Retrieve SQL Server Password

Introduction

This tool is used to retrieve the forgotten SQL Server Password. SQL Server creates the user's password hash, which is stored in the master database (sysxlogins).The user's password is converted to Unicode with the salt tacked on the end, and this is used to produce a hash with SHA 1. The same salt is added to the password when a user attempts to log in, and the resulting hash is compared to the one on record. If they match, access is granted. The hash is produced twice, against the case-sensitive password and again against the uppercase form. The uppercase 'version' is obviously a good deal easier to crack; and once we know it, finding the case-sensitive version is child's play. Indeed, there's little point in using case-sensitive passwords on your system if the crypto scheme is going to create hashes from the uppercase version, using the same salt, and then store them. Case-sensitive passwords are an improvement only so long as we're kept in the dark about their uppercase companions.
This uses Brute- force algorithm to attach SQL Server Password. Clearly Complex and long password may take few days to retrieve.

Registered Servers

Password and login ID of a registered SQL Server user in Enterprise Manager for SQL Server can be easily retrieved using SQL DMO (Distributed Management Object). Create file SQLPasswords.vbs and open it in Notepad. Add the following code and save it:

Dim pApplication
Set pApplication = CreateObject("SQLDMO.Application")
Call EnumGroups(pApplication.ServerGroups)

Sub EnumGroups(ByVal pGroups)
    Dim pServerGroup
    Dim pRegServer
    
    For Each pServerGroup In pGroups
        If pServerGroup.RegisteredServers.Count > 0 Then
     Msgbox "Group :" &  pServerGroup.Name
            For Each pRegServer In pServerGroup.RegisteredServers
                Msgbox "Name:" & pRegServer.Name
                Msgbox "Login:" & pRegServer.Login
                Msgbox "Password:" & pRegServer.Password
            Next
        End If
        If pServerGroup.ServerGroups.Count > 0 Then
            Call EnumGroups(pServerGroup.ServerGroups)
        End If
    Next
    
End Sub

Run the script and this will retrieve the passwords of registered servers using your account. If the 'Always prompt for login name and password' checkbox is not set when registering a SQL Server, the login ID and password is weakly encrypted and stored in the following registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X.

Recommendations

To securely use SQL Server, Microsoft recommends using Windows Integrated Security. In Windows Integrated Security mode, passwords are never stored as your Windows Domain sign-on is used as the security identifier to the database server.

History

5^th October, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Rajneesh Noonia

Software Developer (Senior)

United Kingdom

Member

I am an Techinical Lead working with Seria India Ltd. (Previously Known as Xansa),Noida, India. I have worked with Microsoft Visual Basic 6.0 , SQL Server,COM ,WIN32 API. I have been playing with the .NET Framework since it was in beta but have been using it commercially since late 2004.

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment