Top hacker tricks to exploit SQL Server systems
Whether through manual poking and prodding or the use of security testing tools, malicious
attackers employ a variety of tricks to break into SQL Server systems -- both inside and outside
your firewall. It stands to reason, then, that if the bad guys are doing it, you need to carry out
the same attacks to test the security strength of your systems.
Here are nine hacker tricks used to gain access and abuse systems running Microsoft SQL
Server. (This was first published in April 2010.)
1. Direct connections via the Internet
These connections can be used to attach to SQL Servers sitting naked without firewall protection
for the entire world to see (and access). I don't understand the logic behind making a critical
server like this directly accessible from the Internet, but I still find this flaw in my
assessments. We occasionally hear about such incidents in the media. Nevertheless, these direct
attacks can lead to denial of service, buffer overflows, remote control, and more.
2. Uncovering hidden and overlooked systems on the internal network
The bad guys are crafty at not only uncovering default SQL Server installations, but also
“hidden” SQL Server instances such as those running on odd ports, located on systems running
Windows Firewall or other host-based protection. Chip Andrews' SQLPing is a great tool
for finding all live SQL Server systems regardless of the configuration. Many of these non-default
systems are overlooked and under-protected, providing the ideal attack scenario for an insider with
ill intent.
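A defender-side counterpart to the two points above, added here as an example rather than taken from the article: run from inside one instance, the queries below show which TCP port that instance is actually configured to listen on (the "odd port" case), which clients are reaching it over the network rather than locally, and which remote-execution features are switched on. They use only documented catalog views and dynamic management views; sys.dm_server_registry exists from SQL Server 2008 R2 onward and the DMVs need VIEW SERVER STATE. The configuration option names are real; which ones matter in your environment is a judgement call.

```sql
-- Added example (not from the article): audit how THIS instance is exposed.
-- Run as a login holding VIEW SERVER STATE; sys.dm_server_registry needs
-- SQL Server 2008 R2 or later.

-- 1. Which TCP port(s) the instance is configured to listen on. A non-default
--    port is what the article calls a "hidden" instance; it is still reachable
--    by anyone who scans for it unless host and network firewalls block it.
SELECT registry_key, value_name, value_data
FROM sys.dm_server_registry
WHERE registry_key LIKE N'%\SuperSocketNetLib\Tcp%'
  AND value_name IN (N'Enabled', N'TcpPort', N'TcpDynamicPorts');

-- 2. Who is connected right now, over which transport, from which address.
--    Every row here is a client reaching the server over the network; an
--    address that is not one you expect (or is not even internal) is the
--    "direct connection" the article warns about.
SELECT c.session_id,
       c.net_transport,
       c.client_net_address,
       c.local_net_address,
       c.local_tcp_port,
       s.login_name,
       s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> N'Shared memory'
ORDER BY c.client_net_address;

-- 3. Surface area: features that turn a reachable instance into remote control
--    of the host. Expect value_in_use = 0 for each unless a documented
--    business need says otherwise.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'Ole Automation Procedures',
               N'remote access',
               N'Ad Hoc Distributed Queries');
```

Running the first query on every instance your inventory knows about, and comparing the result with what the network team believes is filtered, is the quickest way to find the overlooked installations the article describes before someone with SQLPing does.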
3. Vulnerability scanning
Vulnerability scanning often reveals weaknesses in the underlying operating system (OS), the Web
application or the database system itself. Everything from missing SQL Server patches to Internet
Information Services (IIS) configuration weaknesses can be uncovered by attackers and used to
compromise the database server.
The bad guys may use open source, home-grown or commercial vulnerability scanners. Some are even
savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and
minimal wheel spinning), I recommend using commercial vulnerability assessment tools like QualysGuard or Rapid7 (for
general scanning), Acunetix Web Vulnerability Scanner or WebInspect
(for Web application scanning) and NGSSquirrel for
SQL Server or AppDetectivePro (for
database-specific scanning). They're easy to use, offer the most comprehensive assessment and, in
turn, provide the best results.
4. Cracking passwords
Deciphering Software Assurance and Windows domain passwords is also used by attackers to
get into SQL Server systems. In many cases, cracking is not needed since no password has been
assigned, providing yet another use for the handy-dandy SQLPing tool mentioned earlier. AppDetectivePro, NGSSQLCrack, and SQLdict -- the freebie tool that’s also packaged
in the BackTrack
toolset -- also have this capability. Furthermore, if physical access is available, an attacker can
use a tool like Proactive System Password Recovery
to gain control.
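The cheapest password to crack is the one that was never set. The query below is an added example (not from the article or any of the tools it names) that asks the instance itself for the SQL logins an attacker would not need SQLPing, SQLdict or any cracker for: a blank password, a password equal to the login name, or the Windows password policy switched off for the login. PWDCOMPARE and sys.sql_logins are documented; password_hash is returned as NULL unless the caller has sufficient rights, so run this as sysadmin.

```sql
-- Added example (not from the article): SQL logins that need no cracking.
-- Run as sysadmin so that password_hash is visible (otherwise it is NULL and
-- every PWDCOMPARE below silently evaluates to NULL, i.e. nothing is reported).

-- Mixed-mode authentication is what makes SQL logins (including sa) a target at all.
SELECT CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN N'Windows authentication only'
            ELSE N'Mixed mode: SQL logins are accepted'
       END AS authentication_mode;

-- Logins with a blank password, a password equal to their own name, or no
-- policy enforcement. Disabled logins are listed too: they are one
-- ALTER LOGIN ... ENABLE away from being usable again.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE
           WHEN PWDCOMPARE(N'', password_hash) = 1  THEN N'blank password'
           WHEN PWDCOMPARE(name, password_hash) = 1 THEN N'password equals login name'
           WHEN is_policy_checked = 0               THEN N'Windows password policy not enforced'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
   OR is_policy_checked = 0
ORDER BY name;
```

A clean result is an empty second result set. Anything it does return is a login that the password-guessing tools in this section would find within seconds, so fix those before spending time on full-blown cracking of the rest.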
5. Direct-exploit attacks
Direct exploitation tools such as Metasploit
can be used to exploit certain vulnerabilities found during normal scanning. This is
typically the silver-bullet hack for attackers because it can lead to complete remote access of the
server and database environment with full administrative rights.
6. SQL injection
SQL injection attacks are executed via front-end Web applications that don't properly validate
user input. SQL queries can be inserted directly into Web URLs and forms which can return
informative errors that lead to enumeration of the SQL Server environment, and eventually, full
database access. These attacks can be carried out manually if you have a lot of time, but it’s much
wiser to use automated tools to your advantage.
Once you discover that a server has a SQL injection vulnerability using a Web application
vulnerability scanner, you can use an automated SQL injection tool such as Absinthe or the SQL Injector tool built into WebInspect to carry out the process.
7. Reverse engineering the system
The reverse engineering trick looks for software exploits, memory corruption weaknesses and so
on. In this
sample chapter from the excellent book, Exploiting Software: How to Break Code by Greg
Hoglund and Gary McGraw, you'll find a discussion about reverse engineering ploys and how you can
use them to root out SQL Server vulnerabilities.
8. Google hacks
Google hacks use the extraordinary power of the Google search engine to ferret out SQL Server
errors, such as "Incorrect syntax near" leaking from publicly accessible systems. Several Google
queries are available at Johnny Long's Google
Hacking Database (GHDB). (Look in the sections titled, Error Messages and Files
containing passwords.)
The bad guys use Google to find passwords, vulnerabilities in Web servers, underlying operating
systems, publicly available procedures and more that they can use to further compromise a SQL
Server system. Combining these queries with website names via Google's 'site:' operator often turns
up juicy info you never imagined you could unearth. The same concept can be carried out using
text/PII search tools, such as FileLocator Pro
and Identity Finder on network shares inside the
network as discussed in this article on
unstructured information.
9. Perusing website source code
Source code can also turn up information that may lead to a SQL Server break-in. Specifically,
hard-coded SQL Server configuration and authentication information may be stored in ASP scripts,
Flash files, etc. for simplicity's sake. Through a manual assessment, using Google or a tool such
as SWFScan, you can uncover this information quickly and easily.
ABOUT THE AUTHOR
Kevin Beaver, CISSP, is an information security consultant, expert witness, seminar leader and
keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at
www.principlelogic.com.