Piggy is another nice little dictionary-based attack tool for MS SQL
Server. It is command-line based, dead easy to use, and supports
attacks against multiple hosts, accounts and passwords.
Another great tool from Patrik.
It is available from

    usage: piggy [options]

the options being:

    -u <username> - Single username
    -p <password> - Single password
    -s <server>   - Single server
    -S <srvfile>  - File containing ip/hostnames
    -D <dicfile>  - File containing passwords
    -A <accounts> - File containing username;password combinations
    -N            - Do not check availability before scan
    -v verbose    - Verbose logging

    C:\piggy -u sa -p password -s 126.96.36.199
    Piggy v1.0.1 by email@example.com
    [i] Loaded 1 dictionary items
    [i] Checking server availability
    Started scan against DB on '188.8.131.52'

As you can see from the above, I used only a single password attempt
against the sa account. To conduct a dictionary-based attack you would
use the -D option and supply an appropriate wordlist.