Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/zcgonvh/SSMSPwd

SQL Server Management Studio(SSMS) saved password dumper
https://github.com/zcgonvh/SSMSPwd

Last synced: about 1 month ago
JSON representation

SQL Server Management Studio(SSMS) saved password dumper

Host: GitHub
URL: https://github.com/zcgonvh/SSMSPwd
Owner: zcgonvh
Created: 2017-04-28T16:08:34.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2022-07-22T07:16:14.000Z (about 2 years ago)
Last Synced: 2024-04-12T18:14:15.783Z (5 months ago)
Language: C#
Size: 3.91 KB
Stars: 103
Watchers: 6
Forks: 29
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - zcgonvh/SSMSPwd - SQL Server Management Studio(SSMS) saved password dumper (C# #)

README

# SQL Server Management Studio(SSMS) saved password dumper

**by using [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx),program MUST be run on USER CONTEXT.**

(use *impersonate* to do it.)

### Bulid

#for .net 2.0
%systemroot%\microsoft.net\framework\v2.0.50727\csc.exe SSMSPwd.cs
#for .net 4.0
%systemroot%\microsoft.net\framework\v4.0.30319\csc.exe /out:SSMSPwd40.exe SSMSPwd.cs

### Usage

SSMSPwd [-f file] [-p path] [-all]
-f: decrypt from specified file
-p: path of SSMS installation
-a: dump all saved info(only dump password information default)

### Remarks

SSMS save password to a binary file using [BinaryFormatter](https://msdn.microsoft.com/en-us/library/system.runtime.serialization.formatters.binary.binaryformatter.aspx),and the type was defined on **private assembly** in the installation directory.

This file saved in `%appdata%\Microsoft\Microsoft SQL Server\(VERSION)\Tools\Shell` on SSMS2005 or SSMS2008, `%appdata%\Microsoft\Microsoft SQL Server\(VERSION)\Tools\ShellSEM` on **Express Version**,`%appdata%\Microsoft\SQL Server Management Studio` on others.its named `mru.dat` on SSMS2005,`SqlStudio.bin` on SSMS2008 to last release.

SSMS2005 saved a `IDirectory` named `stringTable` in file,the key like this:

[email protected]\SQLEXPRESS@1@sa@Password
[email protected]\SQLEXPRESS@1@sa@ET

Split by `@`,we can get `instance`,`user`.

If the key ends with `Password`,the value will be encrypted password using [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) and `Base64Encode`.

Other versions,binary file saved a big tree like:

SqlStudio
└─SSMS
└─ConnectionOptions
├─ServerTypes-1
│ ├─Servers-1
│ │ │ Instance
│ │ │
│ │ ├─Connections-1
│ │ │ Password
│ │ │ UserName
│ │ │
│ │ └─Connections-2
│ │ Password
│ │ UserName
│ │
│ └─Servers-2
│ │ Instance
│ │
│ └─Connections-1
│ Password
│ UserName
│
└─ServerTypes-2
├─Servers-1
│ │ Instance
│ │
│ ├─Connections-1
│ │ Password
│ │ UserName
│ │
│ └─Connections-2
│ Password
│ UserName
│
└─Servers-2
│ Instance
│
└─Connections-1
Password
UserName

We can get `IDirectory` and `IEnumerable` on nodes,the pseudocode was:

foreach ServerType in SqlStudio['SSMS']['ConnectionOptions']['ServerTypes']
{
foreach Server in ServerType['Servers']
{
print Server.Instance
foreach Connection in Server['Connections']
{
print Connection.UserName,Connection.Password
}
}
}
The `Password` use [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) and `Base64Encode` too.Using [ProtectedData::Uprotect](https://msdn.microsoft.com/en-us/library/xh68ketz(v=vs.110).aspx) to decrypt it.

DONOT forget,**run program on USER CONTEXT**.