During a recent penetration test, I was hacking away at some packet captures and noticed unencrypted Microsoft SQL Server (MSSQL) traffic. At first, I thought this might be a way to capture some authentication credentials. However, MSSQL encrypts login traffic, which meant I would have to crack the encryption to get credentials. If the installation uses a self-signed certificate, that is fairly easy to crack. Unfortunately, for this particular client engagement, cracking SQL Server encryption was beyond the scope of the project. So, I had to set my curiosity aside for the time being and complete the penetration test for the client. However, I could not help thinking I was on to something. Was there a way to attack an SQL Server box without any credentials?

Back in my lab, I began to research this more. I decided to take my hypothesis to the lab and try some experiments. What I found was that with a little packet hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials, using a Man in the Middle style attack.

This type of attack is known as a man-in-the-middle (MITM) attack. Anitian does these a lot, as we have a lot of expertise on hacking infrastructure devices. The typical setup is to perform some kind of redirect, like an ARP cache poison (which is still possible in some environments), which forces traffic between two systems to be redirected through the attacker's computer. This allows the attacker to not only see all of the data between the victims but potentially also to manipulate that traffic.

For my investigation, I was running MSSQL Server 2014 Express on Windows Server 2012 R2. The client machine was a Windows 10 system running MSSQL Management Studio 2014. My attack machine was a relatively new installation of Kali 2.0 Linux. All of these systems are on the same subnet, simulating an attacker on the internal network. This was nearly identical to the setup I had at the client site.

The first thing I needed to do was to look at the MSSQL query traffic. In order to make this test more interesting, I used the "SA" account to log in. The SA account is the system admin account in SQL Server and can do anything. If my experiments were successful, I could do a lot of fun things with the SA account's privileges. Once logged in, I launched Wireshark 2.0 on the SQL Server box. It started capturing traffic on the primary interface. I configured Wireshark to use a display filter "tds.query".
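Added example, not code from the original post: a small Python parser for the option list in a TDS PRELOGIN packet that reports which ENCRYPTION level a client offered or a server answered with, the setting that decides whether the login alone or the whole session is protected and therefore whether the query traffic seen with "tds.query" is readable on the wire. The sample packet below is constructed; the packet layout and option values follow the MS-TDS specification.

```python
"""Audit the ENCRYPTION option carried in a TDS PRELOGIN packet."""
import struct

TDS_PRELOGIN = 0x12     # packet type of the client's PRELOGIN request
TDS_RESPONSE = 0x04     # the server's PRELOGIN reply uses the tabular-result type
OPT_ENCRYPTION = 0x01   # option token for ENCRYPTION
OPT_TERMINATOR = 0xFF   # end of the option list

# MS-TDS ENCRYPTION values and what each means for someone sniffing the link.
ENCRYPTION_LEVELS = {
    0x00: ("ENCRYPT_OFF", "only the LOGIN7 packet is encrypted; queries/results in clear"),
    0x01: ("ENCRYPT_ON", "whole session encrypted with TLS"),
    0x02: ("ENCRYPT_NOT_SUP", "nothing encrypted, not even the login"),
    0x03: ("ENCRYPT_REQ", "encryption required for the whole session"),
}

def prelogin_encryption(packet: bytes):
    """Return (name, description) of the ENCRYPTION option in a PRELOGIN packet."""
    if len(packet) < 8:
        raise ValueError("short TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (TDS_PRELOGIN, TDS_RESPONSE):
        raise ValueError(f"not a PRELOGIN packet: type {ptype:#x}")
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    payload = packet[8:]
    pos = 0
    # Option list: 1-byte token, 2-byte offset (from payload start), 2-byte length.
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option token")
        token, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION:
            if ln != 1 or off + 1 > len(payload):
                raise ValueError("malformed ENCRYPTION option")
            value = payload[off]
            return ENCRYPTION_LEVELS.get(value, (f"UNKNOWN({value:#x})", "unrecognised"))
        pos += 5
    raise ValueError("no ENCRYPTION option present")

def session_exposes_queries(packet: bytes) -> bool:
    """True when this side's option leaves query traffic readable to a network observer.
    The effective level is the one in the server's reply, so check both directions."""
    name, _ = prelogin_encryption(packet)
    return name in ("ENCRYPT_OFF", "ENCRYPT_NOT_SUP")

# Constructed sample: header (type 0x12, len 26), VERSION and ENCRYPTION tokens,
# terminator, version data 12.0.2000, then ENCRYPTION = 0x00 (ENCRYPT_OFF).
SAMPLE_PRELOGIN = bytes.fromhex(
    "1201001a00000100" "00000b0006" "0100110001" "ff" "0c0007d00000" "00"
)
```

Flipping the last byte of the sample to 0x01 models a server that answered ENCRYPT_ON, which is what the "Force Encryption" setting on the server produces.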