How to crack SQL Server's password Hashes



SQL Server uses an undeclared and undocumented function, pwdencrypt(), to produce a hash of a login's password, which is stored in the sysxlogins table of the master database. I guess this is common knowledge for most people who work with SQL Server, but I have never come across an article detailing this function. So here I am focusing on the details of this password hash in order to dig deeper into it.
So let's begin with what it looks like.

Using Query Analyzer, or the SQL tool of your choice, run the following query:

select password from master.dbo.sysxlogins where name='sa'

You should get something similar to the following returned.

0x01008D504D65431D6F8AA7AED333590D7DB1863CBFC98186BFAE06EB6B327EFA5449E6F649BA954AFF4057056D9B

This is the hash of the 'sa' login's password on my machine.
There is one notable property of this hashing function: it will give you two different hashes for the same password if you hash it at two different times. The function is designed so that if two logins use the same password, their stored hashes still differ, so the hashes alone do not reveal that the passwords are the same.
Now let's run through a scenario and study it. Here I am going to take AAAAAA as the password and then get a hash of it using:

select pwdencrypt('AAAAAA')

which produces the hash:

0x01008444930543174C59CC918D34B6A12C9CC9EF99C4769F819B43174C59CC918D34B6A12C9CC9EF99C4769F819B
The key point here is that there are two password hashes, concatenated together as an additional security measure. However, as luck would have it, they can also be cracked separately. The value actually has four parts:
  1. 0x0100
  2. 84449305
  3. 43174C59CC918D34B6A12C9CC9EF99C4769F819B
  4. 43174C59CC918D34B6A12C9CC9EF99C4769F819B
The first part is the same in both hashes shown above; the second is the part that changes from one hash to the next. As you can see, the 3rd and 4th parts are identical here, which shows that the password is always stored twice: one copy is the case-sensitive password as originally supplied, and the other is the upper-case version of the same password (identical in this case because AAAAAA is already upper case). This is a serious concern, since anyone attacking the hash has had their work cut in half: rather than trying every combination of upper- and lower-case letters ("case permutations"), they can simply use upper-case characters only, which reduces the keyspace needed to cover the same passwords.
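To make the four-part layout concrete, here is a small Python script added for this page (it is not the article's code, nor the tool linked below). It splits a pwdencrypt() value into its fields, rebuilds a hash of the same shape from a password and a 4-byte salt, and checks a candidate password against either digest. It follows the scheme as publicly documented for SQL Server 2000, SHA-1 over the UCS-2 (UTF-16LE) password followed by the salt; the article itself does not name the algorithm, so treat that detail, together with the constructed sample password and salt, as assumptions of the example rather than something shown on the page. The article's own AAAAAA hash is used only to demonstrate the field split.

```python
import hashlib
import hmac
import os

HEADER = bytes.fromhex("0100")  # constant prefix seen on every hash quoted above

# pwdencrypt('AAAAAA') value quoted in the article, used here to show the split.
ARTICLE_HASH = ("0x0100" "84449305"
                "43174C59CC918D34B6A12C9CC9EF99C4769F819B"
                "43174C59CC918D34B6A12C9CC9EF99C4769F819B")


def split_hash(hex_value):
    """Split a 0x-prefixed hash string into header, salt and the two digests."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) != 46 or raw[:2] != HEADER:
        raise ValueError("expected a 46-byte hash beginning with 0x0100")
    return {
        "header": raw[0:2],
        "salt": raw[2:6],              # the part that changes from hash to hash
        "case_sensitive": raw[6:26],   # digest of the password as supplied
        "upper_case": raw[26:46],      # digest of the upper-cased password
    }


def digest(password, salt):
    """SHA-1 of the UCS-2 (UTF-16LE) password followed by the 4-byte salt.

    Assumption of this example: the article does not name the algorithm.
    """
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def make_hash(password, salt=None):
    """Build a value laid out like pwdencrypt(): header, salt, two digests.

    The server derives its salt from the clock; here it is random unless the
    caller supplies one. The salt is what makes two hashes of one password differ.
    """
    if salt is None:
        salt = os.urandom(4)
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    raw = HEADER + salt + digest(password, salt) + digest(password.upper(), salt)
    return "0x" + raw.hex().upper()


def verify(password, stored):
    """Case-sensitive check: the one a real login would have to pass."""
    fields = split_hash(stored)
    return hmac.compare_digest(digest(password, fields["salt"]),
                               fields["case_sensitive"])


def verify_ignoring_case(password, stored):
    """Check against the upper-case digest only.

    This is the weakness the article describes: a candidate only has to match
    in upper case, so the letter case of the real password is irrelevant here.
    """
    fields = split_hash(stored)
    return hmac.compare_digest(digest(password.upper(), fields["salt"]),
                               fields["upper_case"])


def stores_duplicate_digest(stored):
    """True when both digests agree, i.e. upper() leaves the password unchanged."""
    fields = split_hash(stored)
    return fields["case_sensitive"] == fields["upper_case"]


if __name__ == "__main__":
    for name, value in split_hash(ARTICLE_HASH).items():
        print(f"{name:15s} {value.hex().upper()}")
    # Constructed sample: a mixed-case password hashed with a fixed, made-up salt.
    sample = make_hash("Winter.Rain7", bytes.fromhex("01020304"))
    print("exact password     :", verify("Winter.Rain7", sample))
    print("wrong case, strict :", verify("winter.rain7", sample))
    print("wrong case, upper  :", verify_ignoring_case("winter.rain7", sample))
```

verify_ignoring_case is the practical effect of the fourth field: a candidate only has to match the upper-cased digest, so under this scheme letter case adds nothing to a login's password strength and length or non-alphabetic characters have to do the work instead. stores_duplicate_digest flags hashes whose two digests agree, which tells an auditor that the password contains nothing that upper() would change.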

Here I am attaching a link to a simple command-line dictionary attack tool.

Click here to get the code.

 [ And this program is not coded by me, as my programming is a Null vector. :D ]

