📄 sqllecture.html
字号:
<BR><SpiderMan> UnHaFox: uh...depends on what it is
<BR><UnHaFox> can i ask?
<BR><AZTEK> well d4jinx isn't here for perl :(
<BR><Mikkkeee> well reptile said he was late but shit lets do my section
and then do one or two of his lectures
<BR><UnHaFox> its not a stupid one
<BR><reptile> juz ask UnHaFox
<BR><pixel_chomp> did anyone log this ?
<BR><Mikkkeee> i got the log
<BR><freakOVER[away]> i did
<BR><freakOVER[away]> i got the logs
<BR><freakOVER[away]> i'll send'em to u
<BR><freakOVER[away]> :P
<BR><_ciR_> k
<BR><AZTEK> this will be one huge ass log
<BR><Mikkkeee> okay i'll cut up the log
<BR><AZTEK> and i will probably end up converting it
<BR><Mikkkeee> shit 3 lectures
<BR><Mikkkeee> lol
<BR><SpiderMan> hahah
<BR><freakOVER[away]> yea
<BR><SpiderMan> there is so much more to cover
<BR><freakOVER[away]> we'll have to divide it
<BR><Mikkkeee> i'll spend the weekend doing that
<BR><freakOVER[away]> :P
<BR>*** AZTEK sets mode: +m
<BR><Mikkkeee> lol
<BR><AZTEK> yea spidys right
<BR><SpiderMan> UnHaFox never got to ask his question
<BR>*** SpiderMan sets mode: -m
<BR><AZTEK> we barely scratched the surface
<BR><SpiderMan> ask quickly
<BR><UnHaFox> ok, how can i change the version reply of mirc? successfully
changed one of the version replies, but not the first one..... (where it
say micr 5.81) or soemthing like that?
<BR><UnHaFox> thx
<BR><SpiderMan> heh with my I just hex it
<BR><reptile> UnHaFox:wait for the mirc scriptin lecture
<BR><reptile> :)
<BR><mezzano> off topic! ;)
<BR><Mikkkeee> what version reply? read the irc war tutorial
<BR><UnHaFox> ok
<BR><UnHaFox> sorry
<BR><Mikkkeee> i covered that section
<BR><Mikkkeee> okay let me do my section then reptile can do his lecture
<BR><reptile> *maybe* ill cover hexing the mirc client
<BR><Mikkkeee> which are you doing reptile?
<BR><SpiderMan> heh
<BR><Mikkkeee> heh
<BR><SpiderMan> guys for more info on php+sql go to www.php.net
<BR><SpiderMan> and look at their docs
<BR><UnHaFox> ok only use a hex editor, and find this entry, ok thx
guys
<BR><Mikkkeee> lol
<BR><reptile> Mikkkeee:vb,vb advanced,vb super advanced,api and shit,mirc
scriptin,*maybe* haxoring the mirc ckuebt
<BR><SpiderMan> UnHaFox: for an example version me
<BR><Mikkkeee> okay lets do the cracking sql section
<BR><freakOVER[away]> lol
<BR><reptile> *client
<BR>*** Mikkkeee sets mode: +m
<BR>*** Mikkkeee sets mode: +v reptile
<BR><Mikkkeee> okay iam going to talk a bit about breaking into ms sql
servers for versions 6.5 and 7.0
<BR><reptile> tankies
<BR><Mikkkeee> via tcp/ip on port 1433.
<BR><Mikkkeee> many ms sql servers run on port 1433,
<BR><Mikkkeee> if they are not configured to run on another tcp
port. Many scanners can
<BR><Mikkkeee> tell you the running sevice on the open port
<BR><Mikkkeee> and what service is running
<BR><Mikkkeee> ie- Retina from eEye and whatever you use.
<BR><Mikkkeee> so now
<BR><Mikkkeee> lets begin with the brute force attack
<BR><Mikkkeee> - many or most databases have some default and well known
passwords.
<BR><Mikkkeee> usually the system admin accounts can not be changed
in many of the commercial databases,
<BR><Mikkkeee> so thats a good thing for us. "sys" for ORACLE and "sa"
for SQL server cannot be changed.
<BR>*** Azido has quit IRC (Ping timeout: 180 seconds)
<BR><Mikkkeee> There is no password lockout that is avaiable for sql
server.
<BR><Mikkkeee> one fault that is quite amusing is that sql sever doesn't
not require a strong password.
<BR><Mikkkeee> While we know this for a fact its is very trivial and
at the same time eazy to use brute force attacks against the database
<BR><Mikkkeee> server with nothing standing in our way that can prevent
us from trying to break it to the highest lvl.
<BR><Mikkkeee> -okay let me name one good brute forcer.
