Penetration Testing mailing list archives
RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services
From: "DUBRAWSKY, IDO (CALLISMA)" <id3878 () sbc com>
Date: Thu, 9 Jun 2005 10:29:26 -0500
Another option you could try is to use ettercap to insert your laptop/pen-test system in as a Man-in-the-Middle between the SQL server and client systems and then capture the port 1433 traffic using tcpdump/ethereal/your favorite packet capturing program. This will definitely yield the 'sa' password (as well as others). If you're using Windows on your attack platform, consider using Cain & Abel as it can do the Man-in-the-Middle/SQL password capture all in one. Ido -- Ido Dubrawsky, CISSP Senior Security Consultant SBC/Callisma (571) 633-9500 (Office) (202) 213-9029 (Mobile)
-----Original Message----- From: Erik Pace Birkholz [mailto:erik () specialopssecurity com] Sent: Thursday, June 09, 2005 4:06 AM To: Hugo Vinicius Garcia Razera; pen-test () securityfocus com Cc: Erik Pace Birkholz Subject: RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Hugo, Based on the limited info you have provided, here is my advice. Have you done UDP port scans? If you haven't done so, scan to determine what UDP ports are open. Depending on what you find this could be helpful. For example, if SNMP is available with a default or guessable community name it will provide usernames among other goodies. Re: obtaining the SQL version; since the OS is Win3k the SQL server will likely be SQL 2000 with SP3 or later. If you really want to find out try SQLVer (www.sqlsecurity.com) as Chip already mentioned and try SQLRecon (www.SpecialOpsSecurity.com -click on LABS). With that said don't give up on the SQL "SA" brute force attacks. There is no account lock out for SA so rock and roll. SQLDict.exe works pretty well if you have a big dictionary file. Another option is ForceSQL.exe because it brute forces an account (sa) based on a user specified character set (charset.txt) up to a user specified max password length. You also mentioned DNS: 53. Not sure if you are referring to UDP or TCP? If it is TCP then you should try a zone transfer. Also don't forget full (1-65535) TCP port scans and source port scans (SRC=20,53,88,80,etc...) Finally use tracerouting, hping2, tcpdump, etc to determine if the blocking ACLs are on the host or a network device. Something is facilitating the firewalling that is hiding juicy MS specific ports like TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network firewall, perimeter router or what? Once you know this it will help direct your attempts to subvert that protection and get exposure to more ports on the target. Let us know how it goes! Good luck, Erik Pace Birkholz www.SpecialOpsSecurity.com -----Original Message----- From: Hugo Vinicius Garcia Razera [mailto:hviniciusg () gmail com] Sent: Tuesday, June 07, 2005 4:01 PM To: pen-test () securityfocus com Subject: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Hi every one, I'm doing a pen test on a client, and have found that he have a windows 2003 server box on one segment of his public addresses this is his dns/web/mail server: - mssql :1433 - terminal services :3389 - iis 6 :80 - smtp :25 - pop3 :110 - dns : 53 - ftp : filtered ports opened, i logged on the terminal services port whit the winxp remote desktop utility and it connects perfectly. i tried a dictionari atack on mssql server whit the "sa" account and others user names i collected. Hydra from THC was the tool, but no succes on this atack. also tried the tsgrinder for terminal services , but no success. well here come some questions: - What others Usernames should i try for sql and terminal services? i tried whit "sa" for sql and "Administrator" for TS - Any one knows how could i identify what version of sql server is running. - What other services of this host can be exploited? any comments, ideas, suggestions would be greatly appreciated. Hugo Vinicius Garcia Razera
Attachment:
DUBRAWSKY, IDO (CALLISMA).vcf
Description: DUBRAWSKY, IDO (CALLISMA).vcf
Current thread:
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services, (continued)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Andres Riancho (Jun 07)
- Injecting commands into a mainframe through a servlet Frederic Charpentier (Jun 08)
- RE: Injecting commands into a mainframe through a servlet Jason Muskat (Jun 08)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Leandro Reox (Jun 09)
- Injecting commands into a mainframe through a servlet Frederic Charpentier (Jun 08)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Tomasz Piotr Palarz (Jun 09)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Hugo Vinicius Garcia Razera (Jun 10)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Geoff Varosky (Jun 07)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services mike king (Jun 07)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Erik Pace Birkholz (Jun 09)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services DUBRAWSKY, IDO (CALLISMA) (Jun 09)
- Message not available
- SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Joel Esler (Jun 09)
- Re: SQL injection ilaiy (Jun 09)
- Re: SQL injection Christian Martorella (Jun 09)
- Re: SQL injection Richard Barrell (Jun 09)
- Re: SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Matt Davis (Jun 09)
- Message not available
- RE: SQL injection Aric Perminter (Jun 09)