Re: Is this value the SQL password hash ?

From: Thor (thor@hammerofgod.com)
Date: Fri Sep 10 2004 - 00:11:44 EDT


Basically, this unattended install file specifies that both the server and
agent are started under a domain account (from the 61680 entry), with the
domain and user you "X'd" out. The password is encrypted though, and is not
resultant of the standard method used to generate the passwords found in
sysxlogins that you can decrypt with David's NGSCrack.

This from KB 233312:

<snip>
On Windows NT, you can autostart SQLServerAgent only if you autostart
MSSQLServer as well, because the SQLServerAgent service is dependent on
MSSQLServer. The remaining entries in this section (SQLDomain,
SQLDomainAcct, SQLDomainPwd, and so forth) specify which Windows NT
account(s) will be used if the Local-Domain entry indicates that one or both
services will use a Windows NT domain account instead of the LocalSystem
account. These entries are not present when LocalSystem is being used. The
password entries are encrypted, and can only be obtained by running SQL
Server setup interactively to generate a new .iss file. If this is not
possible or practical in your circumstances, you must install MSSQLServer
and SQLServerAgent to run under the LocalSystem account (Local-Domain=3855).
Windows NT users can later change the service startup accounts, if desired
(see the SQL Server Books Online articles "How to set up a SQL Server
service to log on under a different user account (Windows NT)" and "Creating
SQL Server Services User Accounts"). On Windows NT, the utility Scm.exe (in
the MSSQL7\BINN directory) can be used after installation to change the
service startup account from LocalSystem to a domain account, if it is
necessary that this be automated. For more information see the Microsoft
Knowledge Base article referenced previously for details
</snip>

hth

T

----- Original Message -----
From: "nobody" <pentester@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, September 08, 2004 7:34 PM
Subject: Is this value the SQL password hash ?

> While doing a pen test I came across a Windows share
> that allowed anyone to read it. This share had an SQL
> SMS install input file of the form xxxx.iss
>
> In this file the following exists:
>
> [DlgServices-0]
> Local-Domain=61680
> AutoStart=15
> SQLDomain=XXXXX
> SQLDomainAcct=XXXSQL
> SQLDomainPwd=142e7e5da8cb39066a6f1759ec9aab
>
> The length of this entry versus the SQL sysxlogin data
> that David Litchfield talks about (in his
> whitepaper on SQL passwords) is quite different. Also
> the CQURE tool (SQLBF) seems to expect a different
> length hash.
>
> from ccqure.net - sqlbf tools - demo hashes
> foobar,0x0100905BB15ECA1847296A79ADD350E3138D6D255BF9FA24964FCA1847296A79ADD350E3138D6D255BF9FA24964F
>
> Does anyone know what type of hash the data following
> the SQLDomainPwd is ?
>
> It cannot be an NTLM hash or a LANMAN hash. Just to
> be sure I plugged it into LC4 and it did not recognize
> the hash. I will also try John-16 using all modes but
> I am guessing at this point.
>
> Oh - I cannot get admin status (yet) on the SQL server
> that I think this file was installed on. If I did so
> I could dump the SAM and the SQL hashes and see what
> matches.
>
> Anyone seen this before ?
>
> Thanks
>
> pentester

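An added example, not part of the original thread or of the KB article: a defender-side check that parses a setup .iss file and reports DlgServices sections that carry a domain service account, using the entries quoted above. The function name and both sample files are constructed, and the only Local-Domain values assumed are the two that appear in this thread (3855 and 61680).

```python
import configparser

LOCALSYSTEM = "3855"  # KB 233312: Local-Domain value when the services run as LocalSystem

# Constructed samples; the password value is a placeholder, not a real entry.
SAMPLE_DOMAIN = """[DlgServices-0]
Local-Domain=61680
AutoStart=15
SQLDomain=XXXXX
SQLDomainAcct=XXXSQL
SQLDomainPwd=PLACEHOLDER-ENCRYPTED-VALUE
"""
SAMPLE_LOCALSYSTEM = """[DlgServices-0]
Local-Domain=3855
AutoStart=15
"""

def audit_iss(text):
    """Return one finding per DlgServices section that names a domain account."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the .iss file
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.lower().startswith("dlgservices"):
            continue
        sec = cp[name]
        mode = (sec.get("Local-Domain") or "").strip()
        pwd = (sec.get("SQLDomainPwd") or "").strip()
        # Per the KB text, the SQLDomain* entries are absent under LocalSystem,
        # so either a password entry or a non-LocalSystem mode is worth reporting.
        if not pwd and mode in ("", LOCALSYSTEM):
            continue
        findings.append({
            "section": name,
            "local_domain": mode,
            "account": (sec.get("SQLDomain") or "?") + "\\" + (sec.get("SQLDomainAcct") or "?"),
            # Report presence only; the encrypted value is never copied into findings.
            "has_encrypted_password": bool(pwd),
        })
    return findings

if __name__ == "__main__":
    for f in audit_iss(SAMPLE_DOMAIN):
        print(f)
```

Run over every .iss file on shares readable by ordinary users; a finding means the file should be moved or its share permissions tightened.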



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT