Retrieve SQL Server Password
Introduction
This tool is used to retrieve the forgotten SQL Server Password. SQL Server creates the user's password hash, which is stored in the master database (sysxlogins
).The user's password is converted to Unicode with the salt tacked on the end, and this is used to produce a hash with SHA 1. The same salt is added to the password when a user attempts to log in, and the resulting hash is compared to the one on record. If they match, access is granted. The hash is produced twice, against the case-sensitive password and again against the uppercase form. The uppercase 'version' is obviously a good deal easier to crack; and once we know it, finding the case-sensitive version is child's play. Indeed, there's little point in using case-sensitive passwords on your system if the crypto scheme is going to create hashes from the uppercase version, using the same salt, and then store them. Case-sensitive passwords are an improvement only so long as we're kept in the dark about their uppercase companions.
This uses Brute- force algorithm to attach SQL Server Password. Clearly Complex and long password may take few days to retrieve.
Registered Servers
Password and login ID of a registered SQL Server user in Enterprise Manager for SQL Server can be easily retrieved using SQL DMO (Distributed Management Object). Create file SQLPasswords.vbs and open it in Notepad. Add the following code and save it:
Dim pApplication Set pApplication = CreateObject("SQLDMO.Application") Call EnumGroups(pApplication.ServerGroups) Sub EnumGroups(ByVal pGroups) Dim pServerGroup Dim pRegServer For Each pServerGroup In pGroups If pServerGroup.RegisteredServers.Count > 0 Then Msgbox "Group :" & pServerGroup.Name For Each pRegServer In pServerGroup.RegisteredServers Msgbox "Name:" & pRegServer.Name Msgbox "Login:" & pRegServer.Login Msgbox "Password:" & pRegServer.Password Next End If If pServerGroup.ServerGroups.Count > 0 Then Call EnumGroups(pServerGroup.ServerGroups) End If Next End Sub
Run the script and this will retrieve the passwords of registered servers using your account. If the 'Always prompt for login name and password' checkbox is not set when registering a SQL Server, the login ID and password is weakly encrypted and stored in the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X.
Recommendations
To securely use SQL Server, Microsoft recommends using Windows Integrated Security. In Windows Integrated Security mode, passwords are never stored as your Windows Domain sign-on is used as the security identifier to the database server.
History
- 5th October, 2006: Initial post