A simple hack of a login password

Task: to show how simply to hack a login password in SQL Server. Comparison of elapsed/estimated time for decryption vs different password lengths in different SQL Server versions


WARNING: by hacking any part of SQL Server, e.g. a password login, you will lose the warranty from Microsoft. This blog post has the educational purpose only. For testing purposes, you should try it on the development machine only. I do not take any responsibility for any damages caused by this article.


Recommendations:

• run the cmd.exe as an administrator
• ERROR: cuModuleLoad() 209 – NV users require ForceWare 310.32 or later (NVIDIA update); AMD users require Catalyst 13.1 -exact-
• set convenient paths to hashcat utility (C:\Temp\Hashcat) and to text files (PASSWORDS and HASHES)

Prerequisites:

1. SSMS > T-SQL > get hashes of login passwords

SELECT [NAME], [PASSWORD_HASH]
FROM [SYS].[SQL_LOGINS]

or

SELECT [NAME], 
LOGINPROPERTY([SYS].[SYSLOGINS].[NAME],'PasswordHash') AS PasswordHash
FROM [SYS].[SYSLOGINS]
WHERE LOGINPROPERTY([SYS].[SYSLOGINS].[NAME],'PasswordHash') IS NOT NULL

2. Windows > Explorer > download hashcat utility and create auxiliary files

• create C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt
• create C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt
• create C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt
• create C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt
• create C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt
• create C:\Temp\Hashcat\MSSQL12_HASHES.txt
• download and unzip hashcat utility from hashcat utility to C:\Temp\Hashcat\

Tests:

SW & HW > Laptop > Lenovo Thinkpad E530

• Windows 7
• Processor: Intel Core i5 3210 Ivy Bridge
• RAM: 12GB
• Graphics: NVIDIA GeForce GT630M 2GB Optimus + Intel HD Graphics 4000

1. Windows > Run > run a new CMD window – MSSQL05-08R2_CMD_CPU.bat

cd C:\Temp\Hashcat\hashcat-0.44
echo Started: %time%
hashcat-cli64.exe -a 3 --pw-min=5 --pw-max=5 -m 131 -p : -o "C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt" --output-format=0 -n 4 "C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt" -1 ?l?u?d?s ?1?1?1?1?1
echo Stopped: %time%
pause

2. Windows > Run > run a new CMD window – MSSQL05-08R2_CMD_GPU.bat

cd C:\Temp\Hashcat\oclHashcat-lite-0.15
cudaHashcat-lite64.exe -m 132 -p : -o "C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt" --outfile-format=3 --gpu-temp-abort=100 --pw-min=5 --pw-max=5 -1 ?l?u?d?s "C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt" ?1?1?1?1?1
pause

3. Windows > Run > run a new CMD window – MSSQL12_CMD_CPU.bat

cd C:\Temp\Hashcat\hashcat-0.44
echo Started: %time%
hashcat-cli64.exe -a 3 --pw-min=5 --pw-max=5 -m 1731 -p : -o "C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt" --output-format=0 -n 4 "C:\Temp\Hashcat\MSSQL12_HASHES.txt" -1 ?l?u?d?s ?1?1?1?1?1
echo Stopped: %time%
pause

4. Windows > Run > run a new CMD window – MSSQL12_CMD_GPU.bat

cd C:\Temp\Hashcat\oclHashcat-lite-0.15
cudaHashcat-lite64.exe -m 1732 -p : -o "C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt" --outfile-format=3 --gpu-temp-abort=100 --pw-min=5 --pw-max=5 -1 ?l?u?d?s "C:\Temp\Hashcat\MSSQL12_HASHES.txt" ?1?1?1?1?1
pause

NOTE: not supported at the moment

Abbreviations:

