You can get a win32 port of dsniff at http://www.datanerds.net/~mike/dsniff.html. I don't think this version has support for NTLM authentication but it's my experience that people reuse the same passwords for many services/boxes.
Does the SQL server authenticate via trusted connections? Provided you can sniff/snarf for NTLM you should be able to get domain credentials whenever someone authenticates to the server (unless NTLMv2 auth is used, I don't think I've seen a tool for this, anyone?).

Have you tried to nbtdump/enum the other winboxen? Aside from names of shares and users, I've seen admins actually put passwords in the Comment field for user accounts that pertain to specific services. Seriously.

While you're at it, try out talkntlm and the methods described in http://www.atstake.com/research/advisories/2000/a091400-1.txt. Couldn't hurt.

If all else fails, brute force accounts using nat http://www.cotse.com/tools/sw/nat10bin.zip.

Just some thoughts.

Blake Frantz
MCSE, CCNA
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:[EMAIL PROTECTED]
http://www.mc.net

-----Original Message-----
From: Jason [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 13, 2002 3:49 AM
To: [EMAIL PROTECTED]
Subject: hacking a NT domain after the member server

Currently doing a penetration test and managed to compromise a development SQL server (W2K/SQL 2000) that is a member of the domain. I am trying to gather additional information from this host that will allow me to compromise the domain.

There are no accounts on this host that are the same as the domain. LSA secrets revealed nothing interesting. Does anyone have any other ideas?

I would like to install a command line NTLM password sniffer. Does anyone know of one? However, people rarely use this server and I am unlikely to get any domain passwords this way. Any other ideas?

Any help appreciated.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
