Penetration Testing mailing list archives
Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Wed, 17 Jan 2001 14:25:31 -0800
Todd Sabin discovered this and reported on it over 3 years ago... For SQL 6.5, the username is clear, and the password is hashed via PKZip's crypto using a fixed key. This should be in the Bugtraq archives. 7.0 uses a different hash, and though dbsecure allows you to brute it via dictionary, I have not found a tool that cracks the SQL 7.0 sa password when mixed mode is used.

HTH

AD

----- Original Message -----
From: "ritter dan" <pentester () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, January 17, 2001 1:41 PM
Subject: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

While conducting a pen test, internal user scenario, I came across the following:

Tested machines are NT 4.0 SP5 or higher. I am a local user with no special authority (domain users group only). I have the ability to perform "remote registry edits" on many machines. (I know - this is bad & will be corrected asap!! & I know how to do so) but - while looking through a DBA machine's registry I found the following:

All SQL servers are 6.5 with a mix of std security & some integrated. The servers pointed to below are all std security 6.5 models (1 is actually a 7.0 test srv).

In the registry...

    hklm\software\microsoft
      SQL
        PROBE
          machine name
            logon    sa
            Password 60990991041181110490505

Through other means I already know the above password - but I do not know how to derive it from the above data. This pattern is repeated for each server the DBA seems to manage!

Several questions come to mind:

- Is the above an encrypted password for the SA account??
- What type of encryption algorithm is used (NT MD4, Lanman hash, other...)?
- If I can decrypt the SA password - I am certain that I can use the SQL exploit xp_cmdshell "NT cmd" to issue any NT command as local system. This is a big exposure!!

Does anyone know the encryption used for the above passwords? I also want to find out what software (poor config, feature, bug...) put these passwords in the registry.

Also - the machine in question has Oracle installed on it - anyone know of any other passwords or data that can be gleaned from the registry? I already can run & use dumpacl to get services & userids, groups... since I am in the "domain users" group.

Therefore the biggest exposure is that other users could gain control of the SQL servers - if they viewed this DBA's registry. Yes - I know that the first hole to close is the remote reg edit but... what software/user/... stored passwords like this in the registry in the first place.

pentester
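The two exposures the thread turns on are (1) non-administrators being able to read a machine's registry remotely and (2) database credentials sitting in registry values under a key named for the SQL client tooling. The following PowerShell audit is an added example, not code from the thread or from any Microsoft tool: it reports ACEs on the winreg key (the key Windows uses to restrict remote registry access) that grant access to principals other than the usual administrative ones, and then walks a registry subtree for value names that look like stored credentials, reporting only where they are and how long they are rather than their contents. The subtree to scan, the principal allow-list and the value-name pattern are assumptions; the thread only gives `hklm\software\microsoft ... SQL ... PROBE`, so adjust `$CredentialRoots` to the tooling actually installed.

```powershell
# Added example (not from the thread): audit one Windows host for
#   1. remote registry access granted beyond the standard administrative principals
#   2. registry values whose names suggest stored database credentials
# Run locally with administrative rights. Paths, patterns and the allow-list
# below are assumptions to be tuned for the environment being reviewed.

$WinRegKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$CredentialRoots = @('HKLM:\SOFTWARE\Microsoft')   # assumption: subtree holding client-tool settings
$ValuePattern    = 'password|pwd'                  # assumption: value names worth flagging
$TrustedPrincipals = 'Administrators|SYSTEM|Backup Operators|LOCAL SERVICE'

function Test-RemoteRegistryAcl {
    # Returns one object per Allow ACE on the winreg key whose principal is not
    # in $TrustedPrincipals. Each such ACE lets that principal read the registry
    # over the network, which is the "remote registry edits" condition in the thread.
    param([string]$Key = $WinRegKey)
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "winreg key not present: remote registry access is not restricted by ACL"
        return
    }
    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        $principal = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $principal -notmatch $TrustedPrincipals) {
            [pscustomobject]@{
                Principal = $principal
                Rights    = $ace.RegistryRights
            }
        }
    }
}

function Find-StoredCredentialValues {
    # Walks each root recursively and reports values whose NAME matches $ValuePattern.
    # The value data is deliberately not emitted; only its length is, so the audit
    # output does not itself become another copy of the secret.
    param([string[]]$Roots = $CredentialRoots, [string]$Pattern = $ValuePattern)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -match $Pattern) {
                    $data = [string]$key.GetValue($valueName)
                    [pscustomobject]@{
                        Key        = $key.Name
                        ValueName  = $valueName
                        DataLength = $data.Length
                    }
                }
            }
        }
    }
}

Write-Host "== winreg ACEs granted to non-administrative principals =="
Test-RemoteRegistryAcl | Format-Table -AutoSize

Write-Host "== registry values that look like stored credentials =="
Find-StoredCredentialValues | Format-Table -AutoSize
```

Any row from the first table is the condition the original poster describes and is the first thing to fix, regardless of how the stored value is encoded; rows from the second table identify which client tools need their saved logins removed or which keys need tighter ACLs. The scan matches on value names, so a tool that stores credentials under an unrelated name will not be caught by it; that is a limitation of the pattern, not evidence of a clean host.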
Current thread:
- [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) ritter dan (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Todd Sabin (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)