{"id":2877,"date":"2015-02-19T15:56:49","date_gmt":"2015-02-19T15:56:49","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2015\/02\/19\/grabbing-microsoft-sql-server-password-hashes\/"},"modified":"2019-12-11T13:56:38","modified_gmt":"2019-12-11T13:56:38","slug":"grabbing-microsoft-sql-server-password-hashes","status":"publish","type":"post","link":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/","title":{"rendered":"Grabbing Microsoft SQL Server Password Hashes"},"content":{"rendered":"<p>Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear text credentials, password hashes, tokens and so on in order to compromise the network further. An example of these are the Microsoft SQL (MS SQL) Server password hashes. Since version 2008 of MS SQL Server, the domain administrator group is not in the \u201csysadmin\u201d group anymore. Moreover, since version 2012 the Windows built-in System account isn\u2019t there either. This means that regardless your domain admin privileges you can\u2019t just connect to MS SQL Server to extract the password hashes. However there are some <a href=\"https:\/\/blog.netspi.com\/sql-server-local-authorization-bypass\/\">workarounds<\/a> to bypass these restrictions which will involve gaining System privileges if you are dealing with version 2008, or migrating to the MS SQL process if the version that you are targeting is 2012 or higher. As a penetration tester I like automating tasks keeping everything organised in one single place. Metasploit is a great framework with a lot of modules and the \u201cmssql_local_auth_bypass\u201d one allows you to create a MS SQL login account in the sysadmin group by providing domain admin credentials. However if your goal is to extract hashes this means you need to login to the MS SQL Server instance again and execute the queries you want; this is one process that can be automated in order to save time and effort. This is the idea of \u201cmssql_local_hash\u201d, a metasploit module that will extract the password hashes, regardless of the version of MS SQL Server. <b>[29\/03\/2015] This module is now part of Metasploit master branch: <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/post\/windows\/gather\/credentials\/mssql_local_hashdump.rb\">mssql_local_hashdump.rb<\/a><b> <\/b><\/b><\/p>\n<h4><b><b>Installation<\/b><\/b><\/h4>\n<pre>\r\n<b><b>\r\nmkdir -p ~\/.msf4\/modules\/post\/windows\/manage\r\ncd ~\/.msf4\/modules\/post\/windows\/manage\r\ncurl -O https:\/\/raw.githubusercontent.com\/m7x\/Metasploit-Modules\/master\/post\/windows\/manage\/mssql_local_hashdump.rb\r\n<\/b><\/b><\/pre>\n<h4><b><b>Usage<\/b><\/b><\/h4>\n<p><b><b>Pop a meterpreter shell in the remote server using the psexec module and then run post\/windows\/manage\/mssql_local_hashdump Here is the output of running the module against MS SQL Server 2008: <\/b><\/b><\/p>\n<p><b><b><img decoding=\"async\" src=\"\/wp-content\/uploads\/files\/sql1.png\" \/> <\/b><\/b><\/p>\n<p>&nbsp;<\/p>\n<p><b><b>Output running against MS SQL Server 2012:<\/b><\/b><\/p>\n<p><b><b><img decoding=\"async\" src=\"\/wp-content\/uploads\/files\/sql2.png\" \/> <\/b><\/b><\/p>\n<p>&nbsp;<\/p>\n<p><b><b>The module will store the hashes in a file that can be used as input for John the Ripper. Here is an example file:<\/b><\/b><\/p>\n<p><b><b><img decoding=\"async\" src=\"\/wp-content\/uploads\/files\/sql3.png\" \/> <\/b><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear text credentials, password hashes, tokens and so on in order to compromise the network further. An example of these are the Microsoft SQL (MS SQL) Server password hashes. Since version 2008 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[209],"class_list":["post-2877","post","type-post","status-publish","format-standard","hentry","category-researchblog","tag-infrastructure","wpbf-post"],"contentshake_article_id":"","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Grabbing Microsoft SQL Server Password Hashes<\/title>\n<meta name=\"description\" content=\"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/\" \/>\n<meta property=\"og:locale\" content=\"nl_NL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Grabbing Microsoft SQL Server Password Hashes\" \/>\n<meta property=\"og:description\" content=\"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/\" \/>\n<meta property=\"og:site_name\" content=\"Dionach\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/dionachcyber\" \/>\n<meta property=\"article:published_time\" content=\"2015-02-19T15:56:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-12-11T13:56:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dionach Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:site\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:label1\" content=\"Geschreven door\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dionach Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Geschatte leestijd\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/\"},\"author\":{\"name\":\"Dionach Admin\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#\\\/schema\\\/person\\\/e73f3537233924cf4944f7807068b3c8\"},\"headline\":\"Grabbing Microsoft SQL Server Password Hashes\",\"datePublished\":\"2015-02-19T15:56:49+00:00\",\"dateModified\":\"2019-12-11T13:56:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/\"},\"wordCount\":344,\"publisher\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#organization\"},\"keywords\":[\"infrastructure\"],\"articleSection\":[\"researchblog\"],\"inLanguage\":\"nl-NL\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/\",\"url\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/\",\"name\":\"Grabbing