Fast-Track

Here’s the initial attack:

    Microsoft SQL Attack Tools

    Pick a list of the tools from below:

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    Enter your choice : 2

      Enter the IP Address and Port Number to Attack.

      Options: (a)ttempt SQL Ping and Auto Quick Brute Force
               (m)ass scan and dictionary brute
               (s)ingle Target (Attack a Single Target with big dictionary)
               (f)ind SQL Ports (SQL Ping)
               (i) want a command prompt and know which system is vulnerable
               (v)ulnerable system, I want to add a local admin on the box...
               (e)nable xp_cmdshell if its disabled (sql2k and sql2k5)

After we select the MSSQL Bruter option, Fast-Track presents us with a list of various attacks that can be conducted. Not all of these will work in every situation, or even serve the same purpose, so it is important to be sure that you understand what is happening for each option.

Fast-Track has several options:

• Attempt SQL Ping and Auto Quick Brute Force attempts to scan a range of IP addresses using the same syntax as nmap and a built-in predefined dictionary list of about 50 passwords.

• Mass scan and dictionary brute scans a range of IP addresses and allows you to specify a word list of your own. Fast-Track comes with a decent word list located at bin/dict/wordlist.txt.

• Single Target allows you to brute force one specific IP address with a large word list.

• Find SQL Ports (SQL Ping) only looks for SQL servers and will not attack them.

• I want a command prompt . . . spawns a command prompt for you if you already know the sa password.

• Vulnerable system . . . adds a new administrative user on a box that you know to be vulnerable.

• Enable xp_cmdshell . . . re-enables xp_cmdshell, a stored procedure that Fast-Track uses to execute underlying system commands. By default, it is disabled in SQL Server versions 2005 and later, but Fast-Track can automatically re-enable it. When attacking a remote system with any option, Fast-Track will automatically attempt to re-enable xp_cmdshell, just in case.
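A defender's counterpart to the options above, as an added example that is not part of the original text or of Fast-Track itself: a small Python detector run over constructed SQL Server ERRORLOG lines, flagging the burst of failed sa logins that the brute-force options produce, a successful sa login that follows such a burst, and xp_cmdshell being switched back on. The line formats follow SQL Server's usual ERRORLOG wording; the sample lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not a real capture): a burst of
# failed 'sa' logins from one client, then a success and xp_cmdshell being enabled.
SAMPLE_LOG = """\
2024-03-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:03.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2024-03-01 10:00:04.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:30:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
"""

LOGIN_RE = re.compile(r"^(?P<ts>\S+ \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login (?P<result>failed|succeeded) "
                      r"for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse_events(text):
    """Turn ERRORLOG lines into (ts, kind, user, client) tuples; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, "login_" + m["result"], m["user"], m["client"]))
        elif XP_RE.search(line):
            events.append((datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), "xp_cmdshell_enabled", None, None))
    return events

def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on >= threshold failed logins per (client, user) inside a sliding window,
    on a success from a (client, user) already flagged, and on xp_cmdshell being enabled."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, kind, user, client in sorted(events, key=lambda e: e[0]):
        key = (client, user)
        if kind == "login_failed":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(f"brute-force: {len(recent[key])} failed logins for '{user}' from {client} within {window.seconds}s")
        elif kind == "login_succeeded" and key in flagged:
            alerts.append(f"success after brute-force: '{user}' from {client} at {ts}")
        elif kind == "xp_cmdshell_enabled":
            alerts.append(f"xp_cmdshell enabled at {ts} (disabled by default on SQL Server 2005+)")
    return alerts
```

The single failure from 192.168.1.20 stays below the threshold and produces no alert, so the detector reports only the three events that together look like the tool's workflow.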