So you have spent a lot of time and effort in securing your database instance using documentation from Microsoft and read a ton of best practice research to make sure you are taking the correct security approach. Is your server really secure? Have you done everything you can to protect your data and the business that pays your salary?
In this interesting article by Rick Osgood we get step-by-step instructions with code examples on how he used basic tools to hack his way into a default database instance he was using to test this technique.
During a recent penetration test, I was performing some packet captures and noticed some unencrypted Microsoft SQL Server (MSSQL) traffic. The syntax was unmistakable. At first I thought this might be a way to capture some authentication credentials. However, that proved to be a dead-end since MSSQL encrypts login traffic by default. The more I pondered what I could do with this data, the more curious I became.
Unfortunately, for this particular client engagement, the SQL Server was out of scope. So, I had to set this investigation aside and complete the test for the client. However, I could not help thinking there was some potential here. I decided to take my research home and try some experiments.
What I found was that with a little hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials using a Man in the Middle style attack.
By the way, the first thing you want to do to prevent this type of attack is to require encrypted connections to your database server, but that is an incomplete solution to a determined hacker.