intel CPU
768MB RAM
10GB+ disk Windows XP
SQL 2000 Client tools installed

Server:
Toshiba 9000
1.5GHz Intel CPU
1gB RAM
10GB+ disk Windows 2000 Server
SQL 2000 SP2

Conclusions

Andy Warren mentioned to me that this program consumed 100% CPU when running. I checked this while running the program and it was true on my laptop as well. But I didn't notice any slowdown while switching between mail, QA, the crack program, and a few other items even listening to ESPN Radio. But maybe that's my machine. There is also an option to run this program at low priority, which reduces the CPU load somewhat. Setting this didn't make a difference in my case, but compare your machine to mine.

This is a great tool for administrators to use for checking passwords. It's also a good educational tool. If you can run this, so can someone else. If it cracks your passwords, consider making some administrative changes. Also be sure you secure sa access to your SQL Server. If someone can get the hashes from your server, your security is compromised.

I was surprised at the time it took to try and crack some of my passwords. L0phtCrack seemed to work much faster, though I received an email from NGS Software that states this is because of the different hashing algorithms used by Microsoft for the passwords. If you can spare a machine, this is a good security audit tool and definitely one to be aware of and guard against.

If you would like to know more about how this program works, there is a white paper (Cracking SQL Server Passwords) that you can read.

As always I welcome feedback on this article using the "Your Opinion" button below. Please also rate this article.

Steve Jones
©dkRanch.net July 2002

Summary of Pros and Cons

 Pros Cons
  • Ease of use
  • Allows auditing of SQL Passwords
  • Can be slow
  • Uses 100% of CPU (can be changed)

Price

Single License US$285

Contact Information

NEXT GENERATION SECURITY SOFTWARE LIMITED
SURREY HOUSE
52 THROWLEY WAY
SUTTON
SURREY
SM1 4BF
UNITED KINGDOM

Sales@ngssoftware.com
http://www.nextgenss.com/company.html

 


Return to Steve Jones Home

 

Total article views: 18018 | Views in the last 30 days: 6
 
Related Articles
BLOG

Excellent article on cracking SQL Server passwords

The SQLServerAdvisor mailing from SearchSQLServer.com had a link to a very good article on cracking...

FORUM

sql server 2005, password character set

sql server 2005, password character set

FORUM

Cracking

just thought you guys might be interested... [url]http://www.nextgenss.com/papers/cracking-sql-pass...

FORUM

Passwords

Storing passwords securely

BLOG

Password Cracking–Part 1

I’ve run into the not uncommon situation where there is a SQL login and no one seems to have the...

Tags
product reviews    
reviews    
 
Contribute

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones
Editor, SQLServerCentral.com

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones