From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Mon Sep 19 2005 - 13:14:21 EDT
I'll add to the response below and say there are two things to do:
1. ) If you are local admin you own the box; just
either dump and crack the local SAM, or use LSADump
and find the account the SQL Server service is
running under.
2. ) Use SQL-native authentication (which they may
be doing) and since natively there is no way to enforce
password security requirements, I have yet to find a
MSSQL box that doesn't have accounts with db_owner
or db_admin roles that have passwords which are one
of the following:
*blank
*username
*username + number
*trivial dictionary list (cat)
Tools like AppSecInc's AppDetective come with some
good dictionary lists, and I usually customize users with
ones I can guess (or know) from the organization, as they
are often the same.
For simply enumerating MSSQL and brute forcing, a great
free utility is SQLPing2. I usually set DBAs up with it to
keep track of their SQL instances and how many have SA=blank
-ae
>-----Original Message-----
>From: Jeroen [mailto:jeroen@isvet.nl]
>Sent: Friday, September 16, 2005 12:41 PM
>To: pen-test@securityfocus.com
>Subject: Re: MS SQL Server
>
>
>xyberpix wrote:
>
><SNAP>
>> I have been able to
>> successfully add myself to the local Administrators group, and can
>> now TS into the box in question. I have absolutely no rights on the
>> SQL server though, so any pointers here would be greatly appreciated!
>
>Hi xyberpix,
>
>Most of the time, MSSQL-boxes use a "hybrid" authentication model; a
>combination of SQL authentication and NT authentication is
>used. So probably
>you can already connect to the database. The easiest ways to check:
>
>- start isql.exe while logged on as an Administrator;
>- install and start the MSSQL enterprise manager on _a_ box
>and connect to
>the MSSQL-box you've found using NT credentials. Enterprise
>manager makes it
>possible to view databases, data and to maintain them (backups etc.).
>
>If they use MSSQL authentication only:
>
>- try user SA with a blank password (*lol*);
>- run a pwdump on the NT-box and crack the password of the users found
>(LC5/rainbowtables). Most of the time found logon names and
>passwords are
>also used on SQL.
>
>Have fun and please let us know how the story ended ;)
>
>
>Greets,
>
>Jeroen
>
>
>
>---------------------------------------------------------------
>---------------
>Audit your website security with Acunetix Web Vulnerability Scanner:
>
>Hackers are concentrating their efforts on attacking
>applications on your
>website. Up to 75% of cyber attacks are launched on shopping
>carts, forms,
>login pages, dynamic content etc. Firewalls, SSL and
>locked-down servers are
>futile against web application hacking. Check your website for
>vulnerabilities
>to SQL injection, Cross site scripting and other web attacks
>before hackers do!
>Download Trial at:
>
>http://www.securityfocus.com/sponsor/pen-test_050831
>---------------------------------------------------------------
>----------------
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:56 EDT