zcgonvh/SSMSPwd zcgonvh/SSMSPwd

  • Stars
    star
    107
  • Rank 321,969 (Top 7 %)
  • Language
    C#
  • Created over 7 years ago
  • Updated about 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
zcgonvh/SSMSPwd
github

zcgonvh

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SQL Server Management Studio(SSMS) saved password dumper

SQL Server Management Studio(SSMS) saved password dumper

by using DPAPI,program MUST be run on USER CONTEXT.

(use impersonate to do it.)

Bulid

#for .net 2.0
%systemroot%\microsoft.net\framework\v2.0.50727\csc.exe SSMSPwd.cs
#for .net 4.0
%systemroot%\microsoft.net\framework\v4.0.30319\csc.exe /out:SSMSPwd40.exe SSMSPwd.cs

Usage

SSMSPwd [-f file] [-p path] [-all]
   -f: decrypt from specified file
   -p: path of SSMS installation
   -a: dump all saved info(only dump password information default)

Remarks

SSMS save password to a binary file using BinaryFormatter,and the type was defined on private assembly in the installation directory.

This file saved in %appdata%\Microsoft\Microsoft SQL Server\(VERSION)\Tools\Shell on SSMS2005 or SSMS2008, %appdata%\Microsoft\Microsoft SQL Server\(VERSION)\Tools\ShellSEM on Express Version,%appdata%\Microsoft\SQL Server Management Studio on others.its named mru.dat on SSMS2005,SqlStudio.bin on SSMS2008 to last release.

SSMS2005 saved a IDirectory named stringTable in file,the key like this:

[email protected]\SQLEXPRESS@1@sa@Password
[email protected]\SQLEXPRESS@1@sa@ET

Split by @,we can get instance,user.

If the key ends with Password,the value will be encrypted password using DPAPI and Base64Encode.

Other versions,binary file saved a big tree like:

SqlStudio
└─SSMS
  └─ConnectionOptions
      ├─ServerTypes-1
      │  ├─Servers-1
      │  │  │  Instance
      │  │  │
      │  │  ├─Connections-1
      │  │  │      Password
      │  │  │      UserName
      │  │  │
      │  │  └─Connections-2
      │  │          Password
      │  │          UserName
      │  │
      │  └─Servers-2
      │      │  Instance
      │      │
      │      └─Connections-1
      │              Password
      │              UserName
      │
      └─ServerTypes-2
          ├─Servers-1
          │  │  Instance
          │  │
          │  ├─Connections-1
          │  │      Password
          │  │      UserName
          │  │
          │  └─Connections-2
          │          Password
          │          UserName
          │
          └─Servers-2
              │  Instance
              │
              └─Connections-1
                      Password
                      UserName

We can get IDirectory and IEnumerable on nodes,the pseudocode was:

foreach ServerType in SqlStudio['SSMS']['ConnectionOptions']['ServerTypes']
{
  foreach Server in ServerType['Servers']
  {
    print Server.Instance
    foreach Connection in Server['Connections']
    {
      print Connection.UserName,Connection.Password
    }
  }
}

The Password use DPAPI and Base64Encode too.Using ProtectedData::Uprotect to decrypt it.

DONOT forget,run program on USER CONTEXT.

More Repositories

1

EfsPotato

Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
C#
709
star
2

DCOMPotato

Some Service DCOM Object and SeImpersonatePrivilege abuse.
C#
347
star
3

CVE-2020-0688

Exploit and detect tools for CVE-2020-0688
C#
347
star
4

TaskSchedulerMisc

Misc TaskScheduler Plays
C#
222
star
5

NTDSDumpEx

NTDS.dit offline dumper with non-elevated
C
211
star
6

CVE-2020-17144

weaponized tool for CVE-2020-17144
C#
157
star
7

cve-2017-7269

fixed msf module for cve-2017-7269
Ruby
133
star
8

cve-2017-7269-tool

CVE-2017-7269 to webshell or shellcode loader
C#
86
star
9

MS16-032

MS16-032(CVE-2016-0099) for SERVICE ONLY
C++
79
star
10

CVE-2017-0213

CVE-2017-0213 for command line
C++
57
star
11

POPFuckProxy

POP3 MITM example
C#
27
star
12

JavaTimeAgent

fix time for java application using javaAgent
C++
23
star
13

LinkedServerPwdDumper

SqlServer Linked Password Dumper.
JavaScript
16
star