Penetration Testing mailing list archives

RE: SQL injection


From: "Julian Totzek" <julian.totzek () bristol de>
Date: Fri, 10 Jun 2005 08:53:29 +0200

Hi Faisal,

Take a look at Imperva. They have a really good model for securing SQL databases. We advise this product if a customer has a
special need to secure his SQL databases.

If you say you are using Toplayer, I don't know which one you have, but the new models (IPS5500 series) also have the
ability to mitigate SQL injections by pattern! But as the previous posters said, mitigating SQL injections by pattern is a hard
thing to do.

Best regards

Julian Totzek
Consultant

THE BRISTOL GROUP Deutschland GmbH
Robert-Bosch-Straße 11
63225 Langen
Phone +49 (0) 6103 20 55 300
Fax +49 (0) 6103 70 27 87
Emergency Phone 0190/858 979 000 (1,86€/min)
julian.totzek () bristol de 
www.bristol.de 


HTTPS, HTTP, SMTP, IMAP, POP3 and FTP
Free 14-day trial of a CP Secure Antivirus Appliance
http://www.bristol.de/testing.htm
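The point made in this reply, that pattern matching is a hard way to stop SQL injection, as an added example that is not from the thread or from any vendor: a crude signature of the kind an inline device applies to request parameters, beside a string-built query and its parameterized form, run against a constructed in-memory table (the `SIGNATURE` rule, the table and the names in it are all assumptions).

```python
import re
import sqlite3

# Constructed sample table for the demo (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("O'Brien", "user"), ("sa", "admin")])
    conn.commit()
    return conn

# Hypothetical signature, the kind a pattern-matching IPS/WAF applies to a
# request parameter. It is not any real vendor's rule.
SIGNATURE = re.compile(r"'|--|;|\b(or|union|select)\b", re.IGNORECASE)

def pattern_filter_blocks(value: str) -> bool:
    """True if the inline pattern filter would drop this parameter value."""
    return SIGNATURE.search(value) is not None

def lookup_vulnerable(conn, name: str):
    # String concatenation: the input becomes part of the SQL text itself.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name: str):
    # Bound parameter: the input is data and is never parsed as SQL,
    # whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def demo():
    conn = make_db()
    injected = "x' OR '1'='1"      # the textbook tautology payload
    legit = "O'Brien"              # a legitimate name with an apostrophe
    return {
        # The filter stops the obvious payload ...
        "filter_blocks_injected": pattern_filter_blocks(injected),
        # ... and also a legitimate value: a false positive.
        "filter_blocks_legit": pattern_filter_blocks(legit),
        # The concatenated query returns every row for the payload.
        "vuln_injected_rows": len(lookup_vulnerable(conn, injected)),
        # The parameterized query returns nothing for the payload ...
        "param_injected_rows": len(lookup_parameterized(conn, injected)),
        # ... and still finds the legitimate name the filter rejected.
        "param_legit_rows": len(lookup_parameterized(conn, legit)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The filter both misses nothing here and blocks a valid name, which is the trade-off a pattern-based device lives with; the parameterized query fixes the problem in the application regardless of input.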
-----Original Message-----
From: Faisal Khan [mailto:faisal () netxs com pk]
Sent: Thursday, 9 June 2005 17:38
To: pen-test () securityfocus com
Subject: SQL injection



Pardon the ignorance, but is there any hardware/software based device that
can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
able to prevent this?






At 08:29 PM 6/9/2005, you wrote:
Another option you could try is to use ettercap to insert your
laptop/pen-test system in as a Man-in-the-Middle between the SQL server
and client systems and then capture the port 1433 traffic using
tcpdump/ethereal/your favorite packet capturing program.  This will
definitely yield the 'sa' password (as well as others).

If you're using Windows on your attack platform, consider using Cain &
Abel as it can do the Man-in-the-Middle/SQL password capture all in one.

Ido
--
Ido Dubrawsky, CISSP
Senior Security Consultant
SBC/Callisma
(571) 633-9500 (Office)
(202) 213-9029 (Mobile)


-----Original Message-----
From: Erik Pace Birkholz [mailto:erik () specialopssecurity com]
Sent: Thursday, June 09, 2005 4:06 AM
To: Hugo Vinicius Garcia Razera; pen-test () securityfocus com
Cc: Erik Pace Birkholz
Subject: RE: pen-test on a windows 2003 server box with MS-SQL and Terminal Services


Hugo,

Based on the limited info you have provided, here is my advice.

Have you done UDP port scans? If you haven't done so, scan to determine
what UDP ports are open. Depending on what you find this could be
helpful. For example, if SNMP is available with a default or guessable
community name it will provide usernames among other goodies.

Re: obtaining the SQL version; since the OS is Win3k the SQL server will
likely be SQL 2000 with SP3 or later. If you really want to find out try
SQLVer (www.sqlsecurity.com) as Chip already mentioned and try SQLRecon
(www.SpecialOpsSecurity.com -click on LABS).

With that said don't give up on the SQL "SA" brute force attacks. There
is no account lock out for SA so rock and roll. SQLDict.exe works pretty
well if you have a big dictionary file. Another option is ForceSQL.exe
because it brute forces an account (sa) based on a user specified
character set (charset.txt) up to a user specified max password length.

You also mentioned DNS: 53. Not sure if you are referring to UDP or TCP?
If it is TCP then you should try a zone transfer.

Also don't forget full (1-65535) TCP port scans and source port scans
(SRC=20,53,88,80,etc...)

Finally use tracerouting, hping2, tcpdump, etc to determine if the
blocking ACLs are on the host or a network device. Something is
facilitating the firewalling that is hiding juicy MS specific ports like
TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
firewall, perimeter router or what? Once you know this it will help
direct your attempts to subvert that protection and get exposure to more
ports on the target.

Let us know how it goes!

Good luck,

   Erik Pace Birkholz
      www.SpecialOpsSecurity.com



-----Original Message-----
From: Hugo Vinicius Garcia Razera [mailto:hviniciusg () gmail com]
Sent: Tuesday, June 07, 2005 4:01 PM
To: pen-test () securityfocus com
Subject: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

Hi everyone, I'm doing a pen test on a client, and have found that he
has a Windows 2003 Server box on one segment of his public addresses;
this is his DNS/web/mail server:

- mssql :1433
- terminal services :3389
- iis 6 :80
- smtp :25
- pop3 :110
- dns : 53
- ftp : filtered

ports opened. I logged on to the terminal services port with the WinXP
remote desktop utility and it connects perfectly.

I tried a dictionary attack on the MSSQL server with the "sa" account and
other user names I collected.
Hydra from THC was the tool, but no success on this attack.
Also tried tsgrinder for terminal services, but no success.


Well, here come some questions:

- What other usernames should I try for SQL and terminal services?
  I tried with "sa" for SQL and "Administrator" for TS

- Does anyone know how I could identify what version of SQL server is
running?
- What other services of this host can be exploited?

Any comments, ideas, suggestions would be greatly appreciated.

Hugo Vinicius Garcia Razera




Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: http://www.netxs.com.pk/




