Penetration Testing mailing list archives

RE: MS SQL Server (cracking accounts)


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 19 Sep 2005 12:14:21 -0500

I'll add to the response below and say there are two things to do:

1. ) If you are local admin you own the box; just
either dump and crack the local SAM, or use LSADump
and find the account the SQL Server service is
running under.

2. ) Use SQL-native authentication (which they may
be doing) and since natively there is no way to enforce
password security requirements, I have yet to find an
MSSQL box that doesn't have accounts with db_owner
or db_admin roles that have passwords which are one
of the following:

*blank
*username
*username + number
*trivial dictionary list (cat)

Tools like AppSecInc's AppDetective come with some
good dictionary lists, and I usually customize users with
ones I can guess (or know) from the organization, as they
are often the same.

For simply enumerating MSSQL and brute forcing, a great
free utility is SQLPing2. I usually set DBAs up with it to
keep track of their SQL instances and how many have SA=blank.

-ae

-----Original Message-----
From: Jeroen [mailto:jeroen () isvet nl] 
Sent: Friday, September 16, 2005 12:41 PM
To: pen-test () securityfocus com
Subject: Re: MS SQL Server


xyberpix wrote:

<SNAP>
I have been able to
successfully add myself to the local Administrators group, and can
now TS into the box in question. I have absolutely no rights on the
SQL server though, so any pointers here would be greatly appreciated!

Hi xyberpix,

Most of the time, MSSQL-boxes use a "hybrid" authentication model; a
combination of SQL authentication and NT authentication is used. So probably
you can already connect to the database. The easiest ways to check:

- start isql.exe while logged on as an Administrator;
- install and start the MSSQL enterprise manager on _a_ box and connect to
the MSSQL-box you've found using NT credentials. Enterprise manager makes it
possible to view databases, data and to maintain them (backups etc.).

If they use MSSQL authentication only:

- try user SA with a blank password (*lol*);
- run a pwdump on the NT-box and crack the password of the users found
(LC5/rainbowtables). Most of the time found logon names and passwords are
also used on SQL.

Have fun and please let us know how the story ended ;)


Greets,

Jeroen 
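An added example, not from either post above: the T-SQL below audits an instance for the weak SQL-native login passwords Arian lists (blank, username, username plus a number, a short dictionary), run over whatever connection Jeroen's check gives you (isql/osql/sqlcmd with -E while logged on as a local Administrator, or a sysadmin SQL login). It assumes SQL Server 2005 or later, where sys.sql_logins exposes password_hash and PWDCOMPARE() tests a cleartext candidate against that hash; password_hash reads NULL unless the caller holds CONTROL SERVER, so the first query confirms you are sysadmin before the audit runs. The dictionary words are a constructed sample, not a real list.

```sql
-- Added example, not code from the original posts.
-- Assumes SQL Server 2005+ and a caller with CONTROL SERVER (sysadmin);
-- without it sys.sql_logins.password_hash is NULL and nothing matches.
SET NOCOUNT ON;

-- Step 1 (Jeroen's check): who did the connection land as, and is it sysadmin?
SELECT SUSER_SNAME() AS connected_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Step 2 (Arian's list): candidate passwords per SQL-native login.
-- Constructed sample dictionary; replace with the organisation-specific words
-- you can guess, as the post suggests.
DECLARE @dict TABLE (word nvarchar(128));
INSERT INTO @dict (word) VALUES
    (N'password'), (N'Password1'), (N'sa'), (N'sql'),
    (N'admin'), (N'cat'), (N'123456'), (N'welcome');

WITH digits AS (
    SELECT 0 AS d UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3
    UNION ALL SELECT 4 UNION ALL SELECT 5 UNION ALL SELECT 6
    UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9
),
numbers AS (
    -- suffixes '0'..'99' for the "username + number" pattern
    SELECT CAST(t.d * 10 + o.d AS nvarchar(2)) AS n
    FROM digits t CROSS JOIN digits o
),
candidates AS (
    SELECT l.name, N'blank' AS pattern, N'' AS candidate
    FROM sys.sql_logins l
    UNION ALL
    SELECT l.name, N'username', l.name
    FROM sys.sql_logins l
    UNION ALL
    SELECT l.name, N'username+number', l.name + n.n
    FROM sys.sql_logins l CROSS JOIN numbers n
    UNION ALL
    SELECT l.name, N'dictionary', d.word
    FROM sys.sql_logins l CROSS JOIN @dict d
)
SELECT c.name          AS login_name,
       c.pattern,
       c.candidate,
       l.is_disabled,
       l.is_policy_checked   -- 0: created without CHECK_POLICY
FROM candidates c
JOIN sys.sql_logins l ON l.name = c.name
WHERE PWDCOMPARE(c.candidate, l.password_hash) = 1
ORDER BY c.name, c.pattern;
```

Every row returned is a login whose current password equals the listed candidate; sa with a blank password shows up as pattern 'blank'. The is_policy_checked column is there because a login created with CHECK_POLICY = OFF is the usual route by which blank and username passwords survive on 2005+ instances. Saved as, for example, weak_sql_logins.sql, it runs with `sqlcmd -E -S <host> -i weak_sql_logins.sql` (the host name is yours to fill in).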



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


