A penetration tester should know where SQL Server stores its passwords, how to dump the hashes, and how to crack them to gain further information. Auditing the strength of SQL Server passwords is also necessary, because a weak password can let a malicious attacker execute system commands remotely and compromise the application's security.
David Litchfield wrote a good paper on cracking SQL Server passwords in 2002. Read it first to understand how the hashes work, then practice with the following instructions and tools.
1. Dump the hash locally
C:\>osql -E
1> select name, password from master..sysxlogins where name='sa'
2> go
name password
sa 0x0100EA1ED32230A0DC42EE75F0A8D98234E26DDFF9720590BB687641F98DE93C45E05E6406A0E1BE291FA4D8205C
1>
2. Crack it!
Split the hash as follows:
0x0100
EA1ED322 (salt, 8 chars)
30A0DC42EE75F0A8D98234E26DDFF9720590BB68 (case sensitive hash, 40 chars)
7641F98DE93C45E05E6406A0E1BE291FA4D8205C (upper case hash, 40 chars)
Launch your favorite hash cracker; here I use PasswordsPro. Add the hash, then crack.
Note that this is not an instant recovery: it must use a dictionary or brute-force attack. But this demo password was cracked immediately by the preliminary attack!
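The split above can be checked mechanically. The following Python is an added example written for this page, not part of the original post or of any tool it mentions; it rebuilds a hash of the same layout (0x0100 header, 4-byte salt, SHA-1 of the UCS-2 password plus salt, SHA-1 of the upper-cased UCS-2 password plus salt), splits a stored sysxlogins value into those parts, and verifies a single candidate password against it. The salt DEADBEEF, the password Passw0rd and the blocklist are constructed demo values. A DBA can use the blocklist check to confirm that no login still carries a well-known weak password; comparing against the upper-case half is enough for that, because it matches regardless of the case the user typed.

```python
import hashlib

# Layout of a SQL Server 2000 pwdencrypt() hash, as split in the post above:
#   0100          header (2 bytes)
#   8 hex chars   salt (4 bytes)
#   40 hex chars  SHA-1(UCS-2LE(password) + salt)      case-sensitive hash
#   40 hex chars  SHA-1(UCS-2LE(upper(password)) + salt)  upper-case hash
HEADER = "0100"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def make_hash(password: str, salt: bytes) -> str:
    """Rebuild a pwdencrypt()-style hash for a known password and 4-byte salt."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    ucs2 = password.encode("utf-16-le")            # SQL Server stores passwords as UCS-2
    ucs2_upper = password.upper().encode("utf-16-le")
    return ("0x" + HEADER + salt.hex().upper()
            + sha1_hex(ucs2 + salt) + sha1_hex(ucs2_upper + salt))


def split_hash(hex_hash: str) -> dict:
    """Split a sysxlogins password value into header, salt and the two SHA-1 digests."""
    h = hex_hash[2:] if hex_hash[:2].lower() == "0x" else hex_hash
    h = h.upper()
    if len(h) != 92 or h[:4] != HEADER:
        raise ValueError("expected a 46-byte SQL Server 2000 password hash")
    return {
        "header": h[:4],
        "salt": h[4:12],
        "case_sensitive": h[12:52],
        "upper_case": h[52:92],
    }


def check_password(hex_hash: str, candidate: str) -> tuple:
    """Return (exact_match, case_insensitive_match) for one candidate password."""
    parts = split_hash(hex_hash)
    salt = bytes.fromhex(parts["salt"])
    exact = sha1_hex(candidate.encode("utf-16-le") + salt) == parts["case_sensitive"]
    upper = sha1_hex(candidate.upper().encode("utf-16-le") + salt) == parts["upper_case"]
    return exact, upper


def audit_against_blocklist(hex_hash: str, blocklist):
    """Return the first blocklist entry the stored hash matches ignoring case, else None."""
    for weak in blocklist:
        if check_password(hex_hash, weak)[1]:
            return weak
    return None


if __name__ == "__main__":
    # Constructed demo values: this salt and password are made up for the example.
    demo_salt = bytes.fromhex("DEADBEEF")
    demo_hash = make_hash("Passw0rd", demo_salt)
    print(demo_hash)
    print(split_hash(demo_hash))
    print(check_password(demo_hash, "Passw0rd"))   # exact and case-insensitive match
    print(check_password(demo_hash, "PASSW0RD"))   # only the upper-case half matches
    print(audit_against_blocklist(demo_hash, ["sa", "password", "passw0rd"]))
```

The second hash half is what makes the audit cheap: because it is computed over the upper-cased password, a candidate only has to be right up to letter case to match it, which is also why the post's split labels the two halves separately.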
3. Reset the password
SQL Server passwords are stored in master.mdf, located in C:\Program Files\Microsoft SQL Server\MSSQL\Data. The Russian company ElcomSoft released a tool named Advanced SQL Password Recovery, which provides instant recovery of SQL passwords by modifying master.mdf.
Another option is SQL Password by LastBit, which can both reset and crack SQL passwords, whereas the ElcomSoft tool can only reset them. But in my tests SQL Password could not parse some master.mdf files.
