Network Security Pen-Test

RE: MS SQL Server (cracking accounts)

Subject: RE: MS SQL Server (cracking accounts)
Date: Mon, 19 Sep 2005 12:14:21 -0500
I'll add to the response below and say there are two things to do:

1.) If you are local admin you own the box; just
either dump and crack the local SAM, or use LSADump
and find the account the SQL Server service is
running under.

2.) Use SQL-native authentication (which they may
be doing) and since natively there is no way to enforce
password security requirements, I have yet to find a
MSSQL box that doesn't have accounts with db_owner
or db_admin roles that have passwords which are one
of the following:

*blank
*username
*username + number
*trivial dictionary list (cat)

Tools like AppSecInc's AppDetective come with some
good dictionary lists, and I usually customize users with
ones I can guess (or know) from the organization, as they
are often the same.

For simply enumerating MSSQL and brute forcing, a great
free utility is SQLPing2. I usually set DBAs up with it to
keep track of their SQL instances and how many have SA=blank

-ae

-----Original Message-----
From: Jeroen [mailto:jeroen@isvet.nl] 
Sent: Friday, September 16, 2005 12:41 PM
To: pen-test@securityfocus.com
Subject: Re: MS SQL Server


xyberpix wrote:

<SNAP>
I have been able to
successfully add myself to the local Administrators group, and can
now TS into the box in question. I have absolutely no rights on the
SQL server though, so any pointers here would be greatly appreciated!

Hi xyberpix,

Most of the time, MSSQL-boxes use a "hybrid" authentication model; a
combination of SQL authentication and NT authentication is used. So probably
you can already connect to the database. The easiest ways to check:

- start isql.exe while logged on as an Administrator;
- install and start the MSSQL enterprise manager on _a_ box and connect to
the MSSQL-box you've found using NT credentials. Enterprise manager makes it
possible to view databases, data and to maintain them (backups etc.).

If they use MSSQL authentication only:

- try user SA with a blank password (*lol*);
- run a pwdump on the NT-box and crack the password of the users found
(LC5/rainbowtables). Most of the time found logon names and passwords are
also used on SQL.

Have fun and please let us know how the story ended ;)


Greets,

Jeroen 
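
For DBAs who want to check their own instances for the four weak patterns listed in the reply above (blank, username, username + number, trivial dictionary word), here is an added T-SQL example that is not part of the original thread. It assumes SQL Server 2008 or later (for the VALUES table constructor) and a caller with CONTROL SERVER, which is required to read password_hash; the suffix and word lists are constructed samples to be replaced with your own.

```sql
-- Added example (not from the thread): weak-password audit of SQL logins,
-- run by a sysadmin on an instance they administer.
WITH suffixes(n) AS (   -- constructed sample suffixes for "username + number"
    SELECT n FROM (VALUES (N'1'), (N'2'), (N'12'), (N'123'), (N'2005')) AS s(n)
),
words(w) AS (           -- constructed sample dictionary; extend with site terms
    SELECT w FROM (VALUES (N'cat'), (N'password'), (N'sql'), (N'admin')) AS d(w)
),
guesses AS (
    -- COLLATE DATABASE_DEFAULT avoids a collation conflict in the UNION when
    -- the server and database collations differ.
    SELECT l.principal_id, N'' COLLATE DATABASE_DEFAULT AS guess,
           'blank' AS finding
    FROM sys.sql_logins AS l
    UNION ALL
    SELECT l.principal_id, l.name COLLATE DATABASE_DEFAULT,
           'same as login name'
    FROM sys.sql_logins AS l
    UNION ALL
    SELECT l.principal_id, (l.name + s.n) COLLATE DATABASE_DEFAULT,
           'login name + number'
    FROM sys.sql_logins AS l CROSS JOIN suffixes AS s
    UNION ALL
    SELECT l.principal_id, d.w COLLATE DATABASE_DEFAULT,
           'dictionary word'
    FROM sys.sql_logins AS l CROSS JOIN words AS d
)
SELECT DISTINCT
       l.name,
       g.finding,
       l.is_disabled,
       l.is_policy_checked,       -- 0 = Windows password policy not applied
       l.is_expiration_checked    -- 0 = password never expires
FROM guesses AS g
JOIN sys.sql_logins AS l ON l.principal_id = g.principal_id
WHERE PWDCOMPARE(g.guess, l.password_hash) = 1
ORDER BY l.name, g.finding;
```

Every row returned is a login whose password should be reset; logins with is_policy_checked = 0 are the ones that can be given such passwords again.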





  • RE: MS SQL Server (cracking accounts), Evans, Arian <=