MS SQL Server Security Overview

Black Hat via YouTube

Overview

This course provides an overview of MS SQL Server security focusing on topics such as Windows Authentication Mode, SQL Server Security Modes, privilege escalation, account acquisition, SQL Server discovery, and SQL code injection best practices. The learning outcomes include understanding potential security pitfalls, learning about privilege escalation techniques, and implementing sensible configuration management for securing SQL Server. The course teaches skills such as identifying security vulnerabilities, implementing security best practices, and conducting network scans. The teaching method involves a lecture-style presentation by the instructor. The intended audience for this course includes IT professionals, database administrators, cybersecurity enthusiasts, and individuals interested in enhancing their knowledge of MS SQL Server security.

Syllabus

Intro
BLACK HAT WINDOWS 2000 SECURITY
Biztalk Server 2000 Commerce Server 2000 Application Center Server 2000 Third-Party Apps (MSDE)
Windows Authentication Mode Requires user to be authenticated by Windows NT/2000 This is the new default for SQL Server 2000
SQL Server Security Modes (cont.) Mixed Mode Both SQL Server and Windows Authentication -Lacks strong authentication controls such as password complexity, expiration, lockout, or history when using SQL Server logins Provided for backwards compatibility and Windows 98/Me installations Personal
Good Idea - What's the problem? Microsoft recommends Windows Authentication Mode - Sounds like a no-brainer The Problems
C2 Style Auditing exec sp_configure 'C2 Audit Mode', 1
Microsoft has made some great strides to improve the security of SQL Server Some ideas for future releases
Fingerprinting/Discovery Acquiring Access Privilege Escalation Potential Pitfalls Custom DLL - Application Requirements - Source Disclosure
SQL Server Discovery Multiple instancing capabilities of SQL Server 2000 make enumeration a functional requirement A specially formed UDP packet directed at port 1434 will cause the SQL 2K listener service to divulge information about every instance of SQL
Since the listener may exist on multiple machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet - osql -L (will return a raw listing) Capture returned packets
Account Acquisition (cont.) Sniffing (mixed or NT security mode) - L0phtcrack (to obtain NT account) TCP 1433 traffic (non SSL) Connection strings (mixed mode) - Client registry (regedit) - Embedded in ASP source or client-side script (RDS) Config files (global.asa, connect.inc, etc.)
Privilege Escalation xp_cmdshell -- Extended stored procedure that allows access to the operating system
Create a backdoor account Trojan sp_password to capture passwords to use on operating system Use tftp to pull a trojan extended stored procedure Use this SQL Server to launch attacks against other hosts
Sensible configuration management will help secure SQL Server itself Take the time to scan your networks and determine what people on the inside and the
SQL Code Injection Best Practices .NET Beta Functionality The Future "What can I do TODAY?"
Ability of an attacker to inject unintended SQL statements into application - Consequences
Scope of SQL Injection SQL injection attacks rarely alert IDS systems, especially over SSL Difficult to track down all the areas of exploitation since the only real solution is manual code review No amount of OS security, firewalls, patch diligence will stop SQL injection. The solution is good coding practices

Taught by

Black Hat
