Hacking Microsoft SQL Server

So you have spent a lot of time and effort in securing your database instance using documentation from Microsoft and read a ton of best practice research to make sure you are taking the correct security approach. Is your server really secure? Have you done everything you can to protect your data and the business that pays your salary?

In this interesting article by Rick Osgood we get step-by-step instructions with code examples on how he used basic tools to hack his way into a default database instance he was using to test this technique.

During a recent penetration test, I was performing some packet captures and noticed  some unencrypted Microsoft SQL Server (MSSQL) traffic.  The syntax was unmistakable.  At first I thought this might be a way to capture some authentication credentials.  However, that proved to be a dead-end since MSSQL encrypts login traffic by default.  The more I pondered what I could do with this data, the more curious I became.

Unfortunately, for this particular client engagement, the SQL Server was out of scope.  So, I had to set this investigation aside and complete the test for the client.  However, I could not help thinking there was some potential here.  I decided to take my research home and try some experiments.

What I found was that with a little hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials using a Man in the Middle style attack.

By the way, the first thing you want to do to prevent this type of attack is to require encrypted connections to your database server, but that is an incomplete solution to a determined hacker.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s