SQLPAT

This tool is used to audit the strength of Microsoft SQL Server passwords offline. It can be run either in brute-force mode or in dictionary attack mode. The performance on a 1 GHz Pentium (256 MB) is around 750 000 guesses/sec.

To perform an audit, one needs the password hashes that are stored in the sysxlogins table in the master database. The program needs them formatted in a text file as follows (see the included file hashes.txt):

<username>,<hash>

The hashes are easy to retrieve, although you need a privileged account to do so, such as the sa account. The query to use in this case is:
select name, password from master..sysxlogins
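
A pre-flight check for the hashes.txt input described above, as an added example that is not part of SQLPAT or the original page. It assumes one entry per line, the SQL Server 2000 hash layout (0x0100 header, 4-byte salt, two 20-byte SHA-1 digests), and that a login with no stored hash is exported as an empty field or NULL; check_hash_file and SAMPLE are hypothetical names.

```python
import re

# Assumed SQL Server 2000 layout (not stated on this page): 0x0100 header,
# 4-byte salt, two 20-byte SHA-1 digests = 2 + 4 + 40 bytes, i.e. "0x0100"
# followed by 88 hex digits.
HASH_RE = re.compile(r"^0x0100[0-9A-Fa-f]{88}$")


def check_hash_file(lines):
    """Return (entries, problems) for lines in <username>,<hash> format."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue  # ignore blank lines
        # Split on the LAST comma: a login name may contain commas,
        # a hex-encoded hash cannot.
        user, sep, hash_ = line.rpartition(",")
        user, hash_ = user.strip(), hash_.strip()
        if not sep or not user:
            problems.append((lineno, "missing username or comma"))
        elif hash_.upper() in ("", "NULL"):
            # Nothing to audit offline; review these logins separately.
            problems.append((lineno, f"{user}: no password hash stored"))
        elif not HASH_RE.match(hash_):
            problems.append((lineno, f"{user}: hash is not 0x0100 + 88 hex digits"))
        elif user.lower() in seen:
            # Case-insensitive comparison is an assumption about the collation.
            problems.append((lineno, f"{user}: duplicate login"))
        else:
            seen.add(user.lower())
            entries.append((user, hash_))
    return entries, problems


# Constructed sample input; the hash values are filler, not real hashes.
SAMPLE = [
    "sa,0x0100" + "AB" * 44,
    "app,user,0x0100" + "0f" * 44,   # login name containing a comma
    "reporting,NULL",                # no stored hash
    "broken-line-without-comma",
    "backup,0x0100ABCD",             # truncated hash
    "SA,0x0100" + "12" * 44,         # same login listed twice
]

if __name__ == "__main__":
    ok, bad = check_hash_file(SAMPLE)
    print(f"{len(ok)} usable entries")
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```
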

To perform a dictionary attack on the retrieved hashes:
sqlbf -u hashes.txt -d dictionary.dic -r out.rep

This will run dictionary.dic against the hashes in the hashes.txt file and report any matches found in the out.rep file.

To perform a brute-force attack on the retrieved hashes:
sqlbf -u hashes.txt -c default.cm -r out.rep

This will try to brute-force the passwords using the supplied character set (see default.cm) and output the results to out.rep.

Thanks to David Litchfield for publishing the excellent article “SQL Server Passwords” http://www.nextgenss.com/

Changes
2002-07-12 Version 1.0.1 – Minor patches to correct bug on Solaris

Downloads
Version 1.0.1 source sqlbf-all-src-1.0.1.zip
Version 1.0.0 binary sqlbf-win-binary-1.0.0.zip

Author
SQLPAT was developed by Patrik Karlsson.