! WARNING - blatant plugs !

On Thu, Jun 13, 2002 at 02:49:02PM -0500, Blake Frantz wrote:
>
> Does the SQL server authenticate via trusted connections? Provided you
> can sniff/snarf for NTLM you should be able to get domain credentials
> when ever someone authenticates to the server (unless NTLMv2 auth is
> used, I don't think I've seen a tool for this, anyone?)

huggorm[1] works fine with both old-style NTLM and new SSP exchanges,
both on SMB/IP (tcp 445) and SMB/NB/IP (tcp 139) and will probably be
able to sniff NT challenge-responses if the MSSQLserver uses named pipe
transport.

> Have you tried to nbtdump/enum the other winboxen? Aside from names of
> share and users I've seen admins actually put passwords in the Comment
> field for user accounts that pertain to specific services. Seriously.
> If all else fails brute force accounts using nat
> http://www.cotse.com/tools/sw/nat10bin.zip.

Check out skravel and netu at http://olle.nxs.se/
I also recommend winfo at http://www.ntsecurity.nu/toolbox/winfo/

/olle, self-promoting bastard.

[1] http://olle.nxs.se/software/huggorm/
