
Port scanning for SQL Server services

Learn about port scanning for SQL Server services in this excerpt from "The Database Hacker's Handbook: Defending Database Servers" by David Litchfield, Chris Anley, John Heasman and Bill Grindlay.

The following excerpt, courtesy of Wiley Publishing, is from Chapter 22 of the book "The Database Hacker's Handbook: Defending Database Servers" written by David Litchfield, Chris Anley, John Heasman and Bill Grindlay.



Port scanning

The OPENROWSET command can be utilized as a rudimentary port scanner that can be used to determine services running on other hosts within the SQL Server's network. The query

select * from OPENROWSET('SQLOLEDB',
'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,80;timeout=5',
'')

will return the message "General network error. Check your network documentation," if the port is found to be open. A closed port gives "SQL Server does not exist or access denied." Whether or not the five-second timeout is expended depends on the behavior of the listening service.

It would obviously be extremely time-consuming to map an entire subnet using this method, although it is useful for pinpointing specific services. Because SQL Server will repeatedly attempt connections for the duration of the timeout period, this technique can also be used as a denial-of-service attack. The same query with an extended timeout value will make rapid, repeated connections to the service on the specified port, and could prevent legitimate users from connecting.
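The connection string used above is distinctive (Network=DBMSSOCN, an Address with a non-default port, and an explicit timeout), so the behaviour can be picked out of audited statements. The script below is an added example, not code from the book; it assumes a constructed "login|statement" log format and arbitrary thresholds for what counts as a sweep or a denial-of-service timeout.

```python
import re
from collections import defaultdict

# Matches OPENROWSET('SQLOLEDB', '<connection string>', ...) regardless of case or spacing.
OPENROWSET_RE = re.compile(r"OPENROWSET\s*\(\s*'SQLOLEDB'\s*,\s*'([^']*)'", re.IGNORECASE)

def parse_conn_string(conn):
    # 'k=v;k=v' -> dict with lower-cased keys
    pairs = (item.split("=", 1) for item in conn.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def classify_probe(query, dos_timeout=30):
    # Describe the TCP target of an OPENROWSET call, or None if the statement has none.
    m = OPENROWSET_RE.search(query)
    if not m:
        return None
    kv = parse_conn_string(m.group(1))
    if kv.get("network", "").upper() != "DBMSSOCN":  # only raw TCP (DBMSSOCN) links matter
        return None
    host, _, port = kv.get("address", "").partition(",")
    port = int(port) if port.strip().isdigit() else 1433  # SQL Server default port
    timeout = int(kv.get("timeout", "0") or 0)
    return {"host": host.strip(), "port": port,
            "nonstandard_port": port != 1433,     # e.g. 80 or 22: a port probe, not a DB link
            "dos_risk": timeout >= dos_timeout}   # long timeout = sustained reconnect loop

def analyze_log(lines, sweep_threshold=3):
    # Group probes by login from 'login|statement' lines (assumed format) and decide per login.
    per_login = defaultdict(list)
    for line in lines:
        login, _, query = line.partition("|")
        probe = classify_probe(query)
        if probe:
            per_login[login.strip()].append(probe)
    report = {}
    for login, probes in per_login.items():
        targets = {(p["host"], p["port"]) for p in probes}
        report[login] = {"probes": len(probes), "distinct_targets": len(targets),
                         "port_sweep": len(targets) >= sweep_threshold,
                         "dos_risk": any(p["dos_risk"] for p in probes)}
    return report

# Constructed sample audit lines (login|statement); not real captures.
SAMPLE_LOG = [
    "webapp|select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=x;Network=DBMSSOCN;Address=192.168.0.1,80;timeout=5','')",
    "webapp|select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=x;Network=DBMSSOCN;Address=192.168.0.1,22;timeout=5','')",
    "webapp|select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=x;Network=DBMSSOCN;Address=192.168.0.1,445;timeout=600','')",
    "reports|select * from OPENROWSET('SQLOLEDB','Server=reportsdb;Trusted_Connection=yes','select 1')",
]
```

Running `analyze_log(SAMPLE_LOG)` flags only the `webapp` login, since the `reports` statement is an ordinary named-server link rather than a raw TCP address; the same parser could feed a SQL Audit or Extended Events pipeline, and disabling Ad Hoc Distributed Queries removes the primitive entirely.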

Batched Queries

SQL Server supports query batching, which allows a number of semicolon-separated queries to be submitted for execution in a single request. Although this is a convenient feature that is unavailable in other database servers such as Oracle and MySQL, it does increase SQL Server's exposure to SQL injection attacks. This is because the Web application's query can be terminated with an injected semicolon followed by an additional query that will then be executed as part of the same batch.
