August 14, 2018 at 12:01 am
Comments posted to this topic are about the item Using pw-inspector in Brute Force attack on SQL Server
August 14, 2018 at 5:59 am
Hi Anil,
You stated:
Since we have several passwords that do not meet the minimum security standard of SQL Server, we will now use pw-inspector to generate a new word list to perform the attack, meeting the criteria of minimum password length of 6 characters and containing numbers:
cat attack_hydra.txt | pw-inspector -m 6 -n > passwords.txt
The new word list is created, and we already have the IP of the SQL Server server.
Based on your original word list, what does the new one look like? Does it filter out all of the passwords that don't meet the complexity requirements, or does it actually re-write them to meet the requirements? If you have an example, that'd be great.
Thanks,
Mike
Mike Scalise, PMP
https://www.michaelscalise.com
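Added illustration, not part of this thread or of Anil's article: a POSIX shell function that reproduces what "pw-inspector -m 6 -n" does, run over a small word list constructed here (none of these are real credentials, and the file name attack_hydra.txt is only assumed from the quoted command). pw-inspector is a filter: it drops candidates that fail the length and character-class tests and passes the rest through unchanged, so the output is always a subset of the input.

```shell
#!/bin/sh
# Added example (not from the thread or the article). Constructed word list
# standing in for attack_hydra.txt; none of these are real credentials.
sample_wordlist() {
  cat <<'EOF'
password
sa
Passw0rd
123456
admin1
sql2018
summer
P@ss1
EOF
}

# Reproduces `pw-inspector -m MINLEN -n`: keep a candidate only if it is at
# least MINLEN characters long AND contains at least one digit. Like the real
# tool, it only discards lines; it never rewrites a weak candidate into a
# strong one.
pw_inspect() {
  min_len="${1:-6}"
  grep -E "^.{${min_len},}\$" | grep '[0-9]'
}

# Counts surviving lines so the pruning effect is visible.
count_lines() {
  wc -l | tr -d ' '
}

# Usage (same shape as the article's pipeline):
#   sample_wordlist | pw_inspect 6 > passwords.txt
sample_wordlist | pw_inspect 6
```

On the constructed list, 8 candidates go in and 4 come out (Passw0rd, 123456, admin1, sql2018); "password" and "summer" are dropped for having no digit, "sa" and "P@ss1" for being too short. Raising the minimum to 7 leaves only Passw0rd and sql2018. The real tool also accepts -M for a maximum length, -l/-u/-p/-s for other character sets and -c for how many of the requested sets must be present, which is how you match an actual complexity policy rather than just "has a number".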
August 14, 2018 at 7:49 am
A default install of SQL Server will have "Failed Logins" logging enabled.
Right-click the server name, then click Properties. Under the Security page...
Only pointing this out because if you were to run a HUGE password file and user name file for testing purposes, you will kill your current Error Log in SQL Server.
Have fun, but be careful.
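Added example, not part of the thread: the flip side of the point above is that the same flood of failed-login entries is what a defender uses to spot the attack. The lines below are constructed in the format SQL Server writes to ERRORLOG for error 18456 (hosts, users and timestamps are made up), and the shell functions summarise them per client address and flag anything over a threshold.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed ERRORLOG lines in the
# format SQL Server uses for failed logins (error 18456); every host, user
# and timestamp here is made up.
sample_errorlog() {
  cat <<'EOF'
2018-08-14 07:49:12.34 Logon       Error: 18456, Severity: 14, State: 8.
2018-08-14 07:49:12.34 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-08-14 07:49:12.41 Logon       Error: 18456, Severity: 14, State: 8.
2018-08-14 07:49:12.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2018-08-14 07:49:12.49 Logon       Error: 18456, Severity: 14, State: 5.
2018-08-14 07:49:12.49 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2018-08-14 07:50:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2018-08-14 07:50:01.10 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.22]
EOF
}

# Summarise failed logins per client address as "count client", busiest first.
# Only the "Login failed for user" line carries the client, so the paired
# "Error: 18456" line is ignored.
failed_logins_by_client() {
  awk '/Login failed for user/ {
         if (match($0, /\[CLIENT: [^]]*\]/)) {
           # strip the "[CLIENT: " prefix (9 chars) and the closing "]"
           client = substr($0, RSTART + 9, RLENGTH - 10)
           n[client]++
         }
       }
       END { for (c in n) print n[c], c }' | sort -rn
}

# Print only the clients at or above a failure threshold: the alerting signal.
clients_over_threshold() {
  failed_logins_by_client | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: sample_errorlog | clients_over_threshold 3
sample_errorlog | failed_logins_by_client
```

On the sample, 10.0.0.5 accounts for three failures across two logins and 10.0.0.22 for one, so a threshold of 3 singles out the first host. On a real box you can feed the function a copy of ERRORLOG, or the rows returned by xp_readerrorlog, and tune the threshold to the normal rate of typos on that instance.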
August 14, 2018 at 10:12 am
I always thought the weakest link was the person on the other side of the door, who can just open the door and let you in. A disgruntled or careless admin can open that door pretty easily, with or without a strong password strategy.
August 15, 2018 at 8:32 am
For this to work against SQL Server, it assumes that:
- The user's account is not domain authenticated
https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx
- The sysadmin doesn't have 'enforce password policy' enabled on the account
https://support.microsoft.com/en-us/help/2028712/understanding-password-policy-for-sql-server-logins
- The user's password is relatively simple
https://it.ucsf.edu/policies/bad-passwords
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
October 23, 2020 at 8:21 am
For this to work it presumes that the SQL Server has not been locked down with standard practices and that it's a Linux box or Windows with WSL installed.
If your job is DBA or sysadmin, I'd say you're about to get fired if this attack worked.