Pentesting MS SQL Server with SQLat, and Cain.

Ok, by now you probably now how much I enjoy hacking, ehm, ehm…sorry!, pentesting. Well for this tutorial I will be pentesting MS SQL Server with SQLat, Freetds, and Cain. Database store and provide access to information and information is power. Sensitive data such as bank account numbers, credit reports, and lots of other important information can be obtained from an insecure database, in this tutorial I will try to explain basic technology about MSSQL, like default install as well as demonstrate tools and techniques that can be use to exploit MSSQL server.

Important facts about MS SQL Server:
1- Ms SQL server users
SQL server creates the sa account, the system administrator of the SQL server instance and database owner(DBO) of all the databases on the SQL Server. The sa account is a login account that is mapped to the sysadmin role for the SQL server system. It is also the DBO for all the databases. This account by default is granted all privileges and permissions on the database and it can execute commands as SYSTEM on the server.
You can configure SQL server user authentication to use Windows credentials only or in combination with named SQL server login IDs and passwords, which is known as mixed mode authentication. Once the user is created this user can authenticate to the database and begin to operate within the bounds of his permissions and roles

2- Stored Procedures.
Stored Procedures are pieces of code written in Transact_SQL(T-SQL) that are compiled upon use. An example of a useful stored procedure is the sp_addlogin, which is used to create a new user. Extended Stored Procedures are similar to stored procedures except the contain dynamic link librareies(DLLs). Extended stored procedures run in the SQL server process space and are meant to extend the functionality of the database. One extended stored procedure useful to pentesters is the xp_cmdshell which allows the user to execute commands in a shell on the windows operating system. As you can see stores procedures also can create significant vulnerabilities in a database.

3- Communication.
After Database is installed user must be able to connect to the application to use it. TCP and UDP ports are associated with each database application, ports can be changed but for this tutorial I’m going to assume the defaults. By default SQL server uses port 1433 for connections to the database. As mentioned earlier this port can be changed but often it is not…also UDP port 1434 is the SQL server listener service that lets clients to browse the associated database instances installed on the server.

The Tools in action:
SQLat:
SQL auditing tools(SQLat) is a toolkit created by Patrik Karlsson for Microsoft SQL server penetration test. SQLat contains various tools to perform dictionary attacks and analysis; upload files, read the windows registry and dump the security account manager(SAM) database using pwdump. it also can be use to restore the xp_cmdshell extended stored procedure, if it has been removed and the DLL is still present on the system.
here are some of the utilities that come with SQLat and I will be using in this tutorial.

SQLat tools and utilities:

sqldict performs dictionary attacks against SQL server
sqlanlz creates a http report containing an analysis of the databases
sqlquery interactive command line SQL query tool

Once you have the target in sight, you can begin by using sqldict which will perform a dictionary attack against the victim, you have to provide the lists of users and passwords files. You can see in the next figure.

Once you have privilege access to the SQL server, you should proceed to obtain and crack the passwords hashes, this newly obtained accounts could give you access to other machines on the network as administrators often use same passwords in more than one machine, and the use of imaging software like Ghost replicate exacts copies of the entire machine along with the administrator passwords. MS SQL server 2000 stores its passwords in the master database, passwords hashes are generated using the psdencrypt() function in the form of Salted Secure Hash algorithm in the sysxlogins table.
You can retrieve username, and hashes from MS SQL servers database using the following T-SQL statement.
SELECT name, password FROM master..sysxlogins
Next we query the SQL server database for username and password stored in the sysxlogins table as shown in the next figure.

You can also retrieve username and password information from MS SQL 2005 using one of the following T-SQL statement.

SELECT name, password FROM sys.sql_logins

SELECT name, cast (password as varbinary(256)) FROM sys.syslogins

Next we dump the username and hashes into cain, for that we launch cain and go to the cracker tab and click MS SQL Hashes, and select the plus sing at the top, to insert the hashes. Before actually inserting the hashes into cain we have to break it into acceptable format.

The next figure shows the hashes already imported into cain…

Once the hashes have been imported you can right click and select either dictionary or brute force attack…

Obtaining access to the host operating System.

Now that we’ve obtained sysadmin privileges to the MSSQL server, we will try to get access to the local operating system using xp_cmdshell extended stored procedure. The xp_cmdshell is stored in the master database and allows you to issue commands directly to the operating system using T-SQL queries. Sometimes administrators will disable this extended stored procedure, in MSSQL 2000, and in MSSQL 2005 is disabled by default; you can use the following SQL queries to enable it back.

sp_addextededproc ‘xp_cmdshell’,’xp_log70.dll’

EXEC master..sp_configure ‘show advance options’, 1

RECONFIGURE WITH OVERRIDE

EXEC master..sp_configure ‘xp_cmdshell’, 1

RECONFIGURE WITH OVERRIDE

EXEC master..sp_configure ‘show advance options’, 0

Next we use the xp_cmdshell extended stored procedure to with SQLat’s sqlquery to create a user “hack” with password “password”…

Adding the newly created user to the administrators localgroup…

Next we will try to dump the hashes for the local administrator account for that we fire up tftpd on the local machine to transfer pwdump to our target machine user the xp_cmdshell E-stored procedure.

Once we’ve download pwdump to the target machine we dump the hashes, and later crack them using john or cain….

Once you have cracked the hashes make sure to use them throughout the target’s environment Windows as well as MSSQL server

Share This!

2 thoughts on “Pentesting MS SQL Server with SQLat, and Cain.

  1. Security Guy

    I hope you changed the password since you posted the password hashes (especially the local administrator)

Leave a Reply

Your email address will not be published.