Penetration Testing mailing list archives

Re: [PEN-TEST] SQL Server blank account


From: Attonbitus Deus <thor () HAMMEROFGOD COM>
Date: Tue, 29 Aug 2000 10:13:36 -0700

xp_cmdshell is a SQL stored procedure that allows you to execute commands
via a cmd shell, and in the context of the local system authority.

One is really only limited by imagination when afforded this type of power.
It basically equates to full compromise.  Recently, while penetrating a
network (with permission, of course!) I found a SQL server with an open SA
password.  Though all Server and Workstation services were disabled, I was
able to (easily) create a .sql script that created an ftp script file,
launched the ftp command line against the script file, and downloaded
several files to the server (reg.exe, netcat, etc).  I could then launch
these files to do things like creating a backup of the SAM which I simply
ftp'd back to myself and ran l0pht against it (One system had syskey on the
reg, but I dumped the hash with passdump2). Voila, I had all the local
usernames and passwords.  I could then easily access all other 'bulletproof'
systems they had as they used the same usernames and passwords for access to
those 'closed' systems, including some intelligence gathering on all the
'internal' systems that 'no one has access to'.

There are many other things that I did that I won't go into, but the point
is that with a little creativity, you can basically do whatever you want to
one of these systems.  Even when otherwise secured, you can typically gather
enough information to socially engineer your way into other areas.

Please email me directly if you would like any other information, or if you
would like for me to illustrate some other techniques for you.
----------------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com



----- Original Message -----
From: "Seth Georgion" <sgeorgion () E-CLOSER COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, August 29, 2000 9:19 AM
Subject: [PEN-TEST] SQL Server blank account


Okay, so here is a question that we've encountered, internally, that seems
to have been made more relevant by the recent Napster related defacements.
Specifically, how is it that a hacker can subvert a system, i.e. deface web
pages, change user accounts, on a system with a SQL installation and a known
username and password. For example let's say you have a Windows machine with
an IIS install and a SQL install, given an attacker with a valid,
administrator SQL username and password how would they be able to take
control of the server?
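The two conditions the thread turns on are an "open" (blank) sa password and an xp_cmdshell that is available to whoever holds that login. The following T-SQL is an added defensive check, not part of the original thread or either poster's material; it assumes a SQL Server 2008 or later instance (the PWDCOMPARE function, sys.sql_logins and the sp_configure 'xp_cmdshell' option exist there, whereas the SQL Server 2000 instance discussed above had xp_cmdshell enabled by default and no such switch).

```sql
-- Added example (not from the original thread): find blank-password SQL
-- logins and confirm xp_cmdshell is switched off. Assumes SQL Server 2008+.

-- 1. Flag every SQL login whose password is empty. PWDCOMPARE returns 1
--    when the supplied cleartext matches the stored hash, so a row here
--    is exactly the "open SA password" the first post describes.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. Show the current state of xp_cmdshell. It is an "advanced" option, so
--    the advanced view has to be turned on before it can be read or set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';   -- run_value 1 = enabled, 0 = disabled

-- 3. Disable it (0 has been the default since SQL Server 2005).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Audit which database principals hold an explicit permission on
--    master.dbo.xp_cmdshell. Members of the sysadmin server role can run
--    it regardless of this list, which is why a strong sa password (or a
--    disabled sa login) matters more than any grant shown here.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');
```

Run it as a sysadmin against each instance; an empty result from step 1 and run_value 0 in step 2 close the path the first post walks through, and step 4 is worth keeping in a periodic review because a later sp_configure call can quietly re-enable the procedure.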


