Penetration Testing mailing list archives
SQL injection
From: Faisal Khan <faisal () netxs com pk>
Date: Thu, 09 Jun 2005 20:37:38 +0500
Pardon the ignorance, but is there any hardware/software based device that can outright prevent/mitigate (detect?) SQL injections? Would an IDS be able to prevent this?
At 08:29 PM 6/9/2005, you wrote:
Another option you could try is to use ettercap to insert your laptop/pen-test system in as a Man-in-the-Middle between the SQL server and client systems and then capture the port 1433 traffic using tcpdump/ethereal/your favorite packet capturing program. This will definitely yield the 'sa' password (as well as others). If you're using Windows on your attack platform, consider using Cain & Abel as it can do the Man-in-the-Middle/SQL password capture all in one.

Ido
--
Ido Dubrawsky, CISSP
Senior Security Consultant
SBC/Callisma
(571) 633-9500 (Office)
(202) 213-9029 (Mobile)

> -----Original Message-----
> From: Erik Pace Birkholz [mailto:erik () specialopssecurity com]
> Sent: Thursday, June 09, 2005 4:06 AM
> To: Hugo Vinicius Garcia Razera; pen-test () securityfocus com
> Cc: Erik Pace Birkholz
> Subject: RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services
>
> Hugo,
>
> Based on the limited info you have provided, here is my advice.
>
> Have you done UDP port scans? If you haven't done so, scan to determine what UDP ports are open. Depending on what you find this could be helpful. For example, if SNMP is available with a default or guessable community name it will provide usernames among other goodies.
>
> Re: obtaining the SQL version; since the OS is Win3k the SQL server will likely be SQL 2000 with SP3 or later. If you really want to find out try SQLVer (www.sqlsecurity.com) as Chip already mentioned and try SQLRecon (www.SpecialOpsSecurity.com - click on LABS).
>
> With that said don't give up on the SQL "SA" brute force attacks. There is no account lock out for SA so rock and roll. SQLDict.exe works pretty well if you have a big dictionary file. Another option is ForceSQL.exe because it brute forces an account (sa) based on a user specified character set (charset.txt) up to a user specified max password length.
>
> You also mentioned DNS: 53. Not sure if you are referring to UDP or TCP? If it is TCP then you should try a zone transfer.
>
> Also don't forget full (1-65535) TCP port scans and source port scans (SRC=20,53,88,80,etc...)
>
> Finally use tracerouting, hping2, tcpdump, etc to determine if the blocking ACLs are on the host or a network device. Something is facilitating the firewalling that is hiding juicy MS specific ports like TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network firewall, perimeter router or what? Once you know this it will help direct your attempts to subvert that protection and get exposure to more ports on the target.
>
> Let us know how it goes!
>
> Good luck,
>
> Erik Pace Birkholz
> www.SpecialOpsSecurity.com
>
> -----Original Message-----
> From: Hugo Vinicius Garcia Razera [mailto:hviniciusg () gmail com]
> Sent: Tuesday, June 07, 2005 4:01 PM
> To: pen-test () securityfocus com
> Subject: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services
>
> Hi everyone, I'm doing a pen test on a client, and have found that he has a Windows 2003 Server box on one segment of his public addresses; this is his dns/web/mail server:
>
> - mssql :1433
> - terminal services :3389
> - iis 6 :80
> - smtp :25
> - pop3 :110
> - dns : 53
> - ftp : filtered
>
> ports open. I logged on to the Terminal Services port with the WinXP remote desktop utility and it connects perfectly.
>
> I tried a dictionary attack on the MSSQL server with the "sa" account and other usernames I collected.
> Hydra from THC was the tool, but no success on this attack.
> I also tried tsgrinder for Terminal Services, but no success.
>
> Well, here come some questions:
>
> - What other usernames should I try for SQL and Terminal Services? I tried "sa" for SQL and "Administrator" for TS.
>
> - Does anyone know how I could identify what version of SQL Server is running?
>
> - What other services of this host can be exploited?
>
> Any comments, ideas, suggestions would be greatly appreciated.
>
> Hugo Vinicius Garcia Razera
Faisal Khan
CEO
Net Access Communication Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6, PECHS, Main Shahrah-e-Faisal, Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: <http://www.netxs.com.pk/>www.netxs.com.pk
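The question above asks whether a network device or an IDS can stop SQL injection. The following is an added example, not code from anyone in this thread, that contrasts the two places the problem can be addressed: a naive network signature versus the application's own query construction. It uses an in-memory SQLite table and constructed sample rows as a stand-in for the MS-SQL server discussed in the thread (an assumption; the SQL semantics shown are the same on MS-SQL), and `login_vulnerable`, `login_parameterized`, `ids_flags` and `demo` are names chosen here for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): an in-memory SQLite
    users table standing in for the MS-SQL server under test."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("sa", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: attacker input becomes SQL."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# A naive IDS/WAF-style signature for the textbook payload ' OR '1'='1.
# Assumed here for illustration; it is not any real product's rule.
SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def ids_flags(payload):
    """True if the network signature would alert on this input."""
    return SIGNATURE.search(payload) is not None


def demo():
    """Runs four inputs through both code paths and the signature and
    returns, per case, what each login function yields and whether the
    signature fired on the username field."""
    conn = make_db()
    cases = {
        # legitimate login
        "normal": ("sa", "hunter2"),
        # the textbook payload the signature was written for
        "textbook": ("' OR '1'='1", "' OR '1'='1"),
        # comments out the password check; no '1'='1' anywhere
        "comment": ("sa' --", "wrong"),
        # same effect as textbook with a different literal
        "variant": ("' OR 'a'='a", "' OR 'a'='a"),
    }
    results = {}
    for name, (user, pw) in cases.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "parameterized": login_parameterized(conn, user, pw),
            "ids_alert": ids_flags(user),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The "comment" and "variant" cases bypass the signature yet still log in through the concatenated query, while the parameterized query rejects all three malicious inputs regardless of what the network saw. A signature-based device can alert on known payload shapes and is worth having as a detection layer, but it cannot see what the application does with the bytes; the prevention lives in how the query is built.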
Current thread:
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services, (continued)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Andres Riancho (Jun 07)
- Injecting commands into a mainframe through a servlet Frederic Charpentier (Jun 08)
- RE: Injecting commands into a mainframe through a servlet Jason Muskat (Jun 08)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Leandro Reox (Jun 09)
- Injecting commands into a mainframe through a servlet Frederic Charpentier (Jun 08)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Tomasz Piotr Palarz (Jun 09)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Hugo Vinicius Garcia Razera (Jun 10)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Geoff Varosky (Jun 07)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services mike king (Jun 07)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Erik Pace Birkholz (Jun 09)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services DUBRAWSKY, IDO (CALLISMA) (Jun 09)
- Message not available
- SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Joel Esler (Jun 09)
- Re: SQL injection ilaiy (Jun 09)
- Re: SQL injection Christian Martorella (Jun 09)
- Re: SQL injection Richard Barrell (Jun 09)
- Re: SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Matt Davis (Jun 09)
- Message not available
- RE: SQL injection Aric Perminter (Jun 09)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Andres Riancho (Jun 07)