Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: MS SQL Server (cracking accounts)
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 19 Sep 2005 12:14:21 -0500

I'll add to the response below and say there are two things to do:

1. ) If you are local admin you own the box; just
either dump and crack the local SAM, or use LSADump
and find the account the SQL Server service is
running under.

2. ) Use SQL-native authentication (which they may
be doing) and since natively there is no way to enforce
password security requirements, I have yet to find a
MSSQL box that doesn't have accounts with db_owner
or db_admin roles that have passwords which are one
of the following:

*blank
*username
*username + number
*trivial dictionary list (cat)

Tools like AppSecInc's AppDetective come with some
good dictionary lists, and I usually customize users with
ones I can guess (or know) from the organization, as they
are often the same.

For simply enumerating MSSQL and brute forcing, a great
free utility is SQLPing2. I usually set DBAs up with it to
keep track of their SQL instances and how many have SA=blank

-ae

-----Original Message-----
From: Jeroen [mailto:jeroen () isvet nl] 
Sent: Friday, September 16, 2005 12:41 PM
To: pen-test () securityfocus com
Subject: Re: MS SQL Server


xyberpix wrote:

<SNAP>
I have been able to
successfully add myself to the local Administrators group, and can
now TS into the box in question. I have absolutely no rights on the
SQL server though, so any pointers here would be greatly appreciated!

Hi xyberpix,

Most of the time, MSSQL-boxes use a "hybrid" authentication model; a
combination of SQL authentication and NT authentication is 
used. So probably
you can already connect to the database. The easiest ways to check:

- start isql.exe while logged on as an Administrator;
- install and start the MSSQL enterprise manager on _a_ box 
and connect to
the MSSQL-box you've found using NT credentials. Enterprise 
manager makes it
possible to view databases, data and to maintain them (backups etc.).

If they use MSSQL authentication only:

- try user SA with a blank password (*lol*);
- run a pwdump on the NT-box and crack the password of the users found
(LC5/rainbowtables). Most of the time found logon names and 
passwords are
also used on SQL.

Have fun and please let us know how the story ended ;)


Greets,

Jeroen 



---------------------------------------------------------------
---------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking 
applications on your 
website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are 
futile against web application hacking. Check your website for 
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks 
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
---------------------------------------------------------------
----------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • RE: MS SQL Server (cracking accounts) Evans, Arian (Sep 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault