Penetration Testing mailing list archives
Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)
From: "Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>
Date: Thu, 18 Jan 2001 17:39:43 -0500
Yes, there is clearly two issues here - passwords stored on a client through Enterprise Manager, which is what Pentester is referring to, are stored in clear text (6.5) or with a bad encryption algorithm (7.0). The issue you raise is cracking passwords stored in the database tables on the server. Encryption of these passwords was added after version 4.2. If you'd like to crack sql server passwords there are several ways out there to accomplish this. Go to Chip Andrew's website, www.sqlsecurity.com, click on downloads and then audit.sql. ISS also has a free prototype called SQL Cracker written by Jon Larimer that cracks 6.x passwords - you can download it from http://xforce.iss.net/protoworx/index.php. -----Original Message----- From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Attonbitus Deus Sent: Thursday, January 18, 2001 12:51 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) <snip> Now, this was for the passwords stored in sysxlogins that linked to the users in sysusers- I think this 'stored in the clear' business was regarding EnterpriseManager as Todd pointed out in his reply. Does anyone have any more info on this? I have penetrated many SQL boxes and retrieved the master db, but have never been able to crack the passwords in sysxlogins to get further down range. I think that if it really were simple, there would be crackers out there for it. Additionally, if the 6.5 system users and pwds really are in the clear, why would Pentester be asking us for the crypto? ----- Original Message ----- From: "Todd Sabin" <tas () webspan net> To: "Penetration Testers" <PEN-TEST () SECURITYFOCUS COM> Cc: "Attonbitus Deus" <Thor () HAMMEROFGOD COM> Sent: Wednesday, January 17, 2001 8:54 PM Subject: Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)
Attonbitus Deus <Thor () HAMMEROFGOD COM> writes:Todd Sabin discovered this and reported on it over 3 years ago... For
SQL
6.5, the username is clear, and the password is hashed via PKZip's
crypto
using a fixed key. This should be in the Bugtraq archives. 7.0 uses a different hash, and though dbsecure allows you to brute it
via
dictionary, I have not found a tool that cracks SQL 7.0 sa password when mixed mode is used.Actually, there were two separate issues, one of which was mine. What I found was that when you install SQL Server 6.5, it creates an NT account (not a sql one) named SQLExecutiveCmdExec or something like that, and stores the password in an Everyone:Read part of the registry, encrypted with PKZip's encryption with a fixed key. Since you normally need credentials to read the registry in the first place, it didn't get you all that much, really. MS seems to have fixed this in later versions, but I haven't looked at it too deeply. At around the same time, someone else (don't remember, sorry) reported that SQL Enterprise Manager stored (under the SQLEW key) the passwords to SQL accounts that you used to register servers. In that case, the passwords were stored plaintext, although it was in the midst of a blob of REG_BINARY data, so you had to look for it. Depending on configuration, it would put them either under HKCU or HKLM. Haven't seen the particular thing the original poster was asking about, though it looks like a similar problem. Todd
Current thread:
- [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) ritter dan (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Todd Sabin (Jan 17)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Aaron C. Newman (Jan 18)
- Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0) Attonbitus Deus (Jan 17)