RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services

From: Leandro Reox (lmet5on@fibertel.com.ar)
Date: Thu Jun 09 2005 - 05:19:29 EDT

• Next message: DUBRAWSKY, IDO (CALLISMA): "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Previous message: Frederic Charpentier: "Re: Injecting commands into a mainframe through a servlet"
• In reply to: Andres Riancho: "Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Next in thread: Erik Pace Birkholz: "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Sql inject it's a good practice with web based applications interconnected
with databases, especially M$ ;), maybe you can play with some forms at his
website.
Always suggest a frontend (webserver) backend (db server) structure, db
services must not be published ( like your case ) to internet, this is a
HUGE risk for the customer.

Here is a good paper of Hernan M. Racciatti about SqlInjetct
http://www.hernanracciatti.com.ar/papers_and_download.html

Hope it helps

Cheers

-----Original Message-----
From: Andres Riancho [mailto:andres.riancho@gmail.com]
Sent: Wednesday, June 08, 2005 12:42 AM
To: Hugo Vinicius Garcia Razera
Cc: pen-test@securityfocus.com
Subject: Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal
Services

If they have a web site online , and also a mssql i guess that the web
uses some of the database content. I would try some SQL Injection on
their site.

Cheers,

Andres Riancho

Hugo Vinicius Garcia Razera wrote:

>Hi every one, I'm doing a pen test on a client, and have found that he
>have a windows 2003 server box on one segment of his public addresses
>this is his dns/web/mail server:
>
>- mssql :1433
>- terminal services :3389
>- iis 6 :80
>- smtp :25
>- pop3 :110
>- dns : 53
>- ftp : filtered
>
>ports opened, i logged on the terminal services port whit the winxp
>remote desktop utility and it connects perfectly.
>
>i tried a dictionari atack on mssql server whit the "sa" account and
>others user names i collected.
> Hydra from THC was the tool, but no succes on this atack.
>also tried the tsgrinder for terminal services , but no success.
>
>
>well here come some questions:
>
>- What others Usernames should i try for sql and terminal services?
> i tried whit "sa" for sql and "Administrator" for TS
>
>- Any one knows how could i identify what version of sql server is running.
>- What other services of this host can be exploited?
>
>any comments, ideas, suggestions would be greatly appreciated.
>
>Hugo Vinicius Garcia Razera
>
>

• Next message: DUBRAWSKY, IDO (CALLISMA): "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Previous message: Frederic Charpentier: "Re: Injecting commands into a mainframe through a servlet"
• In reply to: Andres Riancho: "Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Next in thread: Erik Pace Birkholz: "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:23 EDT