Three Attack Vectors in SQL Server 2005

  • Br. Kenneth Igiri

    SSCarpal Tunnel

    Points: 4522

    An additional eye-opener for the intended Hardening in our environment.

    Thank you. 🙂

    Br. Kenneth Igiri
    www.scribblingsage.com
    All nations come to my light, all kings to the brightness of my rising

  • andy-513384

    SSC Rookie

    Points: 48

    Very useful post - I've used some of these methods on 2005 several times in the past due to instances not being set up correctly and with forgotten sa passwords. One question though - in the 3rd method, why not copy the LDF file(s) as well? As the instance has been cleanly shutdown, may as well copy them too and have a consistent/clean DB.

    Thanks for a great and useful post!

    Andy.

  • Joshua M Perry

    SSCrazy

    Points: 2655

    There is always a back door. Consider this...

    PsExec.exe -s -i

  • Eric M Russell

    SSC Guru

    Points: 125026

    SSIS connections should be using Windows authentication and use the encrypted option. However, you can at least try locating any .dtsConfig and .dtsx files and looking for properties called "ConnectionString".

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
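A defender's follow-up to the .dtsConfig hunt Eric describes, added here as an editor's example rather than anything posted in the thread: it parses the Configuration/ConfiguredValue layout SSIS uses for .dtsConfig files and reports which ConnectionString properties still rely on a SQL login (and whether a password is stored beside it), without echoing the secret. The sample file content is constructed, and the function names (parse_connection_string, audit_dtsconfig, audit_directory) are chosen for this example.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample .dtsConfig (not taken from any real package).
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Warehouse].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=SQL01;Initial Catalog=DW;Integrated Security=SSPI;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Legacy].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=SQL02;Initial Catalog=ERP;User ID=sa;Password=P@ssw0rd;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

def parse_connection_string(cs):
    """Split 'Key=Value;...' into a dict with lower-cased, trimmed keys."""
    pairs = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_dtsconfig(xml_text, source="<inline>"):
    """One finding per ConnectionString property that does not use Windows auth."""
    findings = []
    for conf in ET.fromstring(xml_text).iter("Configuration"):
        path = conf.get("Path", "")
        if not path.endswith(".Properties[ConnectionString]"):
            continue
        value_el = conf.find("ConfiguredValue")
        pairs = parse_connection_string(value_el.text or "") if value_el is not None else {}
        flag = pairs.get("integrated security", pairs.get("trusted_connection", ""))
        if flag.lower() in ("sspi", "true", "yes"):
            continue  # Windows authentication: nothing to report
        # Report the login and whether a secret is present, never the secret itself.
        findings.append({"file": source, "path": path,
                         "login": pairs.get("user id", pairs.get("uid", "")),
                         "has_password": any(k in pairs for k in ("password", "pwd"))})
    return findings

def audit_directory(root):
    """Walk a tree and audit every .dtsConfig found (case-insensitive suffix match)."""
    results = []
    for f in Path(root).rglob("*"):
        if f.is_file() and f.suffix.lower() == ".dtsconfig":
            results.extend(audit_dtsconfig(f.read_text(encoding="utf-8-sig"), str(f)))
    return results
```

Run audit_directory against the package deployment folder; any finding with has_password set is a candidate for moving to Windows authentication or to an encrypted configuration.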

  • derek.colley

    SSCrazy Eights

    Points: 8040

    Reported as spam.

    ---

    Note to developers:
    CAST(SUBSTRING(CAST(FLOOR(NULLIF(ISNULL(COALESCE(1,NULL),NULL),NULL)) AS CHAR(1)),1,1) AS INT) == 1
    So why complicate your code AND MAKE MY JOB HARDER??!:crazy:

    Want to get the best help? Click here https://www.sqlservercentral.com/articles/forum-etiquette-how-to-post-datacode-on-a-forum-to-get-the-best-help (Jeff Moden)
    My blog: http://uksqldba.blogspot.com
    Visit http://www.DerekColley.co.uk to find out more about me.

  • derek.colley

    SSCrazy Eights

    Points: 8040

    Just wanted to say thank you to all who replied, an interesting discussion and thanks for your positive comments.

    Scowls and dark looks to the spammer, though.

  • john.moreno

    Default port

    Points: 1485

    Hugo Kornelis (3/7/2012)

    The three methods mentioned in the article all require (assuming that the domain and SQL Server have been setup wisely) that the person performing the "attack" has access to a domain account with elevated privileges.

    Right. A better name for the article would have been "Three Methods for Regaining Access to SQL Server".

  • abounds

    Valued Member

    Points: 59

    Joshua M Perry (3/7/2012)

    There is always a back door. Consider this...

    PsExec.exe -s -i

    I was going to point this out as well. This method:

    A) Requires that you have local Admin rights

    B) utilizes the built-in principal permissions SQL attaches to itself

    C) Has no bias to Microsoft's decision to remove BUILTIN\Administrators from the default permissions group.

    I've become very used to using this when a customer in my line of work fails to properly keep up with their login info to SQL, a fairly regular occurrence. Just use this command to exec SSMS and auth a system. Done, add your perms and be on your merry, no SQL restart required, etc.

  • Rudy Panigas

    SSChampion

    Points: 10695

    Hello and thanks for writing the article.

    I have also written an article on how to get into a SQL server when completely locked out so I feel your pain when people say "how can you write about this, are you a hacker or terrorist?" Shame on them!

    There are many real world scenarios where you have no choice but to find a way into a SQL server. As long as you have permission from the company you are fine.

    Here's another thought. If the SQL server is using Mixed Mode you can use a brute force tool to figure out the SA account.

    It's good for DBAs to know how to get into a SQL server so that you can help prevent others from doing the same thing. Also, if you don't have physical access or don't have server access then there isn't much you can do to get in unless you know of a user account that had access to the SQL server.

    If we DBAs don't talk about this topic, you can bet the house that the bad guys are.

    Thanks,

    Rudy