• -a 3 – the attack mode. 3 indicates using brute force
• –pw-min=5 –pw-max=5 – at least 5 characters long and not more than 5 characters long
• -m 131 – this means a SQL 2005-2008 R2 hash (CPU)
• -m 132 – this means a SQL 2005-2008 R2 hash (GPU)
• -m 1731 – this means a SQL 2012 hash (CPU)
• -m 1732 – this means a SQL 2012 hash (GPU; note: not supported at the moment)
• -p : -o “C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_CPU.txt” – the output file name and location (CPU)
• -p : -o “C:\Temp\Hashcat\MSSQL05-08R2_PASSWORDS_GPU.txt” – the output file name and location (GPU)
• -p : -o “C:\Temp\Hashcat\MSSQL12_PASSWORDS_CPU.txt” – the output file name and location (CPU)
• -p : -o “C:\Temp\Hashcat\MSSQL12_PASSWORDS_GPU.txt” – the output file name and location (GPU)
• –output-format=0 – the format of the output file (CPU)
• –output-format=3 – the format of the output file (GPU)
• -n 4 – the number of thread counts to use
• “C:\Temp\Hashcat\MSSQL05-08R2_HASHES.txt” – the name and location of hash file for SQL 2005-2008 R2
• “C:\Temp\Hashcat\MSSQL12_HASHES.txt” – the name and location of hash file for SQL server 2012
• -1 ?l?u?d?s – the type of characters to try using brute force. l = lower case letters, u = upper case letters, d = numbers and s = special characters. (!@#, etc). Using ?a for all
• -?1?1?1?1?1 – number of position to the pw-max
• –gpu-temp-abort=100 – at 100 degrees Celsius, it will automatically stop

Notes:

• -oclHashcat-lite – decrypting single hash only
• -oclHashcat-plus – decrypting multiple hashes

Results:

Figure 1: CMD result – MSSQL05-08R2 (4-character password) – CPU

Figure 2: CMD result – MSSQL05-08R2 (5-character password) – CPU

Figure 3: CMD result – MSSQL05-08R2 (6-character password) – CPU

Figure 4: CMD result – MSSQL05-08R2 (8-character password) – CPU

Figure 5: CMD result – MSSQL05-08R2 (4-character password) – GPU

Figure 6: CMD result – MSSQL05-08R2 (5-character password) – GPU

Figure 7: CMD result – MSSQL05-08R2 (6-character password) – GPU

Figure 8: CMD result – MSSQL05-08R2 (8-character password) – GPU

Figure 9: CMD result – MSSQL12 (4-character password) – CPU

Figure 10: CMD result – MSSQL12 (5-character password) – CPU

Figure 11: CMD result – MSSQL12 (6-character password) – CPU

Figure 12: CMD result – MSSQL12 (8-character password) – CPU

Table results:

SQL Server		CPU				GPU
	password [chars]	_1Tc [4]	_1Tc& [5]	_1Tc5& [6]	_1Tc5&dI [8]	_1Tc [4]	_1Tc& [5]	_1Tc5& [6]	_1Tc5&dI [8]
2005-08R2	decryption time	<1s	7m	12h 30m	>113h	2s	7s	2h 19m	2y 143d
2012	decryption time	<3s	>31m	>2h	>63h	–	–	–	–

Notes:

• -light green – elapsed time
• -yellow – estimated time

Conclusion: the hashcat – advanced password recovery utility is very useful tool not only for decrypting SQL Server login passwords. The decryption time differences between particular SQL Server versions are caused by using of different hash algorithms. The version 2005-08R2 uses only SHA-1 hash whereas the version 2012 already uses SHA-2 (SHA-512 concretely) hash. To increase computing power and decrease decrypting time, it would be possible to connect more computers into grid etc.

Source Code:

• SQL_Server__a_simple_hack_of_a_login_password.zip
  by Marian Placko

Additional references:

• DBCS – double-byte character set
  by Wikipedia
• hashcat – advanced password recovery
  by hashcat
• LOGINPROPERTY (Transact-SQL)
  by MSDN
• MD5
  by Wikipedia
• Pen test and hack microsoft sql server (mssql)
  by Travis Altman
• SHA-1
  by Wikipedia
• SHA-2 (SHA512)
  by Wikipedia
• sys.sql_logins (Transact-SQL)
  by MSDN
• sys.syslogins (Transact-SQL)
  by MSDN

48.312872 18.086038

A simple hack of a system stored procedure

Task: to show how simply to hack a system stored procedure in SQL Server 2005 and higher by means of DAC (Dedicated Administrator Connection) and resource database (the read-only mssqlsystemresource database)


WARNING: by hacking any part of SQL Server, e.g. a system stored procedure, you will lose the warranty from Microsoft. This blog post has the educational purpose only. For testing purposes, you should try it on the development machine only. I do not take any responsibility for any damages caused by this article.


