Now that I know something about the SQL environment, maybe I can gain access to that SQL system. Every SQL Server installation creates the default system administrator account, sa, with a blank password by default. Many times, through sloppy control or ignorance, that blank password is never changed to a strong one. You can simply fire up Query Analyzer (isqlw.exe), put in the SQL Server's IP address with a user name of sa and a blank password, and bang, you are in the SQL Server with full system administrator authority! What happens if there is a password on sa? There is a program called SQLDict which runs a dictionary attack against a single user account, in this case the sa account. SQLDict, written by Arne Vidstrom, is a GUI program: nothing fancy, simply a password-guessing utility fed with a dictionary of popular passwords. As illustrated by SQLDict in the image below, SQL hacking is now a point-and-click operation. If one server is exposed, it is just a matter of time before your whole organization is compromised.
This makes SQLPing2 a full-fledged hacking tool now. This test run was done using 11 user IDs and 29,157 passwords. Because I have a strong password, thank God, the password was not revealed. Another interesting utility is SQLPoke, written by xaphan. SQLPoke does not use a password-guessing technique; it merely looks for SQL Servers with an sa account and a blank password. It has an added twist: it can execute up to 32 commands on each server it gets into. The consequences are unbelievable if you allow that to happen!

C:\SQLTOOLS>SQLPOKE 192.168.2.220 192.168.2.225 1433 (Script to Alert Hacker or plant Trojan)

So this is clearly a wake-up call to the administrator! This is only the beginning, and there are many different ways to attack a SQL Server. After I experimented with SQLPing, SQLDict, SQLPoke and other software, I realized how important it is to have your SQL Server secured, your firewall properly configured, and your system patched with up-to-date hotfixes. Don't let your guard down, or else you will have an unwanted visitor in your backyard!
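Defensively, the dictionary attack described above leaves a trail: every guess SQLDict or SQLPoke makes is a failed login in the SQL Server errorlog. The following is an added example, not part of the original article and not code from any of the tools it names. It parses a constructed errorlog excerpt and flags any client that fails repeatedly against one login inside a short window. The log lines are made up for the example and use the errorlog format that appends a [CLIENT: ip] suffix to each failed-login message; the five-failures-in-sixty-seconds threshold is an arbitrary assumption.

```python
"""Flag password-guessing against SQL Server logins from the errorlog.

Added example, not from the original article. The log lines below are
constructed; they use the errorlog format that appends "[CLIENT: ip]" to
each failed-login message. Lines without that suffix (the older format)
are still parsed, with the client recorded as "unknown".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*(?:\[CLIENT: (?P<client>[^\]]+)\])?\s*$"
)

# Constructed errorlog excerpt: a seven-guess burst against sa from one client
# (what a dictionary tool produces), one stray failure from an application
# account, one single sa failure from another host, and one older-format line.
SAMPLE_ERRORLOG = """\
2003-05-02 10:01:20.00 Server      Starting up database 'master'.
2003-05-02 10:01:22.34 Logon       Error: 18456, Severity: 14, State: 8.
2003-05-02 10:01:22.34 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:23.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:23.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:24.65 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:25.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:26.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:26.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.50]
2003-05-02 10:01:30.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.77]
2003-05-02 10:05:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.2.90]
2003-05-02 10:06:00.00 Logon       Login failed for user 'sa'.
"""


def parse_failures(lines):
    """Extract timestamp, login, reason and client from failed-login lines; skip the rest."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "user": m["user"],
            "reason": (m["reason"] or "").strip(),
            "client": m["client"] or "unknown",
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (client, login) pair whose failures reach `threshold`
    inside any `window`-long span. Threshold and window are arbitrary choices."""
    times_by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        times_by_key[(e["client"], e["user"])].append(e["ts"])
    alerts = []
    for (client, user), times in times_by_key.items():
        best, span, start = 0, None, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (times[start], times[end])
        if best >= threshold:
            alerts.append({"client": client, "user": user, "count": best,
                           "first": span[0], "last": span[1]})
    return alerts


if __name__ == "__main__":
    found = parse_failures(SAMPLE_ERRORLOG.splitlines())
    for a in detect_bruteforce(found):
        print(f"{a['client']} -> {a['user']}: {a['count']} failures "
              f"between {a['first'].time()} and {a['last'].time()}")
```

On the constructed input only the 192.168.2.50 burst against sa is reported; the single failures from other clients, and the older-format line with no client address, are parsed but stay below the threshold. Before relying on this against a SQL Server 2000 instance, check its audit level: failed logins are only written to the errorlog once auditing is set to Failure or All.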
SQLPing
Since SQL Server supports multiple instances, the server must tell the client which instances exist and how to reach them. This listener operates on UDP port 1434 and is generally known as the instance mapper (Microsoft calls it the SQL Server Resolution Service; it is the service SQL Slammer exploited). A sample output from SQLPing 1.3, sent to the subnet broadcast address so that every listener answers, looks like this:

C:\SQLTOOLS>SQLPING 192.168.2.255
SQLPinging...
Response from 192.168.2.202
-----------------------------
ServerName : SNOOPYSQL1
InstanceName : MSSQLSERVER
IsClustered : No
Version : 8.00.194
np : \\SNOOPYSQL1\pipe\sql\query
tcp : 1433
True Version : 8.0.766
rpc : SNOOPYSQL1
SQLPing Complete.

As you can see, SQLPing revealed some interesting information:
SQL Server name
Instance name (the default instance is MSSQLSERVER)
Cluster information and status
Version, or the base version
Netlib details such as the Named Pipes pipe name, TCP port, RPC name, etc.
Patched version (True Version)
Looking at the base version and the patched version number, you can tell whether the administrator keeps the SQL Server patching up to date. Note that the advertised Version in the sample is still 8.00.194, the RTM build, while the True Version is 8.0.766 (SP3a): the advertised field alone says nothing about the patch level, so it is the True Version you compare against current builds. Many security vulnerabilities are well known for unpatched systems without hotfixes and service packs. Another item of interest is whether clustering technology is employed on this server; clustering is generally used to provide high availability for mission-critical systems. In this particular example, we see that the TCP/IP, Named Pipes and Multiprotocol (rpc) network libraries are in use. This information could be used to create a disaster if it falls into the hands of a skillful hacker.
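The passage above describes the instance mapper by what SQLPing prints. The following added example (not SQLPing's code and not part of the original article) sends the same single-byte request SQLPing sends to UDP 1434 and parses the reply into the fields listed. The constructed sample reply is modelled on the SNOOPYSQL1 output shown above, with a second, made-up named instance called DEV on an assumed TCP port added to show the multi-instance case.

```python
"""Probe the SQL Server Resolution Service (UDP 1434) and parse its reply.

Added example; not SQLPing's own code. Wire format of the service: the
client sends one byte (0x03 = list all instances on one host, 0x02 = the
same request to a broadcast address); the server answers with 0x05, a
2-byte little-endian length, then ASCII "key;value;key;value;...;;" with
one ";;"-terminated block per instance.
"""
import socket
import sys

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"
CLNT_BCAST_EX = b"\x02"
SVR_RESP = 0x05
NETLIB_KEYS = ("tcp", "np", "rpc", "spx", "adsp", "via")


def parse_ssrp_response(datagram: bytes) -> list[dict]:
    """Return one dict of key/value fields per instance in an SVR_RESP datagram."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for block in body.split(";;"):
        if not block:
            continue                      # trailing empty piece after the last ';;'
        parts = block.split(";")
        if len(parts) % 2:                # odd token count: truncated or malformed block
            raise ValueError(f"malformed instance block: {block!r}")
        instances.append(dict(zip(parts[0::2], parts[1::2])))
    return instances


def describe(instance: dict) -> list[str]:
    """Render one instance the way SQLPing prints it, plus the findings that matter."""
    lines = [f"{key:<13}: {value}" for key, value in instance.items()]
    netlibs = [key for key in NETLIB_KEYS if key in instance]
    lines.append(f"netlibs       : {', '.join(netlibs) or 'none advertised'}")
    # The advertised Version is what the service reports, not proof of patch level:
    # in the article's sample it is still 8.00.194 (RTM) while the true build is 8.0.766.
    if instance.get("Version", "").startswith("8.00.194"):
        lines.append("note          : advertises RTM build 8.00.194; confirm the real build with SELECT @@VERSION")
    return lines


def probe(host: str, timeout: float = 2.0, broadcast: bool = False) -> list[dict]:
    """Send the request and collect every reply that arrives before the timeout.

    A broadcast (e.g. 192.168.2.255, as in the article) makes every listener on
    the subnet answer; each parsed instance is tagged with the responding address.
    """
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(4096)
                for inst in parse_ssrp_response(data):
                    inst["Responder"] = src
                    found.append(inst)
        except socket.timeout:
            pass
    return found


def build_ssrp_response(body: str) -> bytes:
    """Frame a body as SVR_RESP; used only to construct the offline sample below."""
    data = body.encode("ascii")
    return bytes([SVR_RESP]) + len(data).to_bytes(2, "little") + data


# Constructed sample: the SNOOPYSQL1 default instance from the article plus a
# made-up named instance DEV on an assumed port, to show the multi-instance case.
SAMPLE_RESPONSE = build_ssrp_response(
    "ServerName;SNOOPYSQL1;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
    "tcp;1433;np;\\\\SNOOPYSQL1\\pipe\\sql\\query;rpc;SNOOPYSQL1;;"
    "ServerName;SNOOPYSQL1;InstanceName;DEV;IsClustered;No;Version;8.00.194;"
    "tcp;1522;np;\\\\SNOOPYSQL1\\pipe\\MSSQL$DEV\\sql\\query;;"
)

if __name__ == "__main__":
    # Usage: python ssrp_probe.py <host-or-broadcast-address>; with no argument
    # the constructed sample is parsed instead, so the script runs offline.
    if len(sys.argv) > 1:
        hits = probe(sys.argv[1], broadcast=sys.argv[1].endswith(".255"))
    else:
        hits = parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in hits:
        print("\n".join(describe(inst)), end="\n\n")
```

Run it against your own subnet only. A reply to this single UDP datagram from outside the perimeter means the resolution service is reachable from the Internet, which is both the reconnaissance channel described here and the port SQL Slammer spread through.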
Port Scanning
The first step in SQL Server discovery is to scan the ports used by SQL Server. Many port-scanning tools are available for this purpose. If the firewall is configured correctly, this will yield little fruit, but in many cases administrators leave SQL Server ports open so that developers or remote users can reach that Customer Relationship Management (CRM) system. If you must access it remotely, consider using a VPN or IPSec!

A SQL port scan starts with TCP port 1433 and UDP port 1434; they are the default listening ports of a SQL Server 2000 installation (named instances listen on other, dynamically assigned TCP ports, which is what the UDP 1434 instance mapper exists to resolve). If you notice port sweeps for 1433 and 1434 in your border router or firewall logs, you had better be prepared for hackers trying to penetrate your site.
How hackers see your SQL Servers
Until SQL Slammer, Microsoft had taken a severe beating over IIS security vulnerabilities, yet SQL Server had somehow evaded attention and stayed off the radar screen. Perhaps this was due to a lack of automated tools, and because a cursory knowledge of SQL is needed to attack a SQL Server successfully. Whatever the reasons, with the arrival of SQL Slammer and other worms the scenery is now changing. More and more automated tools are available to fully exploit SQL Server vulnerabilities, and a little knowledge of SQL can go a long way toward breaking into corporate databases. This article will explore some of the software used to find holes in your SQL Server setup. The intent is not to teach you how to hack a SQL Server but rather to use the tools to harden your SQL Server.

Most experienced hackers do some extensive information gathering about a particular site before making any direct moves. This is called footprinting. They need to employ the right technology without alerting the intrusion detection systems. One common source of information is Internet newsgroups: in discussing problems and resolutions, security information may be inadvertently disclosed, such as an ADO connection string or a SQL Server security setting! Company administrative web pages, coupled with search engines, give hackers plenty of information to work with.
Electricity Grid in U.S. Penetrated By Spies
April 8, 2009
WASHINGTON (CNN) -- Computer hackers have embedded software in the United States' electricity grid and other infrastructure that could potentially disrupt service or damage equipment, two former federal officials told CNN.
The ex-officials say code also has been found in computer systems of oil and gas distributors.
The code in the power grid was discovered in 2006 or 2007, according to one of the officials, who called it "the 21st century version of Cold War spying."
The U.S. power grid isn't the only system at risk. The former officials said malicious code has been found in the computer systems of oil and gas distributors, telecommunications companies and financial services industries.
Security experts say such computer hacking could be the work of a foreign government -- possibly Russia or China -- seeking to compromise U.S. security in the event of a future military conflict.
HACKER'S TRUTH
"...let me tell you what this all means. You're going to get busted, lose everything you own, not get out on bail, snitch on your enemies, get even more time than you expected and have to put up with a bunch of idiots in prison. Sounds fun? Keep hacking."
Self Defense against Computer Crime!
1) Download either Kaspersky Internet Security, which offers a free 30-day trial, or F-Secure's Complete Internet Security suite, which offers a free thirty-day trial.
2) Disconnect from the Internet.
3) Uninstall your current antivirus. This is absolutely essential because otherwise it and F-Secure or Kaspersky will fight each other and might crash your computer. It isn't good enough to just turn off your old antivirus because it probably has been crippled by your virus infection.
4) Install your Internet Security product. Download any updates available.
5) Run a complete scan of your computer. Follow any instructions it might give you.
6) Reboot.
If this works, you can either keep your new Internet Security product or uninstall it and reinstall your old antivirus from either a download of the latest version from their website (if that's how they sell it) or from the disk it was on when you bought it. Be sure to get all the latest updates right away. Usually antivirus companies are pretty good about updating their programs whenever some new attack becomes able to evade or cripple their product.
If you weren't running an antivirus program that includes antispyware protection and a firewall, then I recommend that you not reinstall your old program. Nowadays we need total protection, and this includes antispyware and a firewall.
7) To prevent future infections, don't use Internet Explorer, as it is susceptible to introducing viruses, adware and spyware into your computer. Instead you could use Firefox, free from Mozilla.org. Instead of using Outlook for email, you could use Thunderbird, free from Mozilla.org, or Eudora, free from Eudora.com.