Microsoft SQL Server Password Hashes\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#website\"},\"datePublished\":\"2015-02-19T15:56:49+00:00\",\"dateModified\":\"2019-12-11T13:56:38+00:00\",\"description\":\"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/#breadcrumb\"},\"inLanguage\":\"nl-NL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/grabbing-microsoft-sql-server-password-hashes\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/dionach.com\\\/nl\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Grabbing Microsoft SQL Server Password Hashes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#website\",\"url\":\"https:\\\/\\\/dionach.com\\\/nl\\\/\",\"name\":\"Dionach\",\"description\":\"Real Security in a Virtual World\",\"publisher\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/dionach.com\\\/nl\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"nl-NL\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#organization\",\"name\":\"Dionach\",\"url\":\"https:\\\/\\\/dionach.com\\\/nl\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.dionach.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.dionach.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"width\":512,\"height\":512,\"caption\":\"Dionach\"},\"image\":{\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/dionachcyber\",\"https:\\\/\\\/x.com\\\/dionachcyber\",\"https:\\\/\\\/uk.linkedin.com\\\/company\\\/dionach-ltd\",\"https:\\\/\\\/www.instagram.com\\\/dionachcyber\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/dionach.com\\\/nl\\\/#\\\/schema\\\/person\\\/e73f3537233924cf4944f7807068b3c8\",\"name\":\"Dionach Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"caption\":\"Dionach Admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Grabbing Microsoft SQL Server Password Hashes","description":"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/","og_locale":"nl_NL","og_type":"article","og_title":"Grabbing Microsoft SQL Server Password Hashes","og_description":"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear","og_url":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/","og_site_name":"Dionach","article_publisher":"https:\/\/www.facebook.com\/dionachcyber","article_published_time":"2015-02-19T15:56:49+00:00","article_modified_time":"2019-12-11T13:56:38+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1","type":"image\/jpeg"}],"author":"Dionach Admin","twitter_card":"summary_large_image","twitter_creator":"@dionachcyber","twitter_site":"@dionachcyber","twitter_misc":{"Geschreven door":"Dionach Admin","Geschatte leestijd":"2 minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/#article","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/"},"author":{"name":"Dionach Admin","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8"},"headline":"Grabbing Microsoft SQL Server Password Hashes","datePublished":"2015-02-19T15:56:49+00:00","dateModified":"2019-12-11T13:56:38+00:00","mainEntityOfPage":{"@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/"},"wordCount":344,"publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"keywords":["infrastructure"],"articleSection":["researchblog"],"inLanguage":"nl-NL"},{"@type":"WebPage","@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/","url":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/","name":"Grabbing Microsoft SQL Server Password Hashes","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/#website"},"datePublished":"2015-02-19T15:56:49+00:00","dateModified":"2019-12-11T13:56:38+00:00","description":"Once you get domain administrator during an internal penetration test, it is a common practice to gather as much information as possible including clear","breadcrumb":{"@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/#breadcrumb"},"inLanguage":"nl-NL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dionach.com\/nl\/grabbing-microsoft-sql-server-password-hashes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/dionach.com\/nl\/"},{"@type":"ListItem","position":2,"name":"Grabbing Microsoft SQL Server Password Hashes"}]},{"@type":"WebSite","@id":"https:\/\/dionach.com\/nl\/#website","url":"https:\/\/dionach.com\/nl\/","name":"Dionach","description":"Real Security in a Virtual World","publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dionach.com\/nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"nl-NL"},{"@type":"Organization","@id":"https:\/\/dionach.com\/nl\/#organization","name":"Dionach","url":"https:\/\/dionach.com\/nl\/","logo":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/","url":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","contentUrl":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","width":512,"height":512,"caption":"Dionach"},"image":{"@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dionachcyber","https:\/\/x.com\/dionachcyber","https:\/\/uk.linkedin.com\/company\/dionach-ltd","https:\/\/www.instagram.com\/dionachcyber\/"]},{"@type":"Person","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8","name":"Dionach Admin","image":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","caption":"Dionach Admin"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/ph4Ojq-Kp","_links":{"self":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/comments?post=2877"}],"version-history":[{"count":0,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2877\/revisions"}],"wp:attachment":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/media?parent=2877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/categories?post=2877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/tags?post=2877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}