Recommendations:

• make a backup of the mssqlsystemresource database
• if necessary, add “Full control” permissions for the user of “NT Service\MSSLQSERVER” (the account of SQL Server (MSSQLSERVER) service) on “C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\mssqlsystemresource.ldf and mssqlsystemresource.mdf”
• run the cmd.exe as an administrator

The process of altering, i.e. hacking, e.g. of the system stored procedure sys.sp_who2 consists of the following steps:
1. Windows > Run => RUN A NEW CMD WINDOW

net stop mssqlserver
net start mssqlserver
cd C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn
sqlcmd -S .\
sys.sp_who2
go
exit
exit @echo CLOSE THE CMD WINDOW

2. Windows > Run => RUN A NEW CMD WINDOW

net stop mssqlserver
cd C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn
sqlservr -s mssqlserver -m
@echo DO NOT CLOSE THE CMD WINDOW

3. Windows > Run => RUN A NEW CMD WINDOW

cd C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn
sqlcmd -S .\ -A
use mssqlsystemresource
go
alter database mssqlsystemresource set read_write
go
sp_helptext 'sys.sp_who2'
go
alter procedure sys.sp_who2 as select 'hacked procedure'
go
sp_helptext 'sys.sp_who2'
go
alter database mssqlsystemresource set read_only
go
exit
exit @echo CLOSE ALL RUNNING CMD WINDOWS

4. Windows > Run => RUN A NEW CMD WINDOW

net start mssqlserver
cd C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn
sqlcmd -S .\
sys.sp_who2
go
exit
exit @echo CLOSE THE CMD WINDOW

Abbreviations:

• -A > dedicated admin connection
• -S > server
• -m > single user admin mode
• -s > name (alternate registry key name)
• .\ > localhost and default instance

Figure 1: SQLCMD result – the procedure sys.sp_who2 before hacking

Figure 2: SQLCMD result – the procedure sys.sp_who2 after hacking

Additional references:

• DAC (Dedicated Administrator Connection) in SQL Server 2008/2005 Express Edition
  by Marian Placko
• Resource Database
  by MSDN

48.312872 18.086038

A simple hack of a built-in MS SQL Server WITH ENCRYPTION mechanism

The SQL professionals know that the built-in MS SQL Server encryption mechanism by means of WITH ENCRYPTION T-SQL keyword is ineffective and easily broken. For much more details see also Google’s results e.g.:

• search phrase: sql decryptor (approximate number of results: 405 000)
• search phrase: sql server syscomments decryptor (approximate number of results: 2 850)

{3S} SQL Smart Security is an add-in which can be installed in Microsoft SQL Server Management Studio (SSMS) 2005, 2008, 2008 R2, 2012 and their respective Express versions. It enables software companies to create a secured content for database objects (note: currently, in 1.1 version can be secured only the content of stored procedures, but in the future, there are considered user defined functions, triggers and views as well). It brings much higher level of protection in comparison with SQL Server built in WITH ENCRYPTION mechanism for software companies that want to protect their heavily acquired know-how by creation of application logic on the database server side on a daily basis.

None of the currently available SQL decryptors are capable of cracking {3S} SQL Smart Security. Most importantly, all encrypted database objects remain executable! Moreover, installing {3S} SQL Smart Security does not affect any settings and does not replace default encryption options entirely. The developers (end-users) always have an option to choose which encryption settings to use.

See a short story of a simple hack by means of built-in MS SQL Server WITH ENCRYPTION mechanism on the example bellow.

WARNING: In the following examples, an excellent free tool called dbForge SQL Decryptor by the Devart (formerly known as Core Lab) software development company (http://www.devart.com/) will be used for educational purposes, only for decrypting the stored procedure.

