RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services
From: Leandro Reox (lmet5on_at_fibertel.com.ar)
To: "'Hugo Vinicius Garcia Razera'" <firstname.lastname@example.org> Date: Thu, 9 Jun 2005 07:19:29 -0200
Sql inject it's a good practice with web based applications interconnected
with databases, especially M$ ;), maybe you can play with some forms at his
Always suggest a frontend (webserver) backend (db server) structure, db
services must not be published ( like your case ) to internet, this is a
HUGE risk for the customer.
Here is a good paper of Hernan M. Racciatti about SqlInjetct
Hope it helps
From: Andres Riancho [mailto:email@example.com]
Sent: Wednesday, June 08, 2005 12:42 AM
To: Hugo Vinicius Garcia Razera
Subject: Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal
If they have a web site online , and also a mssql i guess that the web
uses some of the database content. I would try some SQL Injection on
Hugo Vinicius Garcia Razera wrote:
>Hi every one, I'm doing a pen test on a client, and have found that he
>have a windows 2003 server box on one segment of his public addresses
>this is his dns/web/mail server:
>- mssql :1433
>- terminal services :3389
>- iis 6 :80
>- smtp :25
>- pop3 :110
>- dns : 53
>- ftp : filtered
>ports opened, i logged on the terminal services port whit the winxp
>remote desktop utility and it connects perfectly.
>i tried a dictionari atack on mssql server whit the "sa" account and
>others user names i collected.
> Hydra from THC was the tool, but no succes on this atack.
>also tried the tsgrinder for terminal services , but no success.
>well here come some questions:
>- What others Usernames should i try for sql and terminal services?
> i tried whit "sa" for sql and "Administrator" for TS
>- Any one knows how could i identify what version of sql server is running.
>- What other services of this host can be exploited?
>any comments, ideas, suggestions would be greatly appreciated.
>Hugo Vinicius Garcia Razera