Re: SQL injection

From: Joel Esler (eslerj_at_gmail.com)
Date: Thu, 9 Jun 2005 11:57:52 -0400
To: Faisal Khan <faisal@netxs.com.pk>

  • Next message: ilaiy: "Re: SQL injection"

    Could... if the IDS had a signature to do so, and it was in-line.
    Theoretically it's possible.

    On 6/9/05, Faisal Khan <faisal@netxs.com.pk> wrote:
    >
    >
    > Pardon the ignorance, but is there any hardware/software based device that
    > can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
    > able to prevent this?
    >
    > At 08:29 PM 6/9/2005, you wrote:
    > >Another option you could try is to use ettercap to insert your
    > >laptop/pen-test system in as a Man-in-the-Middle between the SQL server
    > >and client systems and then capture the port 1433 traffic using
    > >tcpdump/ethereal/your favorite packet capturing program. This will
    > >definitely yield the 'sa' password (as well as others).
    > >
    > >If you're using Windows on your attack platform, consider using Cain &
    > >Abel as it can do the Man-in-the-Middle/SQL password capture all in one.
    > >
    > >Ido
    > >--
    > >Ido Dubrawsky, CISSP
    > >Senior Security Consultant
    > >SBC/Callisma
    > >(571) 633-9500 (Office)
    > >(202) 213-9029 (Mobile)
    > >
    > >
    > > > -----Original Message-----
    > > > From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
    > > > Sent: Thursday, June 09, 2005 4:06 AM
    > > > To: Hugo Vinicius Garcia Razera; pen-test@securityfocus.com
    > > > Cc: Erik Pace Birkholz
    > > > Subject: RE: pen-test on a windows 2003 server box with
    > > > MS-SQL and Terminal Services
    > > >
    > > >
    > > > Hugo,
    > > >
    > > > Based on the limited info you have provided, here is my advice.
    > > >
    > > > Have you done UDP port scans? If you haven't done so, scan to determine
    > > > what UDP ports are open. Depending on what you find this could be
    > > > helpful. For example, if SNMP is available with a default or guessable
    > > > community name it will provide usernames among other goodies.
    > > >
    > > > Re: obtaining the SQL version; since the OS is Win3k the SQL server will
    > > > likely be SQL 2000 with SP3 or later. If you really want to find out try
    > > > SQLVer (www.sqlsecurity.com) as Chip already mentioned and try SQLRecon
    > > > (www.SpecialOpsSecurity.com -click on LABS).
    > > >
    > > > With that said don't give up on the SQL "SA" brute force attacks. There
    > > > is no account lock out for SA so rock and roll. SQLDict.exe works pretty
    > > > well if you have a big dictionary file. Another option is ForceSQL.exe
    > > > because it brute forces an account (sa) based on a user-specified
    > > > character set (charset.txt) up to a user-specified max password length.
    > > >
    > > > You also mentioned DNS: 53. Not sure if you are referring to UDP or TCP?
    > > > If it is TCP then you should try a zone transfer.
    > > >
    > > > Also don't forget full (1-65535) TCP port scans and source port scans
    > > > (SRC=20,53,88,80,etc...)
    > > >
    > > > Finally use tracerouting, hping2, tcpdump, etc. to determine if the
    > > > blocking ACLs are on the host or a network device. Something is
    > > > facilitating the firewalling that is hiding juicy MS-specific ports like
    > > > TCP 135 and 445. Is it ICF, IPSec, a personal firewall, network
    > > > firewall, perimeter router or what? Once you know this it will help
    > > > direct your attempts to subvert that protection and get exposure to more
    > > > ports on the target.
    > > >
    > > > Let us know how it goes!
    > > >
    > > > Good luck,
    > > >
    > > > Erik Pace Birkholz
    > > > www.SpecialOpsSecurity.com
    > > >
    > > >
    > > >
    > > > -----Original Message-----
    > > > From: Hugo Vinicius Garcia Razera [mailto:hviniciusg@gmail.com]
    > > > Sent: Tuesday, June 07, 2005 4:01 PM
    > > > To: pen-test@securityfocus.com
    > > > Subject: pen-test on a windows 2003 server box with MS-SQL
    > > > and Terminal Services
    > > >
    > > > Hi everyone, I'm doing a pen test on a client, and have found that he
    > > > has a Windows 2003 Server box on one segment of his public addresses;
    > > > this is his dns/web/mail server:
    > > >
    > > > - mssql :1433
    > > > - terminal services :3389
    > > > - iis 6 :80
    > > > - smtp :25
    > > > - pop3 :110
    > > > - dns : 53
    > > > - ftp : filtered
    > > >
    > > > ports open. I logged on to the terminal services port with the WinXP
    > > > remote desktop utility and it connects perfectly.
    > > >
    > > > I tried a dictionary attack on the MSSQL server with the "sa" account and
    > > > other user names I collected.
    > > > Hydra from THC was the tool, but no success on this attack.
    > > > I also tried tsgrinder for terminal services, but no success.
    > > >
    > > >
    > > > Well, here come some questions:
    > > >
    > > > - What other usernames should I try for SQL and terminal services?
    > > > I tried with "sa" for SQL and "Administrator" for TS
    > > >
    > > > - Does anyone know how I could identify what version of SQL Server is
    > > > running?
    > > > - What other services on this host can be exploited?
    > > >
    > > > Any comments, ideas, suggestions would be greatly appreciated.
    > > >
    > > > Hugo Vinicius Garcia Razera
    > > >
    >
    > Faisal Khan
    > CEO
    > Net Access Communication
    > Systems (Private) Limited
    > _____________________________
    > 1107 Park Avenue, 24-A, Block 6,
    > PECHS, Main Shahrah-e-Faisal,
    > Karachi 74500 (Pakistan)
    > Board: +92 (21) 111 222 377
    > Direct: +92 (21) 454-346
    > Fax: +92 (21) 454-4347
    > Cell: +92 (333) 216-1291
    > Email: faisal@netxs.com.pk
    > Web: <http://www.netxs.com.pk/>www.netxs.com.pk
    >

    -- 
    Joel Esler
    BASE Project Lead
    http://sourceforge.net/projects/secureideas
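Joel's "theoretically it's possible" deserves a concrete illustration. The Python below is an added example, not code from this thread or from the BASE/Snort projects: it runs two content signatures of the kind an inline IDS rule would carry (the patterns are assumed, not any vendor's rule set) over constructed query strings, once against the raw wire bytes and once after URL-decoding and comment stripping, and then feeds the same values into a concatenated query and a parameterized one. sqlite3 stands in for the MS-SQL server in the thread so the whole thing runs offline; the `users` table and its rows are made up.

```python
"""Added example: inline signature matching vs. parameterized queries.

Not code from the thread. Uses sqlite3 in place of MS-SQL so it runs
offline; every request string below is constructed, not captured traffic.
"""
import re
import sqlite3
import urllib.parse

# Constructed HTTP query strings a web app might receive as ?id=...
SAMPLE_REQUESTS = [
    "id=42",                                                  # benign
    "id=1' OR '1'='1",                                        # classic tautology
    "id=1' UNION SELECT pass FROM users--",                   # data extraction
    "id=1%27%20OR%20%271%27%3D%271",                          # same tautology, URL-encoded
    "id=1'/**/UNION/**/SELECT/**/pass/**/FROM/**/users--",    # comments used as whitespace
]

# Two content signatures of the kind an inline IDS rule might carry
# (assumed for this example, not taken from any real rule set).
SIGNATURES = [
    re.compile(r"'\s+OR\s+'", re.IGNORECASE),
    re.compile(r"UNION\s+SELECT", re.IGNORECASE),
]


def signature_match(raw_query: str) -> bool:
    """Apply the signatures to the bytes exactly as they appear on the wire."""
    return any(sig.search(raw_query) for sig in SIGNATURES)


def normalize(raw_query: str) -> str:
    """URL-decode and turn /* */ comments into whitespace, as an IDS preprocessor would."""
    decoded = urllib.parse.unquote(raw_query)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def signature_match_normalized(raw_query: str) -> bool:
    """Same signatures, applied after normalization."""
    return any(sig.search(normalize(raw_query)) for sig in SIGNATURES)


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {request: (raw_hit, normalized_hit)} for each sample request."""
    return {r: (signature_match(r), signature_match_normalized(r)) for r in requests}


def value_of_id(raw_query: str) -> str:
    """Extract the decoded id= value the way a web framework hands it to the app."""
    return urllib.parse.parse_qs(raw_query, keep_blank_values=True)["id"][0]


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's user table (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (42, "bob", "hunter2")])
    return conn


def lookup_concat(conn, user_input: str):
    """Vulnerable: the request value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE id = '{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_input: str):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    for req, (raw, norm) in evaluate().items():
        print(f"raw={raw!s:5} normalized={norm!s:5} {req}")
    conn = setup_db()
    for req in SAMPLE_REQUESTS:
        v = value_of_id(req)
        print(f"{req}\n  concat -> {lookup_concat(conn, v)}\n  param  -> {lookup_param(conn, v)}")
```

The raw-bytes pass misses the URL-encoded and comment-padded variants, the normalized pass catches them, and a further encoding the preprocessor does not undo would slip past both; the parameterized query returns nothing for every payload without any signature at all. That is the gap between "detect" and "outright prevent" in Faisal's question.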
    