Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services

[Chip Andrews <chip () sqlsecurity com>]

You could also run SQLVer (www.sqlsecurity.com) against the box to see
what version of SQL Server is likely running.  It detects the current
ssnetlib version which is 80% likely the same as the true SQL Server
version.

If it's old enough, then you can probably find plenty of exploit code
(which I will not publish - see Google).  (I am assuming from your post
that you are authorized for this activity - keep in mind that you can
cause a denial of service if you smash the stack)

The common passwords I see for sa are:

(blank)
sa
password
admin
as
sysadmin
root
system
manager

Chip Andrews, CISSP, MCDBA
chip () sqlsecurity com
http://www.sqlsecurity.com


Hugo Vinicius Garcia Razera wrote:
> Hi every one, I'm doing a pen test on a client, and have found that he
> have a windows 2003 server box on one segment of his public addresses
> this is his dns/web/mail server:
>
> - mssql :1433
> - terminal services :3389
> - iis 6 :80
> - smtp :25
> - pop3 :110
> - dns : 53
> - ftp : filtered
>
> ports opened, i logged on the terminal services port whit the winxp
> remote desktop utility and it connects perfectly.
>
> i tried a dictionari atack on mssql server whit the "sa" account and
> others user names i collected.
>  Hydra from THC was the tool, but no succes on this atack.
> also tried the tsgrinder for terminal services , but no success.
>
>
> well here come some questions:
>
> - What others Usernames should i try for sql and terminal services?
>   i tried whit "sa" for sql and "Administrator" for TS
>
> - Any one knows how could i identify what version of sql server is running.
> - What other services of this host can be exploited?
>
> any comments, ideas, suggestions would be greatly appreciated.
>
> Hugo Vinicius Garcia Razera