Penetration Testing mailing list archives

Re: [PEN-TEST] SQL Server blank account


From: "M. Burnett" <mburnett () XATO NET>
Date: Tue, 29 Aug 2000 11:44:39 -0600

You may also be interested in our new tool that is currently in beta called
Squelch.  It simulates a command-line and also allows for registry edits via
SQL Server.  The final version that will be released later this week will
include a brute-force option.

Anyone interested in a beta preview of this tool can download it here:
http://www.xato.net/downloads/squelch.zip

Mark Burnett
Xato Network Security, Inc.
www.xato.net

----- Original Message -----
From: "Marc Maiffret" <marc () eeye com>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, August 29, 2000 3:05 AM
Subject: Re: [PEN-TEST] SQL Server blank account


http://www.ntsecurity.nu/toolbox/sqldict/ <-- neato tool for some sql brute forcing.

and if you luck out then use linsql.c:

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008150352.UAA09523 () user3 hushmail com

Quote from linsql.c:
"Note that these commands are executed with the privileges of the MSSQL
service - usually `NT Authority\System'."
"
 * A simple command-line client for MS SQL server.
 * Designed for executing commands on the underlying operating system
   rather than SQL engine.
 * That said, it has the ability to perform SQL queries on the server.
 * Also added file upload system - usually works ;-) if it fails, try again.
 * Setup to login as the user 'sa' with no password by default, although
   this can be changed.
"

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

| -----Original Message-----
| From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Seth Georgion
| Sent: Tuesday, August 29, 2000 5:20 PM
| To: PEN-TEST () SECURITYFOCUS COM
| Subject: SQL Server blank account
|
| Okay, so here is a question that we've encountered, internally, that seems
| to have been made more relevant by the recent Napster-related defacements.
| Specifically, how is it that a hacker can subvert a system, i.e. deface web
| pages, change user accounts, on a system with a SQL installation and a known
| username and password? For example, let's say you have a Windows machine with
| an IIS install and a SQL install; given an attacker with a valid,
| administrator SQL username and password, how would they be able to take
| control of the server?
|