<BR><Mikkkeee> goto packetstorm and search for sqlbf
<BR><Mikkkeee> if there are any better ones then try those.
<BR><Mikkkeee> Lets say you have cracked into the database, well once
your in the game begins.
<BR><Mikkkeee> lets start with system compromise by using extended procedure,
for v6.5
<BR><Mikkkeee> Many systems have very powerful feature
<BR><Mikkkeee> s
<BR><Mikkkeee> convieniet to DATABASES
<BR><Mikkkeee> but are going to be our backdoors into the database server
host.
<BR><Mikkkeee> =usually many databases because of lazy admins have no
password,
<BR><Mikkkeee> this case the "sa" account, usually the admin is a lazy
bum and has not put a password.
<BR>*** pixel_chomp has quit IRC (Quit: type /quit newbie status to become
an op)
<BR><Mikkkeee> -so now anyway once we get the password our aim moves
to takeing over the os, which usually is an nt box.
<BR><AZTEK> hi-ho hi-ho its off to code i go
<BR>*** AZTEK is now known as AZTEK[coding]
<BR><Mikkkeee> hehe
<BR><Mikkkeee> -by logging in as "sa" the attacker has the use of the
extended stored procedure which is "xp_cmdshell",
<BR><Mikkkeee> this will allows an sql server user or attacker to run
an dos cammand as if he is that person running the cammand at the console.
<BR><Mikkkeee> one thing the attacker can do
<BR><Mikkkeee> is add a user into windows nt account
<BR><Mikkkeee> and then can do it to the admin group.
<BR>*** Artist has joined #bsrf
<BR><Mikkkeee> to do this
<BR><Mikkkeee> they would type
<BR><Mikkkeee> :
<BR><Mikkkeee> Xp_cmdshell'net user hacker 678re0 /ADD'
<BR><Mikkkeee> now the attacker
<BR>*** Shadow_Stalker has quit IRC (Quit: May the force be with you :-))
<BR><Mikkkeee> just added a user hacker with the password 678re0
<BR><Mikkkeee> hehe nice password.
<BR><reptile> how cool
<BR><reptile> wouldnt this be cracking?
<BR><Mikkkeee> now lets add it to the administrators group.
<BR><Mikkkeee> there in
<BR><Mikkkeee> already they are backdooring the box
<BR><Mikkkeee> they would type:
<BR><Mikkkeee> Xp_cmdshell 'net localgroup /ADD Administrators hacker;
<BR><Mikkkeee> haha now hacker has become an NT administrator,
<BR><Mikkkeee> the reason this has worked is because the commnads are
being sumbitted to the os using the nt account under which the sql server
is being run,
<BR><Mikkkeee> this is local system account
<BR><Mikkkeee> which is the most powerful local account on the nt box.
<BR><Mikkkeee> -Another very good attack is to compromise the nt box
by reading the sam._ file
<BR><Mikkkeee> under the winnt/repair/sam._ and
<BR><Mikkkeee> cracking the hashed password using the cracking tool
<BR><Mikkkeee> l0phtCrack
<BR><Mikkkeee> that tool is a work of art
<BR><Mikkkeee> Lets do this then,
<BR><Mikkkeee> we will need to use the exteded stored procedurer,
<BR><Mikkkeee> xp_regread which is from the registry.
<BR><Mikkkeee> so what are we waiting for lets get that little sam file.
<BR><Mikkkeee> xp_regread'HKEY_LOCAL_MACHINE;,'SECURITY\SAM\DOMAINS\ACCOUNT'.'F
<BR><Mikkkeee> we were going to read the passord out of the registry
<BR><Mikkkeee> so now if your a lazy attacker
<BR><Mikkkeee> you might want to use a canned tool, ahh let me name
a good one, goto
<BR><Mikkkeee> packetstrom and d/l SQLPOKE.
<BR><Mikkkeee> now lets talk about other procedures
<BR><Mikkkeee> -attacking the database/ gaining the password local compromise.
<BR><Mikkkeee> well the sa password is stored in clear text
<BR><Mikkkeee> so if you got local access goto
<BR><Mikkkeee> HKEY_CURRENT_USER\SOFTWARE\MICROSHIT\ oops
<BR><Mikkkeee> lol
<BR><Mikkkeee> HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\MSSQLServe\SQLEW\REGISTERED
SERVER\SQL 6.5
<BR><reptile> mikkkeee is there a way to determine if a server is runnin
SQL?
<BR>*** elite has quit IRC (Quit: )
<BR><Mikkkeee> above i talked about the scanner from eEye
<BR><reptile> retina?
