Open .SDF file without SQL Server Management

As part of any post-exploitation phase in a security auditing or testing engagement, you will want to gather as much information as you can about the victim so that you can target the next victim in the chain.

Having said that, sometimes you stumble upon strange files, encrypted data, and network traffic that you don’t know what to do with. One of these was an .sdf file related to hMailServer, an open source mail server; you can read more about it here.

When gaining access to this server you will want to read this file:

A sample output would look something like this:


  1. Copy the SQL Server database hash; we will get back to that in a bit.
  2. You have the admin password hash for hMailAdmin.exe (an application that allows you to manage the mail server).

hMailServer is generous enough to offer a bin tool that decrypts the SQL Server hash for us if you know the admin password.
Read this article, STEP1, to learn how to decrypt the SQL password.

Once the SQL Server password is in your pocket, you can read the .sdf file and get the account hashes. These steps were the easy part for me; I struggled A LOT with opening the .sdf file. Luckily, I found a tool called SQL Compact Query Analyzer, which will do the job!
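For defenders, the exposure described above can be checked for directly. The following is an added example, not code from the original post: it scans an INI-style configuration for stored password values and classifies each one by shape. The section names, key names and both secret values in the sample are constructed assumptions modelled on an hMailServer-style file.

```python
import configparser
import re

# Constructed sample: section/key names are assumptions modelled on an
# hMailServer-style INI file, and both secret values are made up.
SAMPLE_INI = """\
[Database]
Type=MSSQLCE
Username=
Password=5f1c0a9e7b3d42688f1e2a4c6b8d0e1f2a3b4c5d6e7f8091
PasswordEncryption=1

[Security]
AdministratorPassword=0123456789abcdef0123456789abcdef
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_secret(value):
    """Classify a stored secret by its shape only (a heuristic, not proof)."""
    if not value:
        return "empty"
    if HEX.match(value) and len(value) == 32:
        return "md5-shaped"      # 128-bit digest; unsalted if stored bare
    if HEX.match(value) and len(value) % 2 == 0:
        return "hex-blob"        # opaque bytes, possibly reversibly encrypted
    return "plaintext"


def audit_ini(text):
    """Return (section, key, classification) for every key ending in 'password'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str     # keep key names exactly as written
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower().endswith("password"):
                findings.append((section, key, classify_secret(value.strip())))
    return findings


if __name__ == "__main__":
    for section, key, kind in audit_ini(SAMPLE_INI):
        print(f"[{section}] {key}: {kind}")
```

Any finding other than `empty` means the file holds recoverable credential material, so read access to it and to the .sdf database should be limited to the service account and administrators.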

Happy hacking


Legal note: I’m not responsible for how you use these techniques; I presented them assuming you’re legally using them.

One comment to Open .SDF file without SQL Server Management

  • tryingharder  says:

    john --wordlist=/root/password/rockyou.txt /temp/pass.txt --format=Raw-MD5
    to crack admin hash
