Penetration Testing mailing list archives

[PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)


From: ritter dan <pentester () YAHOO COM>
Date: Wed, 17 Jan 2001 13:41:46 -0800

While conducting a pen test (internal user scenario), I
came across the following:

Tested machines are NT 4.0 SP5 or higher.

I am a local user with no special authority (Domain
Users group only). I have the ability to perform
"remote registry edits" on many machines. (I know,
this is bad and will be corrected ASAP, and I know how to
do so.)

but -

While looking through a DBA machine's registry I found
the following:

All SQL servers are 6.5 with a mix of standard security and
some integrated. The servers pointed to below are all
standard security 6.5 models (one is actually a 7.0 test
server).

In the registry...

HKLM\Software\Microsoft\SQL PROBE\<machine name>
        logon           sa
        Password        60990991041181110490505

Through other means I already know the above password,
but I do not know how to derive it from the above
data.

This pattern is repeated for each server the DBA seems
to manage!

Several questions come to mind:

Is the above an encrypted password for the SA account?

What type of encryption algorithm is used (NT MD4,
LanMan hash, other ...)?

If I can decrypt the SA password, I am certain that I
can use the SQL exploit xp_cmdshell "NT cmd" to issue
any NT command as LocalSystem. This is a big
exposure!!

Does anyone know the encryption used for the above
passwords?

I also want to find out what software (poor config,
feature, bug..) put these passwords in the registry.

Also, the machine in question has Oracle installed on
it. Anyone know of any other passwords or data that
can be gleaned from the registry? I already can run
and use DumpAcl to get services and user IDs, groups ...
since I am in the "Domain Users" group. Therefore the
biggest exposure is that other users could gain
control of the SQL servers if they viewed this DBA's
registry. Yes, I know that the first hole to close
is the remote registry edit, but ... what software/user/...
stored passwords like this in the registry in the
first place?

pentester
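An added audit helper for defenders following up on the post above (not code from the original poster): it enumerates the HKLM\Software\Microsoft\SQL PROBE key on the local machine and reports which server entries carry a stored Password value, without decoding or displaying the value. It assumes, as the post's registry layout suggests, that each server is a subkey holding "logon" and "Password" values; the function name Find-SqlProbeCredentials is hypothetical.

```powershell
# Audit helper (added example, not from the original post).
# Assumption from the post's layout: HKLM\Software\Microsoft\SQL PROBE\<server>
# holds the values "logon" and "Password" for each managed server.
function Find-SqlProbeCredentials {
    [CmdletBinding()]
    param(
        [string]$ProbeKey = 'HKLM:\SOFTWARE\Microsoft\SQL PROBE'
    )

    if (-not (Test-Path -LiteralPath $ProbeKey)) {
        Write-Verbose "No SQL PROBE key present at $ProbeKey"
        return
    }

    foreach ($server in Get-ChildItem -LiteralPath $ProbeKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $server.PSPath -ErrorAction SilentlyContinue
        $pw    = [string]$props.Password

        # Report only that a password is stored and how long the stored
        # value is; the value itself is never written to output or logs.
        $len = if ($pw) { $pw.Length } else { 0 }

        [pscustomobject]@{
            Server         = $server.PSChildName
            Logon          = $props.logon
            StoresPassword = [bool]$pw
            PasswordLength = $len
            IsSa           = ($props.logon -eq 'sa')
        }
    }
}

# Usage: list every entry with a stored password, sa logins first,
# so the DBA can clear the stored credentials and the SA password can be rotated.
Find-SqlProbeCredentials -Verbose |
    Where-Object { $_.StoresPassword } |
    Sort-Object IsSa -Descending |
    Format-Table -AutoSize
```

Run it on the DBA workstation itself rather than over remote registry access; the finding to record is the presence of the entry, not its contents.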




