Introduction

During a pentest I encountered an MSSQL backup (.bak) and I wanted to extract the password hashes from the master database it contained. This turned out to be harder than expected, so I'd like to share my findings in this blog post.

Steps

  • Install MSSQL server
  • Run sqlcmd
  • Get the logical file names of the database from the backup file:

        RESTORE FILELISTONLY
        FROM DISK = 'C:\Foo\Full\Path\To\Backup.bak'
        GO

  • Restore the .bak file to its mdf and ldf files under a new database name, using the logical names from the previous step:

        RESTORE DATABASE master_copy
        FROM DISK = 'C:\Foo\Full\Path\To\Backup.bak'
        WITH MOVE 'master' TO 'C:\Foo\master.mdf',
        MOVE 'master_log' TO 'C:\Foo\master_log.ldf'
        GO

  • Download the PowerShell script from XPN to extract the hashes from the mdf
  • Open PowerShell and relax the execution policy for the current process only:

        Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  • cd to the module directory and import the module:

        Import-Module .\Get-MDFHashes.ps1

  • Run the module:

        Get-MDFHashes | Out-GridView

  • Enter the path to the mdf file, then copy the hash for the sa user
Background

The bak file for MSSQL is an archive that contains the mdf and the ldf file of some database. With SSMS you can import a normal database backup by right-clicking on Databases -> Restore backup. However, the master database is a special database that doesn't like to be restored this way.

After some messing around I asked on DBA Stackexchange about my issue. It turned out that you can just restore the database under a different name, using sqlcmd, and it will work fine.

Next, the awesome script from XPN can extract the password hashes for you. Note that you need to shut down your MSSQL server before running it, because the server keeps the restored mdf and ldf files locked while the database is attached. Also, you can use SSMS to simply browse the copy of the master database.
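To tie the steps together, here is the whole procedure as one PowerShell script. This is an added example I wrote for this post; it is neither XPN's code nor the exact commands above. It assumes a local default instance reachable as localhost with Windows authentication, sqlcmd.exe on the PATH, and XPN's Get-MDFHashes.ps1 in the current directory taking the mdf path through an -mdf parameter (the parameter name is an assumption; the post runs the script interactively). The names of the data and log files are read from the backup with RESTORE FILELISTONLY instead of being guessed, because on a real installation the log of master is usually named mastlog rather than master_log. Instead of stopping the whole service, the script takes only the restored copy offline, which releases the file lock on its mdf while other databases keep running.

```powershell
<#
  Added example, not the post's own commands or XPN's script.
  Assumptions: local default instance ('localhost', Windows auth), sqlcmd.exe on PATH,
  Get-MDFHashes.ps1 in the current directory exposing an -mdf parameter.
#>
param(
    [Parameter(Mandatory)] [string] $BackupPath,   # e.g. C:\Foo\Full\Path\To\Backup.bak
    [string] $Instance   = 'localhost',
    [string] $NewName    = 'master_copy',
    [string] $DataDir    = 'C:\Foo',
    [string] $ScriptPath = '.\Get-MDFHashes.ps1'
)

$ErrorActionPreference = 'Stop'

function Invoke-TSql([string] $Query) {
    # -E Windows auth, -b non-zero exit code on a T-SQL error, -h -1 no header row,
    # -W strip column padding, -s '|' pipe-separated columns so the output splits cleanly.
    $out = & sqlcmd -S $Instance -E -b -h -1 -W -s '|' -Q "SET NOCOUNT ON; $Query"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $($out -join "`n")" }
    $out
}

# 1. Read the logical file names from the backup rather than guessing them.
#    FILELISTONLY columns (no header because of -h -1): LogicalName|PhysicalName|Type|...
$files = foreach ($line in Invoke-TSql "RESTORE FILELISTONLY FROM DISK = N'$BackupPath'") {
    $f = $line -split '\|'
    if ($f.Count -lt 3) { continue }               # skip blank or informational lines
    $ext = switch ($f[2]) {
        'D'     { '.mdf' }                         # data file
        'L'     { '.ldf' }                         # log file
        default { [IO.Path]::GetExtension($f[1]) } # anything else keeps its original extension
    }
    [pscustomobject]@{
        Logical = $f[0]
        Type    = $f[2]
        Target  = Join-Path $DataDir ($f[0] + $ext)
    }
}

# 2. Restore under a new name, one MOVE per file (the same statement the post runs by hand).
$moves = ($files | ForEach-Object { "MOVE N'$($_.Logical)' TO N'$($_.Target)'" }) -join ', '
Invoke-TSql "RESTORE DATABASE [$NewName] FROM DISK = N'$BackupPath' WITH $moves" | Out-Null

# 3. Release the file lock. The post stops the whole service; taking just the copy offline
#    closes its mdf/ldf handles without interrupting the other databases on the instance.
Invoke-TSql "ALTER DATABASE [$NewName] SET OFFLINE WITH ROLLBACK IMMEDIATE" | Out-Null

# 4. Hand the data file to XPN's parser (the -mdf parameter name is an assumption).
$mdf = ($files | Where-Object Type -eq 'D' | Select-Object -First 1).Target
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Import-Module $ScriptPath
Get-MDFHashes -mdf $mdf | Out-GridView -Title "Logins recovered from $BackupPath"

# 5. Clean up so the copy of master (and the hashes in it) does not linger on disk.
#    A database must be online for DROP DATABASE to delete its files as well.
Invoke-TSql "ALTER DATABASE [$NewName] SET ONLINE; DROP DATABASE [$NewName]" | Out-Null
```

Run it as `.\Restore-MasterCopy.ps1 -BackupPath 'C:\Foo\Full\Path\To\Backup.bak'` from an elevated PowerShell. The takeaway for anyone who administers SQL Server is the same one this post relies on: a backup of master carries every login's password hash, so backup files deserve the same access controls and encryption as the live data files.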