Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

[Attonbitus Deus <Thor () HAMMEROFGOD COM>]

Todd Sabin discovered this and reported on it over 3 years ago... For SQL
6.5, the username is clear, and the password is hashed via PKZip's crypto
using a fixed key.  This should be in the Bugtraq archives.

7.0 uses a different hash, and though dbsecure allows you to brute it via
dictionary, I have not found a tool that cracks SQL 7.0 sa password when
mixed mode is used.

HTH
AD

----- Original Message -----
From: "ritter dan" <pentester () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, January 17, 2001 1:41 PM
Subject: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)


> While conducting a pen test, internal user scenario, I
> came across the following:
>
> tested machines are NT 4.0 sp5 or higher
>
> I am a local user with no special authority (domain
> users group only).  I have the ability to perform
> "remote registry edits" on many machines.  (I know -
> this is bad & will be corrected asap!! & I know how to
> do so)
>
> but -
>
> while looking through a DBA machine's registry I found
> the following:
>
> All sql servers are 6.5 with a mix of std security &
> some integrated. the servers pointed to below are all
> std security 6.5 models  (1 is actually a 7.0 test
> srv)
>
> In the registry...
>
> hklm\software\microsoft
>
>   SQL PROBE
>         machine name
>                 logon           sa
>                 Password
> 60990991041181110490505
>
> Through other means I already know the above password
> - but I do not know how to derive it from the above
> data
>
> This pattern is repeated for each server the DBA seems
> to manage!
>
> Several questions come to mind:
>
> Is the above an encrypted password for the SA account
> ??
>
> What type of encryption algorithm is used (NT md4,
> Lanman hash, other ...)
>
> If I can decrypt the SA password - I am certain that I
> can use the sql exploit xp_cmdshell "NT cmd" to issue
> any nt command as local system.  This is a big
> exposure!!
>
> Does anyone know the encryption used for the above
> passwords ?
>
> I also want to find out what software (poor config,
> feature, bug..) put these passwords in the registry.
>
> Also - the machine in question has Oracle installed on
> it - anyone know of any other passwords or data that
> can be gleaned from the registry -  I already can run
> & use dumpacl to get services & userids, groups ....
> since I am in the "domain users" group.  therefore the
> biggest exposure is that other users could gain
> control of the SQL servers - if they viewed this dba's
> regisry. Yes - - I know that the first hole to close
> is the remote reg edit but ... what software/user/...
> stored passwords like this in the registry in the
> first place.
>
> pentester
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/