Brute-forcing passwords on Microsoft SQL Server to test for weakness


SQL Server is a relational database solution created by Microsoft. It supports two types of login for gaining access to the database, namely:

  1. Windows authentication, which is the default and is often referred to as integrated security because the SQL Server security model is tightly integrated with Windows. In this type of authentication, Windows users who have already been authenticated do not have to present additional credentials.
  2. SQL Server authentication. In this type of login, user names and passwords are stored in the database for authentication purposes. This type of authentication is used when a user who is not integrated with Windows needs access to the database.

In this post I will be showing you various techniques employed to crack passwords via SQL Server authentication through port 1433, the port used by the MSSQL service.

What is required

  • You will need BackTrack 5 or Kali Linux to run these commands
  • A virtual machine to host the operating system where required

Hydra: Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more. We need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
In this post, I will create a user list with all the users I want to test, called username.txt, and save it in the following location: “/root/Desktop/Dictionary”. Additionally, I will create a password list of all the different password permutations, called password.txt (note that you can also download this), and save it in the following location: “/root/Desktop/Dictionary”.
Open a terminal on BackTrack and run the following command:
hydra -L /root/Desktop/hydra/username.txt -P /root/Desktop/hydra/password.txt 10.2.11.24 mssql
where 10.2.11.24 is the target SQL Server database and mssql is the service being attacked.

Note,
-P:  denotes path for the password list
-L: denotes the path of the username text file
Once the command is executed it will start brute-forcing the password by applying the dictionary attack. This can be seen in the screenshot below.

Medusa: Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, MSSQL, HTTP, IMAP, rlogin, SSH, and Subversion, to name a few.
We will use the same dictionary we created in the last test. Run the following command:
medusa -h 10.2.11.24 -U /root/Desktop/hydra/username.txt -P /root/Desktop/hydra/password.txt -M mssql
-h: denotes the target host
-U: denotes the path of the username text file
-P: denotes the path for the password list
-M: denotes the module (protocol) to use

Nmap: Nmap is a very popular port scanner used mainly for reconnaissance. Surprisingly, it can also brute-force passwords. The command below will attempt to determine a username and password through a brute-force attack against MS-SQL by means of the username and password dictionaries.
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/hydra/username.txt,passdb=/root/Desktop/hydra/password.txt 10.2.11.24
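All three tools above leave the same footprint on the server side: a dense burst of failed SQL Server logins (error 18456) from a single client address, often against 'sa' and a handful of guessed login names. The following added example (my own code, not from the original post or from any of the tools it describes) parses the "Login failed for user" lines that SQL Server writes to its ERRORLOG and flags clients whose failures cluster inside a short window. The log excerpt is constructed for the example, and the threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (assumption: default SQL Server ERRORLOG layout).
# Error 18456 is logged as two lines: an "Error: 18456" line and a "Login failed" line.
# Only the second carries the user, reason and client address, so that is what we parse.
SAMPLE_ERRORLOG = """\
2024-05-01 10:15:02.13 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:02.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.2.11.50]
2024-05-01 10:15:02.41 Logon       Error: 18456, Severity: 14, State: 5.
2024-05-01 10:15:02.41 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.2.11.50]
2024-05-01 10:15:02.78 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:02.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.2.11.50]
2024-05-01 10:15:03.05 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:03.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.2.11.50]
2024-05-01 10:15:03.40 Logon       Error: 18456, Severity: 14, State: 5.
2024-05-01 10:15:03.40 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.2.11.50]
2024-05-01 10:15:03.77 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.2.11.50]
2024-05-01 11:02:44.90 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 11:02:44.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.2.11.7]
"""

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)


def parse_failed_logins(text):
    """Return one dict per 'Login failed' line: timestamp, user, reason, client."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue  # "Error: 18456" lines and unrelated log lines are skipped
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": m.group("reason"),
            "client": m.group("client"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with at least `threshold` failures inside any sliding `window`.

    A dictionary attack produces a tight burst of failures from one client, usually
    hammering the same login and mixing in names that do not exist; a human typo
    produces one or two failures spread over time.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        peak = 0
        for end in range(len(evs)):
            # advance the window start until every event between start and end fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = {
                "failures": len(evs),
                "peak_in_window": peak,
                "users": sorted({e["user"] for e in evs}),
                # "Could not find a login" (state 5) means login names are being guessed too
                "unknown_logins": sum("Could not find a login" in e["reason"] for e in evs),
                "first": evs[0]["ts"],
                "last": evs[-1]["ts"],
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['failures']} failures, peak {info['peak_in_window']} per window, "
              f"logins tried {info['users']}, {info['unknown_logins']} unknown")
```

Note that the state number (8 for a wrong password, 5 for an unknown login) only appears in the server-side ERRORLOG; clients are always told state 1, so the unknown-login count is a signal you can only get from the server's own log. Feed the same parser the output of `xp_readerrorlog` or the Windows Application log to run it against a live instance.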
Hope you found this post valuable.
