I’ve written about SQL Server security and mentioned that logins can be brute forced. https://nujakcities.wordpress.com/2012/03/20/building-up-to-sql-server-security/ Today I’m going to attempt a brute force attack on the latest and greatest SQL Server.
First I downloaded VMware Player. It’s free and allows you to set up virtual machines easily. I installed the 180-day eval of Windows Server 2012. You will need to tell VMware Player that it’s Windows Server 2008 R2, but I assure you it’s 2012; see, no Start button.
In the screenshot you will also see the SQL Database Engine install completing. Today we’re going to act like a developer and make it as easy as possible to connect to SQL Server. Our first misconfiguration, enabling SQL Authentication (mixed mode), is on the left.
The other bonehead configuration move you will see is enabling the ‘sa’ account with a weak password. And mistake number three is unchecking “Enforce password policy”. That allows unlimited attempts at the password, because without the policy there is no lockout. I see this configuration frequently because business users don’t want the application to go offline if the SQL login gets locked out.
To set up the attacker machine, download a BackTrack VM, log in with root|toor and run “startx”. Then pop a command shell and verify there is a service available at the target IP using a tool called ‘nmap’. This tool has been around for ages and still works like a charm to identify service listeners and open ports. Neo used it in the movie The Matrix.
After that I launched a tool called ‘SQLDict’, entered the IP, entered the target account ‘sa’ and then loaded up a password file. The file I used is in the John the Ripper folder; it is meant for cracking password hashes but works just as well as a wordlist for our SQL brute-force attack.
I hit start and, as you can see, fairly quickly (maybe 2 minutes at ~30 attempts/sec) it tries enough passwords to figure out that my sa account password is ‘highland’. Just to make sure, I connected with that account in SSMS. One catch is you will have a SQL error log that gets a little bloated with failed-login entries. But that is ok, you can cycle it out of existence since you have sysadmin privileges.
There is another tool called ‘sqlhf’. It can scan a range of IPs and will make three tries at the sa password. Those three tries are '' (blank), ‘sa’ and ‘password’. Don’t ever leave the sa password blank or set to one of the other two options.
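The bloated error log mentioned above is also the cheapest place to spot this attack from the server side. The following T-SQL is an added example, not part of the original post: it reads the current SQL Server error log with xp_readerrorlog, pulls the login name and client address out of each “Login failed for user” message, and lists any source that exceeds a threshold inside the window. The window (@since), the threshold (@threshold) and the temp table name are assumptions chosen for this example; the message format (“Login failed for user 'name'. Reason: ... [CLIENT: a.b.c.d]”) is what SQL Server writes when failed-login auditing is on, which is the default.

```sql
-- Added example (not from the original post): turn failed-login noise in the
-- SQL Server error log into a per-source brute-force alert. Run as sysadmin.
-- xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server),
-- search string 1, search string 2, start time, end time, sort order.

DECLARE @since datetime = DATEADD(MINUTE, -10, GETDATE());   -- window to inspect (assumed)
DECLARE @threshold int = 20;                                 -- failures per window (assumed)

CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(50),
    LogText     nvarchar(max)
);

INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user', NULL, @since, NULL, N'DESC';

-- Each failure reads "Login failed for user 'sa'. Reason: ... [CLIENT: 192.0.2.10]".
-- Extract the quoted login name and the address inside "[CLIENT: ...]".
;WITH parsed AS (
    SELECT LogDate,
           SUBSTRING(LogText,
                     CHARINDEX(N'''', LogText) + 1,
                     CHARINDEX(N'''', LogText, CHARINDEX(N'''', LogText) + 1)
                        - CHARINDEX(N'''', LogText) - 1) AS login_name,
           SUBSTRING(LogText,
                     CHARINDEX(N'[CLIENT: ', LogText) + 9,          -- "[CLIENT: " is 9 chars
                     CHARINDEX(N']', LogText, CHARINDEX(N'[CLIENT: ', LogText))
                        - CHARINDEX(N'[CLIENT: ', LogText) - 9) AS client_ip
    FROM #errlog
    WHERE LogText LIKE N'%[[]CLIENT: %'          -- [[] escapes the literal bracket
)
SELECT client_ip,
       login_name,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM parsed
GROUP BY client_ip, login_name
HAVING COUNT(*) >= @threshold
ORDER BY failures DESC;

DROP TABLE #errlog;
```

A dictionary run at ~30 attempts/sec produces hundreds of rows per minute for one login name from one address, so even a conservative threshold separates it from a user mistyping a password. Scheduling this as an Agent job, or shipping the error log to a SIEM and running the same grouping there, is the usual next step; note that if “Login auditing” has been set to “None” in the server properties, these entries are never written and this query sees nothing.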
Once you are in, there may be nothing in SQL of interest. I know my instance doesn’t have squat to steal. However, there is one last configuration mistake that I didn’t make, and that is running the service as ‘root’, a.k.a. ‘NT AUTHORITY\SYSTEM’. Since you have ‘sa’ you can enable xp_cmdshell and rain shells right inside of SQL Server. Fortunately there is at least one speed bump: the service runs as the local user “sql”, which has very limited privileges, so any shell inherits only those.
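The four misconfigurations walked through in this post (mixed-mode authentication, an enabled sa login, “Enforce password policy” unchecked, and a trivial or blank password, plus the service account and xp_cmdshell state from the last paragraph) can all be checked from one read-only script. This T-SQL is an added example, not part of the original post; it runs as a sysadmin on SQL Server 2012, uses PWDCOMPARE() to test each enabled SQL login against the same three defaults sqlhf tries and against the login’s own name, and reads the service account from sys.dm_server_services. The @candidates table name is an assumption for this example.

```sql
-- Added example (not from the original post): audit the misconfigurations
-- described in the post on a SQL Server 2012 instance. Read-only; run as sysadmin.

-- 1. Is SQL Authentication (mixed mode) enabled at all?
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN N'Windows authentication only'
           ELSE N'Mixed mode: SQL logins accepted'
       END AS auth_mode;

-- 2. Every SQL login: enabled? policy (and therefore lockout) enforced? expiration?
SELECT name,
       is_disabled,
       is_policy_checked,        -- 0 = "Enforce password policy" unchecked: no lockout
       is_expiration_checked,
       modify_date
FROM sys.sql_logins
ORDER BY is_policy_checked, name;

-- 3. Enabled SQL logins whose password is blank, 'sa', 'password' or their own name.
--    PWDCOMPARE() returns 1 when the clear-text candidate matches the stored hash.
DECLARE @candidates TABLE (pwd sysname);       -- table name is an assumption
INSERT INTO @candidates (pwd) VALUES (N''), (N'sa'), (N'password');

SELECT l.name, c.pwd AS matched_password
FROM sys.sql_logins AS l
CROSS JOIN @candidates AS c
WHERE l.is_disabled = 0
  AND PWDCOMPARE(c.pwd, l.password_hash) = 1
UNION ALL
SELECT l.name, l.name
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND PWDCOMPARE(l.name, l.password_hash) = 1;

-- 4. Which account the Database Engine runs under, and whether xp_cmdshell is on.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

SELECT name, value_in_use                      -- 1 = xp_cmdshell enabled
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');
```

Anything returned by step 3 is a login that sqlhf, or a two-minute SQLDict run, would find; the fix is a new password plus `ALTER LOGIN ... WITH CHECK_POLICY = ON`, or disabling sa outright. A service_account of `NT AUTHORITY\SYSTEM` or `LocalSystem` in step 4 is the mistake the post says it avoided; a dedicated low-privilege account such as the “sql” user here is the speed bump that keeps an xp_cmdshell shell from being a local admin shell.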