<BR><Mikkkeee> yup
<BR><reptile> that costs $30k dude
<BR>*** Lone[Star] has joined #bsrf
<BR><reptile> ;(
<BR><Mikkkeee> haha pay
<BR><Mikkkeee> lol
<BR><Mikkkeee> the VER might be different well thats the path and the
password is stored as clear txt so you shouldn't have a hard time to obtain
it.
<BR><Mikkkeee> - another attack if the system is not secured usually
its not.
<BR><Mikkkeee> one method is to scan the host for smb ports (tcp 139,
udp, 137 and 138)
<BR><Mikkkeee> nt uses them for smb ports to communicate.
<BR><reptile> tankies
<BR><Mikkkeee> these should be closed by a firewall but you can belucky.
<BR><reptile> im off to writing a simple scanner for this
<BR><Mikkkeee> to attack the nt box using this attack you can chk out
rhino9
<BR><reptile> ;)
<BR><Mikkkeee> tutorial called "THE WINDOWS NT WARDOC, A STUDY IN REMOTE
PENETRATION"/
<BR>*** d3molisher has joined #bsrf
<BR><Mikkkeee> i belive we got an nt tutorial at the tuts page in blacksun
<BR><Mikkkeee> -well now you know that both usernames/passwords and
<BR><reptile> Another good hole in very bad nt machines is the front
page vti thing
<BR><Mikkkeee> data is usually sent unencrypted so that means you guessed
it can be sniffeed.
<BR>*** Devil_Panther has quit IRC (Quit: LOL = Lamers On-Line (®©,
and all the other lame legal shit))
<BR><Mikkkeee> nice /quit msg
<BR><Mikkkeee> yah the chances are slim
<BR><Mikkkeee> like finding phf vul pages
<BR><Mikkkeee> but you never know
<BR><Mikkkeee> Another method is keyloggers,
<BR><Mikkkeee> god blessssss the loggers
<BR><angel> hi Mikkkeee:)))
<BR><Mikkkeee> get a good one from www.keyloggers.com
<BR><Mikkkeee> hey angel
<BR><angel> whats up?
<BR><Mikkkeee> the best one against nt is called i think stealth keyloger
its the best well the sharewares ones kick ass. get those.
<BR><Mikkkeee> usually the shareware ones are called legit loggers so
i don't think AV scanners pick up those
<BR><Mikkkeee> but they might
<BR><Mikkkeee> .
<BR>*** BaGeL has quit IRC (Quit: Twenty-two points, plus triple word score,
plus 50 points for using all my letters. Game's over, I'm outta here. -Kwyjibo)
<BR><Mikkkeee> now let me talk a little about securing and we can goto
the other lecture
<BR><Mikkkeee> well one thing you can do to protect your self if your
running a dbs is to \:
<BR><Mikkkeee> 1-click the encyption option,
<BR><Mikkkeee> that isn't done by default so you got to do that in order
to encytp it so that could make snifferes useless,
<BR><Mikkkeee> 2- make sure your got a good firewall setup this is good
for the smb ports and against the portscanners.
<BR><Mikkkeee> 3-multi protocol
<BR><Mikkkeee> will let you use random tcp ports by default or you can
use fixed ports to ease firewall rulz.
<BR>*** _acid519- has quit IRC (Ping timeout: 180 seconds)
<BR><Mikkkeee> 4-if you can try to use muti protocol and enable encryption
<BR><Mikkkeee> if not then try to use ip sockest,
<BR><Mikkkeee> change the default ports and install some good firewall.
<BR>*** Artist has quit IRC (Quit: Leaving)
<BR><SpiderMan> Checkpoint Firewall-1 is a good choice
<BR><Mikkkeee> 5-Use a COM component or a webserver,
<BR><Mikkkeee> as the business obj layer.
<BR><Mikkkeee> okay done
<BR><Mikkkeee> any questions
<BR>*** Mikkkeee sets mode: -m
<BR><suspect> *clap *clap *clap *clap *clap *clap *clap *clap
<BR><S7> nope
<BR><Mikkkeee> if none reptile which are you going to do next?
<BR><freakOVER[away]> VB!
<BR><freakOVER[away]> :)
<BR>*** freakOVER[away] is now known as freakOVER
<BR><SySt3mShk> bv
<BR><SySt3mShk> vb
<BR><reptile> w00t
<BR><SpiderMan> aw, AZTEK and I didn't get a nice thing like that
<BR><TCL> nooooo! not VB!
<BR><reptile> now
<BR><freakOVER> :)
<BR><reptile> what do u ppl wanna start with vb/mirc scripting?
<BR><Mikkkeee> so if no questions this is the end of the sql lecture
<BR><reptile> *clap *clap *clap *clap *clap *clap *clap *clap
<BR><Mikkkeee> --------------------END OF LECTURE----------------
</BODY>
</HTML>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -