Penetration Testing mailing list archives
Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)
From: "Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>
Date: Wed, 17 Jan 2001 20:33:35 -0500
Taken straight from the Database Scanner product (I'm assuming you mean Database Scanner when you say dbsecure; dbsecure was the company that originally built the product):

"In SQL Server 6.5, the passwords are stored unencrypted in the registry. In SQL Server 7.0, the passwords are stored using a simple substitution encryption method which can easily be deciphered by a skilled attacker."

Database Scanner does not actually attempt to figure out the password, it simply detects that someone has placed a password there and lets you know.

I know of no one outside of ISS and Microsoft that is aware of the algorithm, although I'm sure that it's because no one has made an effort. As stated above, it's a simple substitution algorithm.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Attonbitus Deus
Sent: Wednesday, January 17, 2001 5:26 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

Todd Sabin discovered this and reported on it over 3 years ago... For SQL 6.5, the username is clear, and the password is hashed via PKZip's crypto using a fixed key. This should be in the Bugtraq archives.

7.0 uses a different hash, and though dbsecure allows you to brute it via dictionary, I have not found a tool that cracks the SQL 7.0 sa password when mixed mode is used.

HTH
AD

----- Original Message -----
From: "ritter dan" <pentester () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, January 17, 2001 1:41 PM
Subject: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

While conducting a pen test, internal user scenario, I came across the following:

Tested machines are NT 4.0 SP5 or higher. I am a local user with no special authority (Domain Users group only). I have the ability to perform "remote registry edits" on many machines. (I know - this is bad & will be corrected ASAP!! & I know how to do so.) But - while looking through a DBA machine's registry I found the following:

All SQL servers are 6.5 with a mix of std security & some integrated. The servers pointed to below are all std security 6.5 models (1 is actually a 7.0 test srv).

In the registry...

hklm\software\microsoft SQL PROBE
    machine name
        logon     sa
        Password  60990991041181110490505

Through other means I already know the above password - but I do not know how to derive it from the above data. This pattern is repeated for each server the DBA seems to manage!

Several questions come to mind:

- Is the above an encrypted password for the SA account??
- What type of encryption algorithm is used (NT MD4, LanMan hash, other ...)?
- If I can decrypt the SA password - I am certain that I can use the SQL exploit xp_cmdshell "NT cmd" to issue any NT command as local system. This is a big exposure!!
- Does anyone know the encryption used for the above passwords?
- I also want to find out what software (poor config, feature, bug..) put these passwords in the registry.
- Also - the machine in question has Oracle installed on it - anyone know of any other passwords or data that can be gleaned from the registry? I already can run & use DumpAcl to get services & userids, groups .... since I am in the "Domain Users" group.

Therefore the biggest exposure is that other users could gain control of the SQL servers - if they viewed this DBA's registry.

Yes - - I know that the first hole to close is the remote reg edit but ... what software/user/... stored passwords like this in the registry in the first place.

pentester
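An added example, not code from the thread or from Database Scanner: an audit script in the spirit of the check Aaron describes, run over a registry export (.reg text) so it works offline. It only reports that a Password value sits under an SQL-related key and how long it is; it never decodes or prints the value. The key paths and the export itself are constructed sample data, not a real SQL Server 6.5/7.0 registry layout.

```python
"""Audit a .reg export for stored SQL Server logon passwords.

Mirrors what the thread says Database Scanner does: detect that a
password has been placed in the registry and report it, without
attempting to recover it. All paths/values below are constructed.
"""
import re

# Constructed export: one logon/Password pair per registered server,
# following the pattern in the original post. Not a real layout.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL PROBE\dbsrv01]
"logon"="sa"
"Password"="60990991041181110490505"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQL PROBE\dbsrv02]
"logon"="sa"
"Password"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.+))$')  # "name"="str" or =dword:..

def find_stored_sql_passwords(reg_text, key_marker="microsoft\\sql"):
    """Return [(key_path, logon, password_length)] for each key whose path
    contains key_marker (case-insensitive) and holds a non-empty 'Password'
    value. Only the length is kept so the report never carries the secret."""
    findings = []
    key, values = None, {}

    def flush():  # evaluate the key just finished, if it is SQL-related
        if key and key_marker in key.lower():
            pw = values.get("password", "")
            if pw:
                findings.append((key, values.get("logon", "?"), len(pw)))

    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            flush()
            key, values = m.group(1), {}
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    flush()
    return findings

if __name__ == "__main__":
    for key, logon, n in find_stored_sql_passwords(SAMPLE_REG):
        print(f"stored password for '{logon}' ({n} chars) under {key}")
```

Export the hive with regedit (or reg.exe) on the DBA workstation and feed the file to the script; an empty Password value is treated as no finding.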
Current thread:
- [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) ritter dan (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Todd Sabin (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)