Fast-Track
Here’s the initial attack:
Microsoft SQL Attack Tools
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 2
Enter the IP Address and Port Number to Attack.
Options: (a)ttempt SQL Ping and Auto Quick Brute Force
(m)ass scan and dictionary brute
(s)ingle Target (Attack a Single Target with big dictionary)
(f)ind SQL Ports (SQL Ping)
(i) want a command prompt and know which system is vulnerable
(v)ulnerable system, I want to add a local admin on the box...
(e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
After we select the MSSQL Bruter option, Fast-Track presents us with a list of various attacks that can be conducted. Not all of these will work in every situation, or even serve the same purpose, so it is important to be sure that you understand what is happening for each option.
Fast-Track has several options:

•  Attempt SQL Ping and Auto Quick Brute Force attempts to scan a range of IP addresses using the same syntax as nmap and a built-in predefined dictionary list of about 50 passwords.
•  Mass scan and dictionary brute scans a range of IP addresses and allows you to specify a word list of your own. Fast-Track comes with a decent word list located at bin/dict/wordlist.txt.
•  Single Target allows you to brute force one specific IP address with a large word list.
•  Find SQL Ports (SQL Ping) only looks for SQL servers and will not attack them.
•  I want a command prompt . . . spawns a command prompt for you if you already know the sa password.
•  Vulnerable system . . . adds a new administrative user on a box that you know to be vulnerable.
•  Enable xp_cmdshell . . . re-enables xp_cmdshell, the stored procedure Fast-Track uses to execute underlying system commands. By default, it is disabled in SQL Server versions 2005 and later, but Fast-Track can automatically re-enable it. When attacking a remote system with any option, Fast-Track will automatically attempt to re-enable xp_cmdshell, just in case.
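Both halves of what the bruter does, the dictionary run against the sa login and the re-enabling of xp_cmdshell, leave traces in SQL Server's own ERRORLOG: each rejected login is written as error 18456 with the client address, and every sp_configure change is logged as "Configuration option '...' changed from 0 to 1". The following detector is an added example, not code from the book or from Fast-Track; it parses a constructed ERRORLOG excerpt (the layout approximates the real file and may differ between versions), flags a client that fails logins for one user repeatedly inside a short window, and reports any change to the xp_cmdshell option. The threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (approximates SQL Server's format; not real log data):
# six failed 'sa' logins from one client in under a second, one stray failure from
# another client, then the sp_configure messages logged when xp_cmdshell is turned on.
SAMPLE_ERRORLOG = """\
2023-05-01 10:15:22.43 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:22.43 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:15:22.51 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:22.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:15:22.60 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:22.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:15:22.72 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:22.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:15:22.85 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:22.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:15:23.01 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:15:23.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:16:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-01 10:16:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2023-05-01 10:17:40.02 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 10:17:40.09 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Second line of each 18456 pair: carries the login name and the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
# sp_configure audit line; the old/new digits tell whether an option was turned on or off.
CONFIG_CHANGED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<spid>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def _parse_ts(text):
    # %f accepts the two-digit fraction SQL Server writes.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def parse_errorlog(text):
    """Return event dicts for the ERRORLOG lines this detector cares about."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            events.append({"kind": "login_failed", "ts": _parse_ts(m["ts"]),
                           "user": m["user"], "client": m["client"]})
            continue
        m = CONFIG_CHANGED.match(line)
        if m:
            events.append({"kind": "config_changed", "ts": _parse_ts(m["ts"]),
                           "spid": m["spid"], "option": m["option"],
                           "old": m["old"], "new": m["new"]})
    return events


def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, user) pairs with at least `threshold` failures inside any `window`.
    Threshold and window are assumed tuning values, not SQL Server defaults."""
    by_source = defaultdict(list)
    for e in events:
        if e["kind"] == "login_failed":
            by_source[(e["client"], e["user"])].append(e["ts"])
    alerts = []
    for (client, user), stamps in by_source.items():
        stamps.sort()
        # Sliding window: compare each failure with the (threshold-1)th failure after it.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append({"client": client, "user": user,
                               "failures": len(stamps), "first": stamps[i]})
                break
    return alerts


def find_xp_cmdshell_changes(events):
    """Return every recorded change to xp_cmdshell; new == '1' means it was enabled."""
    return [e for e in events
            if e["kind"] == "config_changed" and e["option"] == "xp_cmdshell"]


def analyze(text):
    events = parse_errorlog(text)
    return {"password_guessing": find_password_guessing(events),
            "xp_cmdshell_changes": find_xp_cmdshell_changes(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_ERRORLOG)
    for a in report["password_guessing"]:
        print(f"password guessing: {a['failures']} failures for '{a['user']}' "
              f"from {a['client']} starting {a['first']}")
    for c in report["xp_cmdshell_changes"]:
        print(f"xp_cmdshell changed {c['old']} -> {c['new']} at {c['ts']} ({c['spid']})")
```

On a real server the same lines are available through the ERRORLOG file or xp_readerrorlog, and login failures can also be raised to the Windows event log through Server Audit. Note that the ERRORLOG records "Configuration option 'xp_cmdshell' changed" regardless of who ran sp_configure, so a change that nobody in operations scheduled is worth a look even when no brute-force burst precedes it.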