User List problems > Discussions

July 30, 2010 Login |

Home
FAQs
       SQL Server FAQ
       SQL Injection FAQ
       SQL Security Checklist
       SQL Server-Related Products
       SQL Server/MSDE-Based Applications
       SQL Server Version Database
Tools
       Lockdown Script
       Free Tools
       Free Analysis
       Group Policy Templates
       Commercial Tools
Community
       Discussions
       Links
About
Search

SQL Security Forums

Note: SQLSecurity.com does not allow nor require registration due to privacy concerns for users. SQLSecurity.com is open and anonymous for all. Please report any abuse or profanity.

Unanswered

Active Topics

Forums

Forums > Discussions > SQL Server Security

Subject: User List problems

Prev Next

Add Reply

Author

Messages

SQLPing2 (guest)

03/09/2006 6:56 AM	Quote Reply Alert
Hi all, This is my first post to this site, but great work for all of the tools you make available! I am currently having a problem using SQLPing2 to perform a wordlist attack against the usernames for a SQL 2000 box. I know the IP, so I enter that in the range. I know the usernames on the SQL server, so I have created a text file with the following syntax: username1 username2 username2 And I have a dictionary file, in which I know that the password exist (this is for testing purposes). The problem I have is that SQLPing2 only seems to dictionary attack the first username in the user list! It then correctly displays the password, but it does not seem to continue to the subsequent usernames. It does say the following: 00:00:00 Scanning Initiated 00:00:00 Loading UserList 00:00:00 Loaded 6 users 00:00:00 Loading PassList 00:00:00 Loaded 1687 passwords 00:00:00 Scanning host : 192.168.1.200 192.168.001.200 VWIN2K No 8.00.194 1433 00:00:00 Server: 192.168.1.200 Port:1433 UserName:username1 Password:mountain 00:00:01 Scan Complete ** Can anyone help me here?

Chip Andrews
Posts:10

03/09/2006 10:25 AM	Quote Reply Alert
You are quite right - that's a bug. I'm very surprised no one reported it before now! I've fixed it and reposted SQLPing2 version 2.6. That should resolve the issue. Please let me know one way or the other.

Chip Andrews (guest)

03/09/2006 10:36 AM	Quote Reply Alert
PS- Be sure to remove the old version before installing this one

Chip Andrews (guest)

03/09/2006 1:30 PM	Quote Reply Alert
FYI - It was actually going through the other names but it would STOP if it found a matching username and password. Of course - we want it to stop looking for that account - but it needs to keep going through the rest of the accounts. I have made this change and tested that it does keep going through the account list - even when it finds a match for an account.

SQLPing2 (guest)

03/11/2006 12:50 AM	Quote Reply Alert
Perfect! I am using it to demonstrate to security professionals how easy it is to compromise a server with weak passwords! Thanks Chip.

Add Reply

Forums > Discussions > SQL Server Security > User List problems

Quick Reply

Username:
Subject:
Body:

ActiveForums 3.6