Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Checking UserId's / Passwords Strength

Posted on 2006-07-18
10
Medium Priority
?
276 Views
Last Modified: 2007-12-19
I received a request from management to scan users on a SQL Server to see if they have strong passwords.  I don't know of a tool that can do this so I am needed advice.  Is there any tool or application that can do this? (Free / Open Source would be great!)
0
Comment
Question by:SECGRAD
  • 5
  • 3
10 Comments
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133488
0
 

Author Comment

by:SECGRAD
ID: 17133534
Excellent! It mentions that it works on MS SQL Server 7 or 2000. Have you tried it successfully in MS SQL 2005?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133564
It won't work in 2005 as is. Not that it really needs to, because you can actually enforce strong passwords through ALTER LOGIN in 2005.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:SECGRAD
ID: 17133617
So, I should rephrase my question. Is there any tools, scripts, or application that can scan user accounts against SQL 2005 to determine if they have strong passwords? (Free / Open Source would be great!)
0
 
LVL 18

Accepted Solution

by:
SjoerdVerweij earned 2000 total points
ID: 17133692
/*
This script originally lived at http://evolvedcode.net/

For the original version of this script and a wide variety
of other code and scripts, please visit the site.

- EvolvedCode.net staff


Changes:
26.10.2002
Included simplified dictionary loader
Included smart temporary table deletion

*/

--Check if any of our temporary objects already exist
IF (OBJECT_ID('tempdb..#tLogins') IS NOT NULL)
  DROP TABLE #tLogins;
IF (OBJECT_ID('tempdb..#tBruteDict') IS NOT NULL)
  DROP TABLE #tBruteDict;
IF (OBJECT_ID('tempdb..#tUserDict') IS NOT NULL)
  DROP TABLE #tUserDict;
GO

--Variables for use throughout the script
DECLARE @Counter INT;
DECLARE @WordList VARCHAR(1000);

SET @WordList = 'E:\Wordlists\QuickDict.txt';

SET NOCOUNT ON

--Create tables to hold temporary data
CREATE TABLE #tLogins(
  [UID]           INT IDENTITY(1,1) NOT NULL,
  [Login]         SYSNAME NOT NULL,
  [SID]           VARBINARY(85) NOT NULL,
  [Password]      SYSNAME NULL,
  [PasswordHash]  VARBINARY(256) NULL,

  [IsAdmin]       BIT DEFAULT(0) NOT NULL,
  [BlankPass]     BIT DEFAULT(0) NOT NULL,
  [SamePass]      BIT DEFAULT(0) NOT NULL,
  [BrutePass]     BIT DEFAULT(0) NOT NULL
);
CREATE TABLE #tBruteDict(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tBruteCS(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tUserDict(
  [RawText] SYSNAME NOT NULL
);

--Create a list of the regular (non-nt) users
INSERT INTO #tLogins( [SID], [Login], [IsAdmin], [PasswordHash] )
SELECT
L.[sid],
L.[name],
CASE
 WHEN L.[sysadmin] = 1 OR L.[securityadmin] = 1 OR L.[serveradmin] = 1 OR L.[setupadmin] = 1 OR L.[processadmin] = 1 OR L.[diskadmin] = 1 THEN 1
 ELSE 0
END,
LX.[password_hash]
FROM [master]..[syslogins] AS L
  LEFT JOIN sys.sql_logins LX ON L.sid = LX.sid
WHERE L.[isntname] = 0;

--Identify users with blank passwords
UPDATE #tLogins
SET [BlankPass] = 1
FROM #tLogins
WHERE [PasswordHash] IS NULL;

--Identify users with password = username
UPDATE #tLogins
SET [SamePass] = 1, [Password] = [Login]
WHERE PWDCOMPARE( [Login], [PasswordHash] ) = 1;

--Identify users with one or two character (ASCII 0-255) passwords
SET @Counter = 0;

WHILE @Counter <= 255
BEGIN

  INSERT INTO #tBruteCS( [RawText] )
  VALUES( CHAR(@Counter) );

  SET @Counter = @Counter + 1;

END

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]
FROM #tBruteCS AS Src

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]+New.[RawText]
FROM #tBruteDict AS Src, #tBruteCS AS New;

DROP TABLE #tBruteCS;

UPDATE #tLogins
SET [BrutePass] = 1, [Password] = Dict.[RawText]
FROM #tLogins AS Src
  LEFT JOIN #tBruteDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;

DROP TABLE #tBruteDict;

--Identify users with passwords from our dictionary
IF @WordList IS NOT NULL
BEGIN
  BULK INSERT #tUserDict FROM 'E:\WordLists\QuickDict.txt';

  UPDATE #tLogins
  SET [BrutePass] = 1, [Password] = Dict.[RawText]
  FROM #tLogins AS Src
    LEFT JOIN #tUserDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
  WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;
END

DROP TABLE #tUserDict;

--Reset nocount
SET NOCOUNT OFF

--Report any users whose logins were weak
SELECT
 [Login] AS [Username],
 ISNULL( [Password], '-- currently unknown --' ) AS [Password],
 CASE
   WHEN [BlankPass] = 1 OR [SamePass] = 1 OR [BrutePass] = 1 THEN 1
   ELSE 0
 END AS [Cracked?],
 [IsAdmin] AS [Admin User?],
 [BlankPass] AS [Blank Password?],
 [SamePass] AS [Username = Password?],
 [BrutePass] AS [Password Bruteforced?]
FROM #tLogins
ORDER BY [Login];

DROP TABLE #tLogins;

0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133698
(Note the changes: sysxlogins becomes sys.sql_logins, et cetera)
0
 

Author Comment

by:SECGRAD
ID: 17133746
Good. Where is the QuickDict.txt mentioned in SET @WordList = 'E:\Wordlists\QuickDict.txt'; ?

Shouldn't this be imported to test against a dictionary?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133769
The script imports it (BULK INSERT). You can download an example one from the link I sent above. Make sure to change the path and file name accordingly. Keep in mind that it is a path ON THE SERVER, not the machine you run the script from.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
What if you have to shut down the entire Citrix infrastructure for hardware maintenance, software upgrades or "the unknown"? I developed this plan for "the unknown" and hope that it helps you as well. This article explains how to properly shut down …
Via a live example, show how to shrink a transaction log file down to a reasonable size.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question