Re: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

From: Chip Andrews (chip@sqlsecurity.com)
Date: Tue Jun 07 2005 - 20:22:09 EDT


You could also run SQLVer (www.sqlsecurity.com) against the box to see
what version of SQL Server is likely running. It detects the current
ssnetlib version which is 80% likely the same as the true SQL Server
version.

If it's old enough, then you can probably find plenty of exploit code
(which I will not publish - see Google). (I am assuming from your post
that you are authorized for this activity - keep in mind that you can
cause a denial of service if you smash the stack)

The common passwords I see for sa are:

(blank)
sa
password
admin
as
sysadmin
root
system
manager

Chip Andrews, CISSP, MCDBA
chip@sqlsecurity.com
http://www.sqlsecurity.com

Hugo Vinicius Garcia Razera wrote:
> Hi everyone, I'm doing a pen test on a client, and have found that he
> has a Windows 2003 Server box on one segment of his public addresses;
> this is his DNS/web/mail server:
>
> - mssql :1433
> - terminal services :3389
> - iis 6 :80
> - smtp :25
> - pop3 :110
> - dns : 53
> - ftp : filtered
>
> Ports open. I logged on to the Terminal Services port with the WinXP
> Remote Desktop utility and it connects perfectly.
>
> I tried a dictionary attack on the MSSQL server with the "sa" account and
> other user names I collected.
> Hydra from THC was the tool, but no success on this attack.
> I also tried TSGrinder for Terminal Services, but no success.
>
>
> Well, here come some questions:
>
> - What other usernames should I try for SQL and Terminal Services?
> I tried with "sa" for SQL and "Administrator" for TS.
>
> - Does anyone know how I could identify what version of SQL Server is running?
> - What other services of this host can be exploited?
>
> Any comments, ideas, suggestions would be greatly appreciated.
>
> Hugo Vinicius Garcia Razera
>
>
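As an added example for this thread (it is not part of Chip's reply, Hugo's post, or any SQLSecurity tool): the Hydra dictionary attack against "sa" that Hugo describes is what the box's owner should be looking for in the SQL Server error log. The script below parses "Login failed for user" lines and flags a client that produces a burst of failures against one or more logins. The log lines are constructed in the style of the SQL Server error log, and the burst threshold and time window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a SQL Server error log
# (not captured from any real host). 203.0.113.7 is cycling through
# the same kind of weak sa/admin guesses discussed in the thread;
# 192.0.2.20 is an application account that mistyped its password once.
SAMPLE_LOG = """\
2005-06-07 20:01:02.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:02.31 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:02.52 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:02.74 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:02.95 Logon       Login failed for user 'sysadmin'. [CLIENT: 203.0.113.7]
2005-06-07 20:01:03.17 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-07 20:05:44.00 Logon       Login failed for user 'webapp'. [CLIENT: 192.0.2.20]
2005-06-07 20:07:10.00 Logon       Login succeeded for user 'webapp'. Connection: Non-Trusted. [CLIENT: 192.0.2.20]
"""

# Matches only failed SQL logins; the successful-login line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, username, client_ip) for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_guessing_bursts(events, threshold=5, window_seconds=60):
    """Return {client_ip: (total_failures, sorted usernames tried)} for every
    client that produced at least `threshold` failures inside any window of
    `window_seconds`. Threshold and window are assumed values, not a standard."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    alerts = {}
    for client, items in by_client.items():
        items.sort()
        start = 0
        # Sliding window over the client's failures in time order.
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in items})
                alerts[client] = (len(items), users)
                break
    return alerts


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_LOG)
    for client, (count, users) in find_guessing_bursts(failures).items():
        print(f"password guessing from {client}: {count} failures, logins tried {users}")
```

A single failure from the application account never trips the threshold, while the scripted run against sa, admin and sysadmin from one address does. The same logic applies to the Windows Security log for the Terminal Services side (logon failure events from a single source), which is where a TSGrinder run would show up.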



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT