For database admins, it is not a nightmare to handle with lost sql server password, which can be easily retrieved from application source code or just reset it in Enterprise Manager.
But for a penetration tester, he should know where the passwords store, how to dump hashes, and crack them to gain more information. And it is necessary to audit the strength of sql server passwords, because weak sql passwords could cause system command execution remotely by a malicious hacker, compromising the application security.
David Litchfiled has written a good paper about cracking sql server passwords in 2002. You should read it to understand the mechanism of hashes, and after that, practice the following instructions and tools.
1. Dump hash locally
1> select name, password from master..sysxlogins where name='sa'
2. Crack it!
Split the hash as following:
EA1ED322 (salt, 8 chars)
30A0DC42EE75F0A8D98234E26DDFF9720590BB68 (case sensitive hash, 40 chars)
7641F98DE93C45E05E6406A0E1BE291FA4D8205C (upper case hash, 40 chars)
Launch your favorite hash crackers, here I use PasswordsPro, add hash then crack.
Mention that it is not an instant recovery, it must use dictionary or brute force. But this demo password was cracked by a preliminary crack immediately!
3. Reset password
The sql server passwords are stored in master.mdf, located in C:\Program Files\Microsoft SQL Server\MSSQL\Data. The Russian company ElcomSoft released a tool named Advanced SQL Password Recovery, which provides instant recovery of sql passwords by modifying master.mdf.