RE: pen-test on a windows 2003 server box with MS-SQL and Terminal Services

Date: 06/09/05

  • Next message: Faisal Khan: "SQL injection"
    Date: Thu, 9 Jun 2005 10:29:26 -0500
    To: "Erik Pace Birkholz" <>, "Hugo Vinicius Garcia Razera" <>, <>

    Another option you could try is to use ettercap to insert your
    laptop/pen-test system in as a Man-in-the-Middle between the SQL server
    and client systems and then capture the port 1433 traffic using
    tcpdump/ethereal/your favorite packet capturing program. This will
    definitely yield the 'sa' password (as well as others).

    If you're using Windows on your attack platform, consider using Cain &
    Abel as it can do the Man-in-the-Middle/SQL password capture all in one.


    Ido Dubrawsky, CISSP
    Senior Security Consultant
    (571) 633-9500 (Office)
    (202) 213-9029 (Mobile)
    > -----Original Message-----
    > From: Erik Pace Birkholz [] 
    > Sent: Thursday, June 09, 2005 4:06 AM
    > To: Hugo Vinicius Garcia Razera;
    > Cc: Erik Pace Birkholz
    > Subject: RE: pen-test on a windows 2003 server box with MS-SQL and Terminal Services
    >
    > Hugo,
    >
    > Based on the limited info you have provided, here is my advice.
    >
    > Have you done UDP port scans? If you haven't done so, scan to determine
    > what UDP ports are open. Depending on what you find this could be
    > helpful. For example, if SNMP is available with a default or guessable
    > community name it will provide usernames among other goodies.
    >
    > Re: obtaining the SQL version; since the OS is Win3k the SQL server will
    > likely be SQL 2000 with SP3 or later. If you really want to find out try
    > SQLVer ( as Chip already mentioned and try SQLRecon
    > ( -click on LABS).
    >
    > With that said don't give up on the SQL "SA" brute force attacks. There
    > is no account lock out for SA so rock and roll. SQLDict.exe works pretty
    > well if you have a big dictionary file. Another option is ForceSQL.exe
    > because it brute forces an account (sa) based on a user specified
    > character set (charset.txt) up to a user specified max password length.
    >
    > You also mentioned DNS: 53. Not sure if you are referring to UDP or TCP?
    > If it is TCP then you should try a zone transfer.
    >
    > Also don't forget full (1-65535) TCP port scans and source port scans
    > (SRC=20,53,88,80,etc...)
    >
    > Finally use tracerouting, hping2, tcpdump, etc to determine if the
    > blocking ACLs are on the host or a network device. Something is
    > facilitating the firewalling that is hiding juicy MS specific ports like
    > TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
    > firewall, perimeter router or what? Once you know this it will help
    > direct your attempts to subvert that protection and get exposure to more
    > ports on the target.
    >
    > Let us know how it goes!
    >
    > Good luck,
    >    Erik Pace Birkholz
    > -----Original Message-----
    > From: Hugo Vinicius Garcia Razera [] 
    > Sent: Tuesday, June 07, 2005 4:01 PM
    > To:
    > Subject: pen-test on a windows 2003 server box with MS-SQL and Terminal Services
    >
    > Hi everyone, I'm doing a pen test on a client, and have found that he
    > has a windows 2003 server box on one segment of his public addresses;
    > this is his dns/web/mail server:
    >
    > - mssql :1433
    > - terminal services :3389
    > - iis 6 :80
    > - smtp :25
    > - pop3 :110
    > - dns : 53
    > - ftp : filtered
    >
    > ports opened. I logged on to the terminal services port with the winxp
    > remote desktop utility and it connects perfectly.
    > I tried a dictionary attack on the mssql server with the "sa" account and
    > other user names I collected. Hydra from THC was the tool, but no success
    > on this attack.
    > Also tried tsgrinder for terminal services, but no success.
    >
    > Well, here come some questions:
    > - What other usernames should I try for sql and terminal services?
    >   I tried with "sa" for sql and "Administrator" for TS
    > - Anyone know how I could identify what version of sql server is
    >   running?
    > - What other services of this host can be exploited?
    >
    > Any comments, ideas, suggestions would be greatly appreciated.
    >
    > Hugo Vinicius Garcia Razera
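Editor's note: the thread's key defensive point is that the SQL Server "sa" login has no account lockout, so a dictionary attack over port 1433 is only visible to the server owner in the SQL Server errorlog. The script below is an added example (not written by any poster in this thread) that parses constructed errorlog-style failed-login lines and flags any client that exceeds a threshold of "sa" failures within a sliding time window; the log format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server errorlog style (not from the thread):
# five rapid 'sa' failures from one client, one isolated failure from another.
SAMPLE_LOG = """\
2005-06-09 04:06:01.10 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-09 04:06:01.30 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-09 04:06:01.55 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-09 04:06:02.00 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-09 04:06:02.40 Logon     Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-06-09 09:30:00.00 Logon     Login failed for user 'sa'. [CLIENT: 198.51.100.4]
"""

# Assumed line layout: timestamp, "Logon" source, message, "[CLIENT: ip]" suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Return a list of (timestamp, user, client) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bruteforce(events, user="sa", threshold=5, window=timedelta(minutes=1)):
    """Map client -> peak number of failures for `user` seen in any one window."""
    by_client = defaultdict(list)
    for ts, u, client in events:
        if u == user:
            by_client[client].append(ts)
    hits = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Advance the window start until every retained time fits in `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[client] = max(hits.get(client, 0), count)
    return hits
```

Because sa cannot lock out, alerting on this pattern (and restricting 1433 to known client addresses) is the practical control; feed the real errorlog into `parse_failures` instead of the sample string.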
