janvier
2011
Identifier les login/password non sécurisés
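/*==================================================================
-- Description : Identify SQL Server logins protected by a weak password
-- Author      : Etienne ZINZINDOHOUE
--
-- Notes:
--  * Examining sys.sql_logins.password_hash requires CONTROL SERVER;
--    run this audit from a sysadmin-level session, otherwise the
--    hashes cannot be compared and the result may be empty.
--  * The result set shows each matched password in clear text.
--    Treat the output as sensitive and do not store it in tickets,
--    logs or shared query history.
--  * For every login returned, set a new password with ALTER LOGIN
--    and enable CHECK_POLICY so the Windows password policy applies.
==================================================================*/
DECLARE @PwdList TABLE (Pwd NVARCHAR(255));

-- Candidate weak passwords. The list is not exhaustive; extend it as needed.
-- The token @@Name is a placeholder replaced by the login name at compare time.
-- UNION ALL is deliberate: a plain UNION removes duplicates using the database
-- collation, so on a case-insensitive instance 'sa', 'Sa' and 'SA' would
-- collapse into a single row and the other case variants would never be
-- tested, although PWDCOMPARE itself is case-sensitive.
INSERT INTO @PwdList (Pwd)
SELECT ''
UNION ALL SELECT 'sa'
UNION ALL SELECT 'sa123'
UNION ALL SELECT 'Sa'
UNION ALL SELECT 'Sa123'
UNION ALL SELECT 'SA'
UNION ALL SELECT 'SA123'
UNION ALL SELECT 'admin'
UNION ALL SELECT 'admin123'
UNION ALL SELECT 'Admin'
UNION ALL SELECT 'Admin123'
UNION ALL SELECT 'administrateur'
UNION ALL SELECT 'administrateur123'
UNION ALL SELECT 'Administrateur'
UNION ALL SELECT 'Administrateur123'
UNION ALL SELECT 'administrator'
UNION ALL SELECT 'administrator123'
UNION ALL SELECT 'Administrator'
UNION ALL SELECT 'Administrator123'
UNION ALL SELECT '0123'
UNION ALL SELECT '123'
UNION ALL SELECT '01234'
UNION ALL SELECT '1234'
UNION ALL SELECT '12345'
UNION ALL SELECT '012345'
UNION ALL SELECT '123456'
UNION ALL SELECT '0123456'
UNION ALL SELECT 'abc'
UNION ALL SELECT 'abc123'
UNION ALL SELECT 'default'
UNION ALL SELECT 'guest'
UNION ALL SELECT 'guest123'
UNION ALL SELECT 'Guest'
UNION ALL SELECT 'Guest123'
UNION ALL SELECT '@@Name'
UNION ALL SELECT '@@Name123'
UNION ALL SELECT '@@Name@@Name';

-- List every SQL login whose stored hash matches a candidate password.
-- Each candidate is tested twice: as written, and with @@Name expanded to the
-- login name. The number of hash computations is therefore
-- (logins x candidates x 2); expect a noticeable run time on large instances.
SELECT
    s.name AS [Login],
    REPLACE(p.Pwd, '@@Name', s.name) AS [Mot de passe]
FROM sys.sql_logins AS s
INNER JOIN @PwdList AS p
    ON PWDCOMPARE(p.Pwd, s.password_hash) = 1
    OR PWDCOMPARE(REPLACE(p.Pwd, '@@Name', s.name), s.password_hash) = 1
ORDER BY s.name;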
—————————————————-
Etienne ZINZINDOHOUE
—————————————————-