If you have access to the server but you would like to recover sa password or a user’s password you can use this simple technique:
On the server execute
SELECT password_hash FROM sys.sql_logins where name=’sa’
The output will look like this:
0x0200DD732FAC8AC8EEEFAEBA79CDFEE8A873C3F99576A7…….
Copy this to the Kali Linux machine to a text file – only one row. After that is up to you to decide which tool you can use – hashcat, johnny or john, and also which technique – Single crack, Wordlist, Incremental or something else. I will use Johnny, as the easiest one – only thing you need is to Open Password File and Start Attack
Good luck!