Figure 1: built-in WITH ENCRYPTION hack – stored procedure encryption by means of built-in MS SQL Server WITH ENCRYPTION mechanism

Figure 2: built-in WITH ENCRYPTION hack – lock on encrypted stored procedure by means of built-in MS SQL Server WITH ENCRYPTION mechanism

Figure 3: built-in WITH ENCRYPTION hack – stored procedure decrypting by means of dbForge SQL Decryptor

Figure 4: built-in WITH ENCRYPTION hack – decrypted stored procedure by means of dbForge SQL Decryptor

By applying dbForge SQL Decryptor to the encrypted stored procedure by means of built-in MS SQL Server WITH ENCRYPTION mechanism it is possible to see that the stored procedure body IS A PLAIN SOURCE CODE TEXT!!!

Figure 5: built-in WITH ENCRYPTION hack – encrypted stored procedure by means of {3S} SQL Smart Security

Figure 6: built-in WITH ENCRYPTION hack – decrypted {3S} SQL Smart Security stored procedure by means of dbForge SQL Decryptor

By applying dbForge SQL Decryptor to the encrypted stored procedure by means of {3S} SQL Smart Security it is possible to see that the stored procedure body IS NOT A PLAIN SOURCE CODE TEXT but includes the {3S} SQL Smart Security metadata only!!!

Additional references:

• {3S} SQL Smart Security: Step by Step Manual”
  by Marian Placko

48.312872 18.086038

DAC (Dedicated Administrator Connection) in SQL Server 2008/2005 Express Edition

For the first time, DAC appeared in the SQL Server 2005 version. It enables one user from the sysadmins group (that means, the system administrator) to connect to the running instance of SQL Server Database Engine, especially for the purpose of solving occurred problems on the server (note: DAC connection will disconnect all other users from this server.) It will be used, e.g. in cases when the server does not respond to requirements coming from the client’s side but also in decrypting the content of database objects (i.e. of stored procedures, user-defined functions, views and triggers) which were encrypted using the key word WITH ENCRYPTION (note: the possibilities of content decryption by means of implicit encryption of  database objects will be dealt in some of other contributions on this topic.)

In the Express versions, this feature is implicitly deactivated. The procedure to allow DAC for the Express versions is as follows:

• starting up of “Control Panel\System and Maintenance\Administrative Tools\Services”
• stopping of “SQL Server Express” service
• opening of the dialog window “Properties” on the suspended service
• adding “-T7806” into the text box “Start parameters”
• starting of the “SQL Server Express” service

DAC is available either through the SQLCMD utility (e.g. C:>SQLCMD -E -S.\SQLEXPRESS -A) or by means of SSMS (i.e. SQL Server Management Studio). A requirement is a need to use Query Editor with the ADMIN parameter for the server name (e.g. ADMIN:MP\SQLEXPRESS2008), while it is not possible to use the Object Explorer! The connection may be established direct from the given server only. No network connection to such a server is allowed.

Figure 1: Applet Services (Windows Vista)

Figure 2: SQL Server Properties (SQLS 2008)

Figure 3: Management Studio – failure of an attempt to DAC before allowing it (SQLS 2008)

Figure 4: Management Studio – failure of an attempt to DAC before allowing it (SQLS 2005)

Figure 5: Management Studio – failure of an attempt to DAC after allowing it through Object Explorer (SQLS 2008)

Figure 6: SQLCMD – DAC performance (SQLS 2008)

Figure 7: SQLCMD – execution of a query in the database (SQLS 2008)

Figure 8: SQLCMD – failure of an attempt to DAC after restarting the SQL Server service (SQLS 2008)

Figure 9: Management Studio – DAC connection configuration through Query Editor (SQLS 2008)

Figure 10: Management Studio – execution of a query in the database through Query Editor (SQLS 2008)

Figure 11: Management Studio – a case when DAC is already used by other person (SQLS 2008)

Additional reference:

• Dedicated Administrator Connection – SQL School Video
  by Andy Warren
• Enabling the Dedicated Administrator Connection (DAC) in SQL Server Express
  by Brian Kelley

48.312872 18.086038