RE: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

From: Sash (swissc@blueyonder.co.uk)
Date: Wed Jun 08 2005 - 17:08:32 EDT


If it's a 2k3 box running SQL - then you can bet your bottom dollar it's SQL
2000 > SP2 and then some.

Check the web app coz unless you have something up your sleeve, not much
happening at infrastructure level on that 2k3 box unless, as stated before,
there are some dodgy SA's, POP, tsgrind et al to have fun with.

-----Original Message-----
From: Chip Andrews [mailto:chip@sqlsecurity.com]
Sent: 08 June 2005 01:22
To: Hugo Vinicius Garcia Razera
Cc: pen-test@securityfocus.com
Subject: Re: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

You could also run SQLVer (www.sqlsecurity.com) against the box to see
what version of SQL Server is likely running. It detects the current
ssnetlib version which is 80% likely the same as the true SQL Server
version.

If it's old enough, then you can probably find plenty of exploit code
(which I will not publish - see Google). (I am assuming from your post
that you are authorized for this activity - keep in mind that you can
cause a denial of service if you smash the stack.)

The common passwords I see for sa are:

(blank)
sa
password
admin
as
sysadmin
root
system
manager

Chip Andrews, CISSP, MCDBA
chip@sqlsecurity.com
http://www.sqlsecurity.com

Hugo Vinicius Garcia Razera wrote:
> Hi everyone, I'm doing a pen test on a client, and have found that he
> has a windows 2003 server box on one segment of his public addresses;
> this is his dns/web/mail server:
>
> - mssql :1433
> - terminal services :3389
> - iis 6 :80
> - smtp :25
> - pop3 :110
> - dns : 53
> - ftp : filtered
>
> ports opened. I logged on the terminal services port with the winxp
> remote desktop utility and it connects perfectly.
>
> I tried a dictionary attack on the mssql server with the "sa" account and
> other user names I collected.
> Hydra from THC was the tool, but no success on this attack.
> Also tried tsgrinder for terminal services, but no success.
>
>
> well, here come some questions:
>
> - What other usernames should I try for sql and terminal services?
> I tried with "sa" for sql and "Administrator" for TS
>
> - Anyone know how I could identify what version of sql server is
> running?
> - What other services of this host can be exploited?
>
> any comments, ideas, suggestions would be greatly appreciated.
>
> Hugo Vinicius Garcia Razera
>
>
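The thread above turns on guessing the `sa` password (Hydra, the common-password list) and on an exposed 1433/tcp. From the defender's side, the same activity is loud: every rejected login lands in the SQL Server ERRORLOG as an error 18456 "Login failed for user" line. The script below is an added example written for this archive page, not code from any poster or from sqlsecurity.com. It parses those lines, groups failures by client address and target login, and flags a pair that exceeds a threshold inside a sliding time window, which is what a dictionary run looks like. The exact ERRORLOG wording differs between SQL Server versions (the `[CLIENT: ...]` suffix is not present on every build), so the regex treats the client address as optional, and the log excerpt embedded in the script is constructed sample input, not a capture from the server in the thread.

```python
"""Flag password-guessing runs against SQL Server logins from ERRORLOG lines.

Added example for this thread, not from any poster. The sample ERRORLOG
excerpt below is constructed, not a real capture; the 'Login failed for
user' wording is SQL Server error 18456 and the [CLIENT: ...] suffix is
optional because older builds omit it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client hammering 'sa', one unrelated failure for a
# service login, one failure without a client address, one non-logon line.
SAMPLE_ERRORLOG = """\
2005-06-08 01:15:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2005-06-08 01:15:02.11 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:15:05.32 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:15:08.90 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:15:12.04 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:15:15.77 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:15:19.13 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-08 01:30:44.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.4]
2005-06-08 02:10:00.00 Logon       Login failed for user 'sa'.
2005-06-08 02:11:00.00 server      SQL server listening on TCP, Shared Memory, Named Pipes.
"""

# Timestamp, the 'Logon' source column, the login name, and an optional
# trailing [CLIENT: addr] block.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'"
    r"(?:.*\[CLIENT: (?P<client>[^\]]+)\])?"
)


def parse_failures(log_text):
    """Return (timestamp, login, client) for every failed-login line.

    Lines that are not 18456 'Login failed' records are skipped; a record
    with no [CLIENT: ...] suffix is attributed to the client 'unknown'.
    """
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("client") or "unknown"))
    return events


def find_guessing_runs(events, threshold=5, window_seconds=60):
    """Group failures by (client, login) and flag bursts.

    For each pair, slide a window of window_seconds over the sorted
    timestamps and record the largest number of failures that fit inside
    it. Pairs whose peak reaches threshold are returned as
    {(client, login): peak_count}.
    """
    by_pair = defaultdict(list)
    for ts, user, client in events:
        by_pair[(client, user)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_ERRORLOG)
    print(f"{len(failures)} failed logins parsed")
    for (client, user), count in find_guessing_runs(failures).items():
        print(f"possible guessing run: {count} failures for '{user}' from {client}")
```

On the constructed excerpt the script reports eight failed logins and one run: six failures for `sa` from 203.0.113.7 inside a sixty-second window. The single `webapp` failure and the `sa` failure with no client address stay below the threshold. Threshold and window are parameters because a busy application server produces legitimate failure noise; tune them against your own baseline rather than the sample values here.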



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT