SQL injection

From: Faisal Khan (faisal_at_netxs.com.pk)
Date: 06/09/05

Next message: Todd Towles: "RE: SQL injection"

Previous message: DUBRAWSKY, IDO (CALLISMA): "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
Next in thread: Todd Towles: "RE: SQL injection"
Maybe reply: Todd Towles: "RE: SQL injection"
Reply: Joel Esler: "Re: SQL injection"
Reply: ilaiy: "Re: SQL injection"
Reply: Christian Martorella: "Re: SQL injection"
Maybe reply: Davi Ottenheimer: "Re: SQL injection"
Maybe reply: Bénoni MARTIN: "RE: SQL injection"
Reply: Richard Barrell: "Re: SQL injection"
Reply: Aric Perminter: "RE: SQL injection"
Maybe reply: Ofer Shezaf: "RE: SQL injection"
Maybe reply: Todd Towles: "RE: SQL injection"
Maybe reply: Faisal Khan: "RE: SQL injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 09 Jun 2005 20:37:38 +0500
To: pen-test@securityfocus.com

Pardon the ignorance, but is there any hardware/software based device that
can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
able to prevent this?

At 08:29 PM 6/9/2005, you wrote:
>Another option you could try is to use ettercap to insert your
>laptop/pen-test system in as a Man-in-the-Middle between the SQL server
>and client systems and then capture the port 1433 traffic using
>tcpdump/ethereal/your favorite packet capturing program. This will
>definitely yield the 'sa' password (as well as others).
>
>If you're using Windows on your attack platform, consider using Cain &
>Abel as it can do the Man-in-the-Middle/SQL password capture all in one.
>
>Ido
>--
>Ido Dubrawsky, CISSP
>Senior Security Consultant
>SBC/Callisma
>(571) 633-9500 (Office)
>(202) 213-9029 (Mobile)
>
>
> > -----Original Message-----
> > From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
> > Sent: Thursday, June 09, 2005 4:06 AM
> > To: Hugo Vinicius Garcia Razera; pen-test@securityfocus.com
> > Cc: Erik Pace Birkholz
> > Subject: RE: pen-test on a windows 2003 server box whit
> > MS-SQL and Terminal Services
> >
> >
> > Hugo,
> >
> > Based on the limited info you have provided, here is my advice.
> >
> > Have you done UDP port scans? If you haven't done so, scan to
> > determine
> > what UDP ports are open. Depending on what you find this could be
> > helpful. For example, if SNMP is available with a default or guessable
> > community name it will provide usernames among other goodies.
> >
> > Re: obtaining the SQL version; since the OS is Win3k the SQL
> > server will
> > likely be SQL 2000 with SP3 or later. If you really want to
> > find out try
> > SQLVer (www.sqlsecurity.com) as Chip already mentioned and
> > try SQLRecon
> > (www.SpecialOpsSecurity.com -click on LABS).
> >
> > With that said don't give up on the SQL "SA" brute force
> > attacks. There
> > is no account lock out for SA so rock and roll. SQLDict.exe
> > works pretty
> > well if you have a big dictionary file. Another option is ForceSQL.exe
> > because it brute forces an account (sa) based on a user specified
> > character set (charset.txt) up to a user specified max
> > password length.
> >
> > You also mentioned DNS: 53. Not sure if you are referring to
> > UDP or TCP?
> > If it is TCP then you should try a zone transfer.
> >
> > Also don't forget full (1-65535) TCP port scans and source port scans
> > (SRC=20,53,88,80,etc...)
> >
> > Finally use tracerouting, hping2, tcpdump, etc to determine if the
> > blocking ACLs are on the host or a network device. Something is
> > facilitating the firewalling that is hiding juicy MS specific
> > ports like
> > TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
> > firewall, perimeter router or what? Once you know this it will help
> > direct your attempts to subvert that protection and get
> > exposure to more
> > ports on the target.
> >
> > Let us know how it goes!
> >
> > Good luck,
> >
> > Erik Pace Birkholz
> > www.SpecialOpsSecurity.com
> >
> >
> >
> > -----Original Message-----
> > From: Hugo Vinicius Garcia Razera [mailto:hviniciusg@gmail.com]
> > Sent: Tuesday, June 07, 2005 4:01 PM
> > To: pen-test@securityfocus.com
> > Subject: pen-test on a windows 2003 server box whit MS-SQL
> > and Terminal
> > Services
> >
> > Hi every one, I'm doing a pen test on a client, and have found that he
> > have a windows 2003 server box on one segment of his public addresses
> > this is his dns/web/mail server:
> >
> > - mssql :1433
> > - terminal services :3389
> > - iis 6 :80
> > - smtp :25
> > - pop3 :110
> > - dns : 53
> > - ftp : filtered
> >
> > ports opened, i logged on the terminal services port whit the winxp
> > remote desktop utility and it connects perfectly.
> >
> > i tried a dictionari atack on mssql server whit the "sa" account and
> > others user names i collected.
> > Hydra from THC was the tool, but no succes on this atack.
> > also tried the tsgrinder for terminal services , but no success.
> >
> >
> > well here come some questions:
> >
> > - What others Usernames should i try for sql and terminal services?
> > i tried whit "sa" for sql and "Administrator" for TS
> >
> > - Any one knows how could i identify what version of sql server is
> > running.
> > - What other services of this host can be exploited?
> >
> > any comments, ideas, suggestions would be greatly appreciated.
> >
> > Hugo Vinicius Garcia Razera
> >

Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal@netxs.com.pk
Web: <http://www.netxs.com.pk/>www.netxs.com.pk

Next message: Todd Towles: "RE: SQL injection"

Previous message: DUBRAWSKY, IDO (CALLISMA): "RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services"
Next in thread: Todd Towles: "RE: SQL injection"
Maybe reply: Todd Towles: "RE: SQL injection"
Reply: Joel Esler: "Re: SQL injection"
Reply: ilaiy: "Re: SQL injection"
Reply: Christian Martorella: "Re: SQL injection"
Maybe reply: Davi Ottenheimer: "Re: SQL injection"
Maybe reply: Bénoni MARTIN: "RE: SQL injection"
Reply: Richard Barrell: "Re: SQL injection"
Reply: Aric Perminter: "RE: SQL injection"
Maybe reply: Ofer Shezaf: "RE: SQL injection"
Maybe reply: Todd Towles: "RE: SQL injection"
Maybe reply: Faisal Khan: "RE: SQL injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: What UDP port to open to enable w2k server to surf the web using domain names
... You need to set the DNS send port in the registry. ... What UDP port to open to enable w2k server to surf the web ... not-filtering UDP ports isn't much of a problem. ... I have a w2k web server and have TCP/IP filtering enabled. ...
(Focus-Microsoft)
Re: SQL injection
... All relational databases are susceptible to SQL injection attacks. ... >> Have you done UDP port scans? ... >> what UDP ports are open. ...
(Pen-Test)
SUMMARY: UDP Port Utilization
... consensus solution was to utilize the lsof utility which can be ... to determine what processes are consuming ports. ... It was also suggested that I utilize the rpcinfo -p command which would ... By issuing a netstat -na command, we typically see a range of udp port ...
(Tru64-UNIX-Managers)
Re: How did it get through?
... > UDP Port 137 - NetBios DataGram Services ... > These are common ports and services that are made available with the MS ... > The protection of the machine is a process and is not a given! ...
(comp.security.firewalls)
Firewalling
... Subject: Firewalling ... Ok, I've been fooling around with stateful firewalls, and when I portscan ... I'm not sure if I'm generating false ... FIN packet scan tells me that ALL my ports are open. ...
(Focus-Linux)