
Monthly Archives: March 2013

Non-Standard SQL Port

As a DBA, I have heard of a defensive maneuver that is supposed to help throw hackers off your scent: configuring a non-standard port for the database engine, something other than 1433.

We first need to understand a standard configuration. If you select only the database engine on install, the default instance listens on TCP port 1433. No firewall changes are made, so that is something you have to do post-install. The SQL Browser service is disabled because it is not required. UDP/1434 was used by the SQL Slammer worm, which took advantage of poor network packet handling in the SQL Browser service. I recommend you leave this service disabled.

In previous attacks I have demonstrated, during the information gathering phase we locate a SQL Server using nmap or zenmap. We assume it is a SQL Server because port 1433 is open. You can find a good listing of default ports on Wikipedia. You can also find a good list of Windows ports in your services file, usually located in c:\windows\system32\drivers\etc\

Rather than discuss whether we should or should not change the SQL port, what I want to do is test the effectiveness of the tools if the port is changed. To change the port SQL Server listens on for remote connections, there are three spots in SQL Server Configuration Manager we have to change.

First, I like to change the Listen All setting to No.

[Screenshot: change_sql_port_01]

Then, find your IPv4 address, enable listening on it, and change the port.

[Screenshot: change_sql_port_02]

Now, we have to change the firewall. I’ve added an extra rule, then verified I could connect using the “IP,port” syntax in SSMS.

[Screenshot: change_sql_port_03]

Penetration Testing

The only thing a port change will defend against is the information gathering phase of a hack. Doing a quick scan with zenmap, I noticed that this change is at least partially effective. The ms-sql port doesn’t light up green like we are used to; in fact, no open port is identified by a quick scan.

[Screenshot: change_sql_port_06]

What we have to do is open up our scan. The “Intense scan, all TCP ports” profile is very time consuming. I doubt a hacker would wait this long for a single host; I sure didn’t.

[Screenshot: change_sql_port_04]

nmap has a lot of options and switches we can experiment with. I did notice the option “-p T:”, which will try the TCP ports within the range supplied. This completes in a reasonable amount of time.

[Screenshot: change_sql_port_05]

However, the service identification is missing. By changing the command a bit, we can identify that the service is SQL Server, just not the exact version.

[Screenshot: change_sql_port_07]

As you can see, the port change was ultimately ineffective. The fact that the host is always easily identified as online will draw the attention of an attacker. With a small amount of persistence, the attacker can identify the target as a SQL Server.
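As an added example (not code from the original post), here is a small Python script that reads a saved nmap XML scan (the -oX output format) and applies the post’s conclusion to your own network inventory: a host that is up with a port fingerprinted as ms-sql-s is a SQL Server whatever port it uses, while an open but unidentified port is what a range scan without version detection leaves you with. The XML, addresses and port numbers below are constructed samples, not real scan output.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SQL_PORT = 1433

# Constructed sample in nmap's -oX layout (not real scan output). The three
# "up" hosts model the post's cases: default port, non-standard port with a
# service fingerprint, and an open port found by a range scan without one.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server" version="2008 R2"/>
    </port></ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="14330"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server"/>
    </port></ports></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="14331"><state state="open"/>
      <service name="unknown"/>
    </port></ports></host>
  <host><status state="down"/><address addr="10.0.0.8" addrtype="ipv4"/></host>
</nmaprun>
"""


def find_sql_servers(nmap_xml: str) -> List[Dict]:
    """Return one finding per open TCP port on each host that is up, with a
    verdict: SQL on the default port, SQL on a non-standard port, or open
    but not identified (the range scan without version detection)."""
    root = ET.fromstring(nmap_xml)
    findings: List[Dict] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host draws no attention; an up one does
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            portid = int(port.get("portid"))
            if name == "ms-sql-s":
                verdict = "sql-default-port" if portid == DEFAULT_SQL_PORT else "sql-nonstandard-port"
            else:
                verdict = "open-unidentified"
            findings.append({"host": addr, "port": portid, "service": name,
                             "version": svc.get("version") if svc is not None else None,
                             "verdict": verdict})
    return findings
```

Feeding it a real scan of your own hosts gives a list of SQL Servers you can reconcile against your inventory, including the ones whose port was moved.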


Posted by on March 25, 2013 in Security, SQL Admin


#SQLPASS #SQLSatDetroit recap

I attended my third SQL Saturday event March 16th, 2013. This was the first one I decided to submit an abstract to and I am really glad I did. I’ve been geeked out on my presentation topic the last 6 months so that helped me push past any nerves.

I also volunteered, but the hard work of others didn’t leave much left over. After 200+ of these SQL Saturday events, the community has a pretty good handle on how to make it a success. This was Detroit’s first, so there were plenty of unknowns. Lawrence Tech turned out to be a great location. There was plenty of open space between all of the classrooms for discussion and sponsors. The cafeteria simplified setup, delivery and cleanup of lunch. We were able to access the facility early, and staff was onsite to help. 4G service was good and wifi was open.

[Image: lti]

There were 5 tracks, two with larger rooms and 3 with smaller rooms. I got one of the smaller rooms, which was fine with me. I don’t like microphones and my voice doesn’t project particularly well. However, I did hear that some folks would have liked to attend but the room was already packed.

[Image: me_at_sqlsatdetroit]

Slides: https://nujakcities.files.wordpress.com/2013/03/security0315.pptx

And some older demo steps: https://nujakcities.files.wordpress.com/2013/03/demo_steps0216.docx

I was very happy with my delivery. I’m definitely not a natural but I can sense that I am getting a little better each time. I have to give a big thanks to the developers of Kali Linux. They shipped a solid product that demoed nicely. I was very concerned jumping into the new hotness with only 2 nights of practice but it worked out for the best. Of about 40 attendees, I received 21 reviews for an average score of 4.57/5.

Speaking did distract from attending other sessions. I was a complete zombie after my session and almost missed lunch. That said I think I will give speaking another shot. The #SQLFamily made it an enjoyable and valuable experience. Especially this evaluation comment that made my day and gave me the energy to go get a drink after the event.

[Image: million_dollar_reveiw]


Posted by on March 20, 2013 in PASS, Security, SQL Admin


I’m Speaking at #SQLSatDetroit March 16th

What a great way to use up my 100th blog post. I could not think of a better way to pass that milestone than to announce my upcoming session.

[Image: one_down]

Ok, I didn’t really delete that session next to mine but what a great way to get in the mood!

Hacking SQL Server
The best defense is a good offense. Learn how to practice hacking without going to jail or getting fired. In this presentation we’ll be going over how to exploit weak SQL Servers with actual tools of the penetration testing trade. You will learn why the SQL service is a popular target on your network and how to defend against basic attacks. We will also attempt to snag some credentials from the SAM cache so we can go gallivanting across the rest of the network.

If you are attending, I encourage you to get a few things installed so you can play along. It’s just more fun that way. VMware Player and BackTrack should get you started. You may want to set up a victim virtual machine as well, or just hack your host computer. Make sure to turn off your host NIC so you don’t make any mistakes and touch a network you don’t have permission to use in that way.


Posted by on March 6, 2013 in PASS, Security, SQL Admin
