From: olle (olle@nxs.se)
Date: Mon Jun 17 2002 - 15:45:47 EDT
! WARNING - blatant plugs !
On Thu, Jun 13, 2002 at 02:49:02PM -0500, Blake Frantz wrote:
>
> Does the SQL server authenticate via trusted connections? Provided you
> can sniff/snarf for NTLM you should be able to get domain credentials
> whenever someone authenticates to the server (unless NTLMv2 auth is
> used, I don't think I've seen a tool for this, anyone?)
huggorm[1] works fine with both old-style NTLM and new SSP exchanges, both
on SMB/IP (tcp 445) and SMB/NB/IP (tcp 139) and will probably be able to
sniff NT challenge-responses if the MSSQL server uses named pipe transport.
> Have you tried to nbtdump/enum the other winboxen? Aside from names of
> share and users I've seen admins actually put passwords in the Comment
> field for user accounts that pertain to specific services. Seriously.
> If all else fails brute force accounts using nat
> http://www.cotse.com/tools/sw/nat10bin.zip.
Check out skravel and netu at http://olle.nxs.se/
I also recommend winfo at http://www.ntsecurity.nu/toolbox/winfo/
/olle, self-promoting bastard.
[1] http://olle.nxs.se/software/huggorm/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT