Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

["Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>]

Taken straight from the Database Scanner product (I'm assuming you mean
Database Scanner when you say dbsecure, dbsecure was the company that
originally built the product):

"In SQL Server 6.5, the passwords are stored unencrypted in the registry. In
SQL Server 7.0, the passwords are stored using a simple substitution
encryption method which can easily be deciphered by a skilled attacker."

Database Scanner does not actually attempt to figure out the password, it
simply detects that someone has placed a password there and lets you know.

I know of no one outside of ISS and Microsoft that is aware of the
algorithm, although I'm sure that it's because no one has made an effort. As
stated above, it's a simple substitution algorithm.



-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Attonbitus Deus
Sent: Wednesday, January 17, 2001 5:26 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)


Todd Sabin discovered this and reported on it over 3 years ago... For SQL
6.5, the username is clear, and the password is hashed via PKZip's crypto
using a fixed key.  This should be in the Bugtraq archives.

7.0 uses a different hash, and though dbsecure allows you to brute it via
dictionary, I have not found a tool that cracks SQL 7.0 sa password when
mixed mode is used.

HTH
AD

----- Original Message -----
From: "ritter dan" <pentester () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, January 17, 2001 1:41 PM
Subject: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)


> While conducting a pen test, internal user scenario, I
> came across the following:
>
> tested machines are NT 4.0 sp5 or higher
>
> I am a local user with no special authority (domain
> users group only).  I have the ability to perform
> "remote registry edits" on many machines.  (I know -
> this is bad & will be corrected asap!! & I know how to
> do so)
>
> but -
>
> while looking through a DBA machine's registry I found
> the following:
>
> All sql servers are 6.5 with a mix of std security &
> some integrated. the servers pointed to below are all
> std security 6.5 models  (1 is actually a 7.0 test
> srv)
>
> In the registry...
>
> hklm\software\microsoft
>
>   SQL PROBE
>         machine name
>                 logon           sa
>                 Password
> 60990991041181110490505
>
> Through other means I already know the above password
> - but I do not know how to derive it from the above
> data
>
> This pattern is repeated for each server the DBA seems
> to manage!
>
> Several questions come to mind:
>
> Is the above an encrypted password for the SA account
> ??
>
> What type of encryption algorithm is used (NT md4,
> Lanman hash, other ...)
>
> If I can decrypt the SA password - I am certain that I
> can use the sql exploit xp_cmdshell "NT cmd" to issue
> any nt command as local system.  This is a big
> exposure!!
>
> Does anyone know the encryption used for the above
> passwords ?
>
> I also want to find out what software (poor config,
> feature, bug..) put these passwords in the registry.
>
> Also - the machine in question has Oracle installed on
> it - anyone know of any other passwords or data that
> can be gleaned from the registry -  I already can run
> & use dumpacl to get services & userids, groups ....
> since I am in the "domain users" group.  therefore the
> biggest exposure is that other users could gain
> control of the SQL servers - if they viewed this dba's
> regisry. Yes - - I know that the first hole to close
> is the remote reg edit but ... what software/user/...
> stored passwords like this in the registry in the
> first place.
>
> pentester
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/