Penetration Testing mailing list archives
RE: MS SQL Server (cracking accounts)
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 19 Sep 2005 12:14:21 -0500
I'll add to the response below and say there are two things to do:

1.) If you are local admin you own the box; just either dump and crack the local SAM, or use LSADump and find the account the SQL Server service is running under.

2.) Use SQL-native authentication (which they may be doing) and since natively there is no way to enforce password security requirements, I have yet to find a MSSQL box that doesn't have accounts with db_owner or db_admin roles that have passwords which are one of the following:

* blank
* username
* username + number
* trivial dictionary list (cat)

Tools like AppSecInc's AppDetective come with some good dictionary lists, and I usually customize users with ones I can guess (or know) from the organization, as they are often the same.

For simply enumerating MSSQL and brute forcing, a great free utility is SQLPing2. I usually set DBAs up with it to keep track of their SQL instances and how many have SA=blank.

-ae
-----Original Message-----
From: Jeroen [mailto:jeroen () isvet nl]
Sent: Friday, September 16, 2005 12:41 PM
To: pen-test () securityfocus com
Subject: Re: MS SQL Server

xyberpix wrote:

<SNAP> I have been able to successfully add myself to the local Administrators group, and can now TS into the box in question. I have absolutely no rights on the SQL server though, so any pointers here would be greatly appreciated!

Hi xyberpix,

Most of the time, MSSQL boxes use a "hybrid" authentication model; a combination of SQL authentication and NT authentication is used. So probably you can already connect to the database. The easiest ways to check:

- start isql.exe while logged on as an Administrator;
- install and start the MSSQL Enterprise Manager on _a_ box and connect to the MSSQL box you've found using NT credentials. Enterprise Manager makes it possible to view databases, data and to maintain them (backups etc.).

If they use MSSQL authentication only:

- try user SA with a blank password (*lol*);
- run a pwdump on the NT box and crack the password of the users found (LC5/rainbow tables). Most of the time found logon names and passwords are also used on SQL.

Have fun and please let us know how the story ended ;)

Greets,
Jeroen

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
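A DBA-side audit for the trivial SQL-native passwords both posts describe (blank, username, username + digit, a few dictionary words), added here as an example and not part of either list message. It assumes SQL Server 2008 or later (sys.sql_logins, PWDCOMPARE and the VALUES table constructor), a sysadmin connection on the instance itself, and a constructed four-word sample dictionary.

```sql
-- Added example (not from the list posts): find SQL-native logins whose
-- stored hash matches a trivial candidate. Requires SQL Server 2008+ and
-- CONTROL SERVER permission (PWDCOMPARE returns 0 without it). Runs locally
-- against sys.sql_logins, so no login attempts hit the service.
WITH digits AS (
    SELECT CAST(n AS varchar(2)) AS d
    FROM (VALUES (0), (1), (2), (3), (4), (5), (6), (7), (8), (9)) AS v(n)
),
words AS (
    -- constructed sample dictionary; substitute the organisation's own list
    SELECT w FROM (VALUES ('cat'), ('password'), ('sql'), ('sa')) AS v(w)
),
candidates AS (
    SELECT l.principal_id, CAST('' AS nvarchar(128)) AS pw, 'blank' AS kind
    FROM sys.sql_logins AS l
    UNION ALL
    SELECT l.principal_id, l.name, 'username' FROM sys.sql_logins AS l
    UNION ALL
    SELECT l.principal_id, LOWER(l.name), 'username (lowercase)'
    FROM sys.sql_logins AS l
    UNION ALL
    SELECT l.principal_id, l.name + d.d, 'username + number'
    FROM sys.sql_logins AS l CROSS JOIN digits AS d
    UNION ALL
    SELECT l.principal_id, w.w, 'dictionary word'
    FROM sys.sql_logins AS l CROSS JOIN words AS w
)
SELECT l.name,
       c.kind,
       l.is_disabled,
       l.is_policy_checked,      -- 0 = CHECK_POLICY off: no complexity or lockout applied
       l.is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin
FROM sys.sql_logins AS l
JOIN candidates AS c ON c.principal_id = l.principal_id
WHERE l.password_hash IS NOT NULL
  AND PWDCOMPARE(c.pw, l.password_hash) = 1
ORDER BY is_sysadmin DESC, l.name, c.kind;
```

Each row is a login that would fall to the guesses in the thread; for those, ALTER LOGIN with a new password and CHECK_POLICY = ON, and disable or rename sa where it is not needed.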