Microsoft SQL Server password cracking

From: Barry Dorrans (barryd@VIRTUEAPPLICATIONS.COM)
Date: 07/09/02


Date:         Tue, 9 Jul 2002 09:59:37 +0100
From: Barry Dorrans <barryd@VIRTUEAPPLICATIONS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Note: This email has gone to both NTBUGTRAQ and incidents.org - please
direct your replies to the list you are subscribed to.

Some of you will have seen the register article on SQL server password
cracking, http://www.theregister.co.uk/content/4/26086.html

As usual, Mr Greene's reporting is accurate to a point, but leaves out
any mitigating circumstances, and in this case the mitigating circumstance
makes the password cracker a not useful tool. Judging from my attempts
to get Microsoft security articles fixed before, I don't hold out much
hope for accuracy either. So I thought I'd fire off this email to the
lists in order to halt some worries.

The password cracker relies on getting access to the hashes that SQL
uses to store old style usernames and passwords. These are stored within
a SQL database on the servers, and can be retrieved. However, they can
ONLY be retrieved by users who already have SA rights. This is the
information that theregister, and Mr Greene leaves out. The hashes are
stored in sysxlogins, which is not available to your average joe user.

Now of course there are numerous people out there who haven't set SA
passwords, as the spread of the SQL worm last month showed, but for
anyone with an ounce of sense this password cracker will not create
problems. It CANNOT work by simply pointing it at an MS SQL server.

As I recommended when the SQL worm started (the last time I attempted to
correct theregister, again, never corrected), you should consider using
NT usernames and passwords. I also suggest that you make sure that
logging of failed SQL logins is turned on (this is off by default) -
open SQL enterprise manager, right click on your server, choose
properties and then choose security.

For those of you not in a domain or AD environment, you can still use
NTLM security by mirroring usernames and passwords, see my incidents.org
post archived at
http://www.incidents.org/archives/intrusions/msg12880.html

Regards,

Barry
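
The checks the message recommends, collected as a T-SQL audit script. This is an added example, not part of the original post. It assumes a SQL Server 2000-era instance (xp_loginconfig, the syslogins view, sp_helpsrvrolemember and sp_helprotect) and a session that already has sysadmin rights.

```sql
-- Added audit example; run as a sysadmin on the instance being reviewed.
-- Assumption: SQL Server 2000-era system objects are present.
USE master;
SET NOCOUNT ON;

-- 1. Authentication mode and login auditing level.
--    xp_loginconfig returns one (name, config_value) row per setting.
CREATE TABLE #cfg (name sysname, config_value varchar(128) NULL);
INSERT #cfg EXEC master.dbo.xp_loginconfig;

SELECT 'SQL logins are accepted (login mode = ' + config_value + ')' AS finding
FROM #cfg
WHERE name = 'login mode'
  AND LOWER(config_value) <> 'windows nt authentication'
UNION ALL
SELECT 'failed logins are not logged (audit level = ' + config_value + ')'
FROM #cfg
WHERE name = 'audit level'
  AND LOWER(config_value) NOT IN ('failure', 'all');

-- 2. SQL-authenticated logins that have no password set, SA included.
--    Only the NULL test is used; no hash values are selected.
SELECT name AS login_with_blank_password
FROM master.dbo.syslogins
WHERE isntname = 0
  AND password IS NULL;

-- 3. Everyone who holds the rights needed to read the stored hashes.
CREATE TABLE #sa (ServerRole sysname, MemberName sysname, MemberSID varbinary(85));
INSERT #sa EXEC master.dbo.sp_helpsrvrolemember 'sysadmin';
SELECT MemberName AS sysadmin_member FROM #sa;

DROP TABLE #cfg;
DROP TABLE #sa;

-- 4. Explicit permissions granted on sysxlogins. An error saying there are
--    no matching rows to report means nothing has been granted.
EXEC sp_helprotect 'sysxlogins';
```

Any row from step 1 or step 2, or an unexpected name in step 3 or step 4, is something to fix before relying on the mitigation described above.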


