Re: [PEN-TEST] SQL 6.5 & 7.0 passwords in the registry (NT 4.0)

[Todd Sabin <tas () WEBSPAN NET>]

Attonbitus Deus <Thor () HAMMEROFGOD COM> writes:

> Todd Sabin discovered this and reported on it over 3 years ago... For SQL
> 6.5, the username is clear, and the password is hashed via PKZip's crypto
> using a fixed key.  This should be in the Bugtraq archives.
>
> 7.0 uses a different hash, and though dbsecure allows you to brute it via
> dictionary, I have not found a tool that cracks SQL 7.0 sa password when
> mixed mode is used.

Actually, there were two separate issues, one of which was mine.

What I found was that when you install SQL Server 6.5, it creates an
NT account (not a sql one) named SQLExecutiveCmdExec or something like
that, and stores the password in an Everyone:Read part of the
registry, encrypted with PKZip's encryption with a fixed key.  Since
you normally need credentials to read the registry in the first place,
it didn't get you all that much, really.  MS seems to have fixed this
in later versions, but I haven't looked at it too deeply.

At around the same time, someone else (don't remember, sorry) reported
that SQL Enterprise Manager stored (under the SQLEW key) the passwords
to SQL accounts that you used to register servers.  In that case, the
passwords were stored plaintext, although it was in the midst of a
blob of REG_BINARY data, so you had to look for it.  Depending on
configuration, it would put them either under HKCU or HKLM.

Haven't seen the particular thing the original poster was asking
about, though it looks like a similar problem.


Todd