How to Crack Database Passwords

By Kevin Beaver

QLPing3 serves as a nice dictionary-based SQL Server password-cracking program. It checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown here.

Using Cain & Abel to crack Oracle password hashes.
Using Cain & Abel to crack Oracle password hashes.

You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes at the bottom left, and click the blue plus symbol at the top to load a user name and password hash to start the cracking. You can also select Oracle TNS Hashes at the bottom left and attempt to capture Transport Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.

The commercial product ElcomSoft Distributed Password Recovery can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions), you can use ElcomSoft’s Advanced SQL Password Recovery to recover database passwords immediately.

You might stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery can get you right in.

As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. It’s also a nice way to underscore the problems with critical files scattered across the network in an unprotected fashion.

Another good way to demonstrate SQL Server weaknesses is to use Microsoft SQL Server 2008 Management Studio Express to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see (and show) what’s available. In practically every unprotected SQL Server system, there’s sensitive personal financial or healthcare information available for the taking.