Re: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

From: Aaron Oh (aaron.oh@gmail.com)
Date: Tue Jun 07 2005 - 20:02:30 EDT


First, you have to follow proper methodology. Running automated tools
and expecting to be successful is bad practice. Try to perform
manual testing on these ports. Looks as though one could potentially
find out a lot from this box.
To start you off, try to identify valid userids through 25. Try to do a
zone transfer through 53. Find out whether MSSQL has a blank SA password. If so,
you can gain system access to the host OS. For more on this
vulnerability:
http://www.securiteam.com/windowsntfocus/5EP0O0K2AS.html

Cheers.
-Aaron

On 6/7/05, Hugo Vinicius Garcia Razera <hviniciusg@gmail.com> wrote:
> Hi everyone, I'm doing a pen test on a client, and have found that he
> has a Windows 2003 Server box on one segment of his public addresses;
> this is his DNS/web/mail server:
>
> - mssql :1433
> - terminal services :3389
> - iis 6 :80
> - smtp :25
> - pop3 :110
> - dns : 53
> - ftp : filtered
>
> ports opened. I logged on to the terminal services port with the WinXP
> remote desktop utility and it connects perfectly.
>
> I tried a dictionary attack on the MSSQL server with the "sa" account and
> other user names I collected.
> Hydra from THC was the tool, but no success on this attack.
> I also tried TSGrinder for terminal services, but no success.
>
>
> Well, here come some questions:
>
> - What other usernames should I try for SQL and terminal services?
> I tried with "sa" for SQL and "Administrator" for TS.
>
> - Does anyone know how I could identify what version of SQL Server is running?
> - What other services on this host can be exploited?
>
> Any comments, ideas, suggestions would be greatly appreciated.
>
> Hugo Vinicius Garcia Razera
>

-- 
"For I know the plans I have for you,
plans to prosper you and not to harm you, 
plans to give you hope and a future."
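Detection logic for the activity described in this thread (a Hydra dictionary attack against the MSSQL "sa" account and TSGrinder against Terminal Services), added here as an example and not part of the original post. It assumes constructed, simplified log lines in the SQL Server errorlog and Windows 2003 Security log (event 529, logon type 10) formats, in time order; a server exposing 1433 and 3389 to public addresses should be alerting on exactly this pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not from the thread): SQL Server errorlog-style failures
# and simplified Windows 2003 Security log entries (event 529; logon type 10 = TS).
SAMPLE_LOG = """\
2005-06-07 19:58:01 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 19:58:02 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 19:58:02 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 19:58:03 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 19:58:03 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 19:58:04 SQL Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:10 SEC Event 529 Logon Failure User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.7
2005-06-07 20:01:11 SEC Event 529 Logon Failure User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.7
2005-06-07 20:01:11 SEC Event 529 Logon Failure User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.7
2005-06-07 20:15:00 SEC Event 529 Logon Failure User Name: jsmith Logon Type: 10 Source Network Address: 198.51.100.5
"""

SQL_RE = re.compile(r"^(\S+ \S+) SQL Login failed for user '([^']+)'\. \[CLIENT: ([\d.]+)\]")
TS_RE = re.compile(r"^(\S+ \S+) SEC Event 529 .*User Name: (\S+) .*Logon Type: 10 "
                   r".*Source Network Address: ([\d.]+)")

def parse_line(line):
    """Return (timestamp, service, account, source_ip) for a failed logon, else None."""
    for service, rx in (("MSSQL", SQL_RE), ("TS", TS_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            return ts, service, m.group(2), m.group(3)
    return None

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """One alert per (service, account, source) whose failures reach `threshold`
    within any sliding `window`; log lines are assumed to be in time order."""
    recent = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, service, account, src = ev
        key = (service, account, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.pop(0)
        if len(q) >= threshold and key not in alerts:
            alerts.append(key)
    return alerts
```

With the defaults only the six rapid "sa" failures trip the rule; lowering the threshold to 3 also flags the Administrator attempts over Terminal Services from the same source, while the single jsmith failure never does.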


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT