Auditing IT components using CAATs

Auditing SQL Server Passwords

SQL Server allows two methods of authenticating to the database.  You can configure the database to use either Windows Authentication or Mixed Mode.

Windows Authentication uses Microsoft Windows security to validate the account and password of the requesting user account with the Windows operating system.

Mixed mode allows for both Windows Authentication and SQL Server authentication.  With SQL Server authentication, an explicit user account and password are required to access the database (see http://msdn.microsoft.com/en-us/library/ee677331(v=azure.10).aspx for more details).

From SQL Server 2005 onwards, the password hashes are stored in the table sys.sql_logins (see http://msdn.microsoft.com/en-us/library/ms174355(v=sql.90).aspx for the table description).

To audit the passwords, request that the SQL Server administrator run the following SQL:

Once you have them, there are various tools you can use to audit the password hashes. 

I use HASHCAT (see http://hashcat.net/hashcat/).  This tool has an array of options and features including a GUI.  These are documented at http://hashcat.net/wiki/doku.php?id=start

There is also a user manual at http://hashcat.net/files/hashcat_user_manual.pdf

The basic requirements of the tool are shown below.

 
Get help by typing

Fundamentally, you put the retrieved hashes in a text file and point HASHCAT at it using the SQL Server option.  Available modes include dictionary, brute force, etc.

You can also use CAIN (although given its other capabilities I would be surprised if your security administrator would be happy to have it on your network!).  See http://hkashfi.blogspot.ie/2007/08/breaking-sql-server-2005-hashes.html for details.
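
As an added example (not from the original post), the query below is a read-only audit the administrator can run against sys.sql_logins on the server itself. It reports policy and expiry enforcement for each login and uses the built-in PWDCOMPARE function to flag logins whose password equals the login name or appears in a short candidate list; the candidate values are constructed for illustration, and no hashes leave the instance.

```sql
-- Added example: read-only audit of SQL Server authentication logins.
-- Run as a sysadmin; password_hash is not visible to ordinary logins.
-- The candidate list is constructed for illustration; use your own policy list.
DECLARE @candidates TABLE (pwd nvarchar(128) NOT NULL);
INSERT INTO @candidates (pwd)
VALUES (N''), (N'password'), (N'Password1'), (N'sa'), (N'changeme');

SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,        -- 0 = Windows password policy not enforced
    l.is_expiration_checked,    -- 0 = password expiration not enforced
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    -- PWDCOMPARE returns 1 when the clear-text value matches the stored hash
    CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1
         THEN 1 ELSE 0 END AS password_equals_login_name,
    CASE WHEN EXISTS (SELECT 1
                      FROM @candidates AS c
                      WHERE PWDCOMPARE(c.pwd, l.password_hash) = 1)
         THEN 1 ELSE 0 END AS password_in_candidate_list
FROM sys.sql_logins AS l
ORDER BY password_in_candidate_list DESC,
         password_equals_login_name DESC,
         l.name;
```

Any row with a 1 in the last two columns, or a 0 in is_policy_checked on an enabled login, is a finding to raise with the database owner.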


Comments

RE: Auditing SQL Server Passwords

Excellent SQL Server password audit advice that complements the previous Oracle equivalent.

Martin554 at 9/11/2012 3:42 AM