MSSQL Database Credentials

Context

In this article, we will explore how to extract and crack Microsoft SQL Server (MSSQL) database credentials using SQL injection techniques. Readers should have a foundational understanding of database authentication, credential storage, and hashing algorithms. The objective is to demonstrate the process of credential extraction through SQL injection vulnerabilities and the subsequent cracking of password hashes.

Theory

Credential Storage in MSSQL

MSSQL stores login credentials in system tables: master..sysxlogins (exposed through the syslogins view) in MSSQL 2000, and the sys.sql_logins catalog view (with sys.syslogins kept as a compatibility view) in MSSQL 2005 and later. These tables hold the login name and the password hash for every SQL login. If access controls are not properly implemented, an adversary who can inject SQL can read these stored credentials.

Password Hashing in MSSQL

MSSQL stores passwords as salted hashes rather than in plaintext. However, earlier versions used less robust schemes (MSSQL 2000 additionally stored a hash of the upper-cased password, which removes case from the search space), and every version applies only a single unstretched hash round, so the hashes can be attacked quickly offline. Knowing which hashing mechanism the target MSSQL version uses is essential for choosing the right cracking mode.

SQL Injection for Credential Extraction

SQL injection is a technique where malicious SQL statements are inserted into an input field and executed by the database. Applied to a vulnerable query, it lets an attacker read credential tables such as syslogins and extract sensitive data, including password hashes. Whether this works depends on lax security measures: improper input sanitisation in the application and an over-privileged database login behind it.

Practice

Extracting Credentials from MSSQL

To extract credentials from MSSQL, you can utilize the following SQL queries to retrieve usernames and password hashes from the respective system tables:

  • For newer MSSQL versions (e.g., MSSQL 2005 and later):

    SELECT name, password_hash FROM sys.sql_logins;

    This query returns login names and their password hashes from the sys.sql_logins catalog view, which is standard in MSSQL 2005 and later. SQL Server populates password_hash only for callers holding CONTROL SERVER permission (sysadmin level); other principals receive NULL in that column, so an application login granted only the rights it needs in its own database exposes nothing here even when the injection itself succeeds.

  • For older MSSQL versions (e.g., MSSQL 2000):

    SELECT name, password FROM master..sysxlogins;

    Use this query to read the master..sysxlogins table, typical of older MSSQL versions, to obtain the stored credentials.

Upon executing these queries through a successful SQL injection, attackers can extract the needed usernames and password hashes from the MSSQL database.
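The two queries above are also what a defender should be looking for. The following added example (not code from the original article) scans query records for reads of the credential catalog objects named above by any principal other than the DBA accounts expected to touch them. The log format is a constructed simplification ("<timestamp> <principal> <statement>"); a real SQL Server Audit or Extended Events record carries the same fields under its own column names, and the sample lines, principal names and timestamps are constructed for the example. Inline comments are stripped before matching, since `sys./**/sql_logins` is the same object as `sys.sql_logins` to the server.

```python
"""Flag statements that read SQL Server credential tables from non-DBA principals.

Added example, not from the original article. The log format below is a
constructed simplification ("<timestamp> <principal> <statement>"); a real
SQL Server Audit or Extended Events record carries the same fields under its
own column names.
"""
import re

# Constructed sample: three statements from the web application's login and one from a DBA.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z webapp SELECT id, title FROM dbo.articles WHERE id = 42
2024-05-01T10:00:02Z webapp SELECT id, title FROM dbo.articles WHERE id = 42 UNION SELECT name, password_hash FROM sys.sql_logins
2024-05-01T10:00:03Z dba SELECT name, password_hash FROM sys.sql_logins
2024-05-01T10:00:04Z webapp SELECT name, password FROM master../**/sysxlogins
"""

# Catalog objects that expose login password hashes (the tables named in the article)
CREDENTIAL_OBJECTS = re.compile(
    r"\b(?:sys\.sql_logins|sys\.syslogins|(?:master\.\.)?sysxlogins|(?:master\.\.)?syslogins)\b",
    re.IGNORECASE,
)
# Block comments and line comments, which are commonly used to split identifiers
SQL_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)


def normalise(statement: str) -> str:
    """Strip inline comments and collapse whitespace so split identifiers still match."""
    return re.sub(r"\s+", " ", SQL_COMMENT.sub("", statement)).strip()


def find_credential_table_access(log_text: str, privileged_principals: set) -> list:
    """Return one finding per statement that touches a credential table from an unexpected principal."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the whole scan
        timestamp, principal, statement = parts
        match = CREDENTIAL_OBJECTS.search(normalise(statement))
        if match and principal not in privileged_principals:
            findings.append({"time": timestamp, "principal": principal,
                             "object": match.group(0).lower(), "statement": statement})
    return findings


if __name__ == "__main__":
    for f in find_credential_table_access(SAMPLE_LOG, {"dba"}):
        print(f"{f['time']} {f['principal']} read {f['object']}: {f['statement']}")
```

Run against the constructed sample, the scan reports the two webapp statements (the UNION-appended read of sys.sql_logins and the comment-split read of master..sysxlogins) and ignores both the DBA's legitimate query and the application's ordinary article lookup. In production the principal allow-list should be the small set of administrative logins, and the same rule can be expressed directly as a filter on the audit session.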

Cracking MSSQL Password Hashes

Once credential extraction is successful, the next step involves cracking the retrieved password hashes to obtain plaintext passwords. This can be accomplished using powerful password-cracking tools like hashcat:

  • Use hashcat with the MSSQL hash mode that matches the server version that produced the hash (131 for MSSQL 2000, 132 for MSSQL 2005 to 2008 R2, 1731 for MSSQL 2012 and later) and a chosen wordlist:

    hashcat -m 132 hashes.txt wordlist.txt

This command directs hashcat to use mode 132, its mode for MSSQL 2005-style hashes, reading the hashes from hashes.txt (one per line, in the hex form returned by the queries above) and testing the candidate plaintexts in wordlist.txt against them. The hash itself tells you which mode to pick: values starting 0x0100 are SHA-1 based (MSSQL 2000 if 46 bytes long, MSSQL 2005 if 26 bytes), while values starting 0x0200 are SHA-512 based (MSSQL 2012 and later, 70 bytes).

By executing this process, attackers can attempt to crack password hashes, which, if successful, results in obtaining the plaintext versions of passwords from the extracted data.
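The hash layouts behind the mode numbers above (and behind the hashing discussion in the Theory section) are simple enough to work through directly. The following added example, which is not code from the original article, parses a password_hash value, reports its layout and the matching hashcat mode, verifies a single candidate password against it, and lists which logins still carry the older SHA-1 layouts, which is the check a DBA wants after an upgrade, since SQL Server keeps the old hash until the password is changed. The login names, salt and candidate password are constructed for the example.

```python
"""Identify and verify SQL Server login password hashes.

Added example (not code from the original article). Hash layouts follow the
SQL Server pwdencrypt scheme:
  SQL Server 2000       0x0100 | 4-byte salt | SHA-1(UTF-16LE(pw)+salt) | SHA-1(UTF-16LE(UPPER(pw))+salt)   46 bytes
  SQL Server 2005-2008  0x0100 | 4-byte salt | SHA-1(UTF-16LE(pw)+salt)                                   26 bytes
  SQL Server 2012+      0x0200 | 4-byte salt | SHA-512(UTF-16LE(pw)+salt)                                 70 bytes
Sample logins, salts and passwords below are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Optional

# hashcat mode numbers for each layout
HASHCAT_MODES = {"mssql2000": 131, "mssql2005": 132, "mssql2012": 1731}


def parse_hash(value: str) -> dict:
    """Split a hex password_hash (with or without a 0x prefix) into version, salt and digest."""
    raw = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    version, salt, digest = raw[:2], raw[2:6], raw[6:]
    if version == b"\x02\x00" and len(digest) == 64:
        fmt, algo = "mssql2012", "sha512"
    elif version == b"\x01\x00" and len(digest) == 20:
        fmt, algo = "mssql2005", "sha1"
    elif version == b"\x01\x00" and len(digest) == 40:
        fmt, algo = "mssql2000", "sha1"
    else:
        raise ValueError("unrecognised SQL Server password_hash layout")
    return {"format": fmt, "algorithm": algo, "salt": salt, "digest": digest,
            "hashcat_mode": HASHCAT_MODES[fmt]}


def _digest(algo: str, password: str, salt: bytes) -> bytes:
    # SQL Server hashes the UTF-16LE encoding of the password followed by the 4-byte salt
    return hashlib.new(algo, password.encode("utf-16-le") + salt).digest()


def make_hash(password: str, fmt: str, salt: Optional[bytes] = None) -> bytes:
    """Build a password_hash value in the given layout (used here to construct samples)."""
    salt = os.urandom(4) if salt is None else salt
    if fmt == "mssql2012":
        return b"\x02\x00" + salt + _digest("sha512", password, salt)
    if fmt == "mssql2005":
        return b"\x01\x00" + salt + _digest("sha1", password, salt)
    if fmt == "mssql2000":
        # 2000 appends a second digest of the upper-cased password
        return (b"\x01\x00" + salt + _digest("sha1", password, salt)
                + _digest("sha1", password.upper(), salt))
    raise ValueError(f"unknown format {fmt}")


def verify(value: str, candidate: str) -> bool:
    """True if the candidate hashes to the stored value under the stored salt and layout."""
    info = parse_hash(value)
    expected = make_hash(candidate, info["format"], info["salt"])[6:]
    return hmac.compare_digest(expected, info["digest"])


def legacy_logins(rows) -> list:
    """Names of logins whose stored hash still uses a SHA-1 layout (2000 or 2005 style)."""
    return [name for name, value in rows if parse_hash(value)["format"] != "mssql2012"]


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"  # constructed; real salts are random per password
    rows = [
        ("svc_report", "0x" + make_hash("Winter2024", "mssql2005", salt).hex()),
        ("app_user", "0x" + make_hash("Winter2024", "mssql2012", salt).hex()),
    ]
    for name, value in rows:
        info = parse_hash(value)
        print(f"{name}: {info['format']} (hashcat -m {info['hashcat_mode']}), "
              f"matches 'Winter2024': {verify(value, 'Winter2024')}")
    print("still on legacy SHA-1 hashes:", legacy_logins(rows))
```

Two points the code makes concrete: the salt is only four bytes and there is no key stretching, so each candidate costs one SHA-1 or SHA-512 call, which is why wordlist attacks against these hashes are fast; and the 2000 layout's upper-cased second digest means a case-insensitive search already recovers a usable password for that version. The legacy_logins check is the defensive use: any login it lists should have its password reset so the server re-hashes it in the current layout.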

Tools

  • hashcat: A well-known and highly efficient password recovery tool designed to crack a variety of hash algorithms, including those used by MSSQL.
