Password Security & Strength Audit
Description
T-SQL script for MS SQL Server that performs a simple audit of password security across
all logins (apart from NT authenticated logins) on the SQL Server and then presents the information
discovered in a very simple report.
Very useful for quickly determining how many of your SQL Server logins (specifically the password
aspect) are dangerously insecure or might be vulnerable to simple brute force & dictionary
attacks.
This simple audit script includes:
- Checking for blank passwords/no password.
- Checking for passwords which are the same as the login.
- Checking for passwords made up of any two ASCII characters.
- Checking for passwords contained in an external wordlist.
Since a user-defined wordlist option is available
If you were wondering, this script is useless as an attack script as it requires sa level
permissions before a user can get access to the sysxlogins table, so in order to use this
you must have high-level permissions. If someone unauthorised were to get that level of access
to the server then the threat of them running a password strength audit is the least of your
worries!
Lastly, if you have any doubts about the security of the logins on your SQL Server installation
then I would recommend purchasing a more comprehensive package. Although this script offers some
very basic, but still extremely useful, tests, it does not attempt to be a full security audit package;
rather, it merely offers a glimpse at where the most obvious weaknesses are.
Requirements
- MS SQL Server 7 or 2000
- sa (or equivalent) permissions
Installation & Setup
- Save the T-SQL script somewhere which will be easily accessible to you via the query analyser, naming
  it sql_loginaudit.sql (as a suggestion).
User Guide
Open the script up in the query analyser, changing the variable @WordList to contain the
full path to your wordlist (used to perform the dictionary tests). If you have no wordlist or do
not want to run the dictionary tests then this line should read SET @WordList = NULL;.
Once you have configured the @WordList variable you may then execute the script. The basic
script can take approximately 30 seconds to run. If you are using a large wordlist then this process
may take longer.
When it's complete, data should be returned reflecting the results of the process. For each login you
should find a record has been returned, each of which should contain the following columns:
- Username - the name of the login which this record relates to.
- Password - the password (if Cracked? contains 1 then this is the correct password, otherwise this displays -- currently unknown --)
- Cracked? - denotes if the login was cracked in any of the tests.
- Admin User? - contains 1 if the login possesses any admin-type privileges, otherwise contains 0.
- Blank Password? - contains 1 if the login has no password, otherwise contains 0.
- Username = Password? - contains 1 if the login is identical to the password, otherwise contains 0.
- Password Bruteforced? - contains 1 if the login was broken by either dictionary or brute force methods, otherwise contains 0.
The key thing to pay attention to is the cracked column as this will show you which logins were
insecure enough to be cracked by what is a very simple set of tests. Depending on what conditions the
login was discovered under you might want to consider assigning it a new password or even disabling it
if it's not required at the moment.
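As an illustration of the two simplest checks in the report (Blank Password? and Username = Password?), the query below is an added example and is not taken from the audit script itself. It assumes SQL Server 2000, a sysadmin connection, a blank password being stored as NULL in sysxlogins, and the undocumented PWDCOMPARE function; here Admin User? reflects only the sysadmin role, which is narrower than the script's "any admin-type privileges".

```sql
-- Added example, not the audit script's own code.
-- Assumptions: SQL Server 2000, run as sa (or equivalent), and
-- PWDCOMPARE(cleartext, hash) returning 1 when the cleartext matches the hash.
SELECT
    l.name     AS [Username],
    l.sysadmin AS [Admin User?],          -- sysadmin role only (assumption)
    CASE WHEN x.password IS NULL
         THEN 1 ELSE 0 END AS [Blank Password?],
    CASE WHEN PWDCOMPARE(l.name, x.password) = 1
         THEN 1 ELSE 0 END AS [Username = Password?]
FROM master.dbo.syslogins AS l
JOIN master.dbo.sysxlogins AS x
    ON  x.sid = l.sid
    AND x.srvid IS NULL                   -- local logins only, no remote/linked entries
WHERE l.isntname = 0                      -- skip NT authenticated logins
  AND (   x.password IS NULL              -- no password set
       OR PWDCOMPARE(l.name, x.password) = 1)  -- password same as login name
ORDER BY l.sysadmin DESC, l.name;         -- privileged logins first
```

Any row returned is a login that fails one of the two checks; rows with Admin User? = 1 are the ones to give a new password first.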
Word Lists
Although a very simple wordlist has been included I would recommend building up your own as there are a
wide variety of sources for this material and you might well find that the inclusion of a wordlist more
suited to your industry, environment, culture or language yields far more results than mine would.
The current wordlist was built from a variety of wordlists, most of which were designed for cracking UNIX
passwords and includes (among other things) a list of common passwords.