Disclaimer:
The code in the article may cause harm to your system by exposing passwords and is meant to show you how to protect your system. Only run this code against a test server. This code is free for anyone to use. No one may sell it, lease it, rent it, or otherwise charge or collect fees for it. Also by using this code you release me and the people you downloaded this example code from, from any and all legal recourse for anything this code may do to your database or computer systems.
Definition
:brute force: /adj./ Describes a primitive programming style,
one in which the programmer relies on the computer’s processing
power instead of using his or her own intelligence to simplify the
problem, often ignoring problems of scale and applying naive
methods suited to small problems directly to large ones. The term
can also be used in reference to programming style: brute-force
programs are written in a heavyhanded, tedious way, full of
repetition and devoid of any elegance or useful abstraction (see
also {brute force and ignorance}).
— The Hacker’s Dictionary v3.3.2
http://w4.lns.cornell.edu/~seb/brute-force.html
Personal Reasoning
Although I have never heard or seen a brute force attack against a SQL Server it doesn’t mean it hasn’t been done. Below are some of the reasoning behind writing these scripts to monitor against such and attack and also to show how easy it really is to do. You can avoid these attacks completely if you’re running Windows NT authentication. If you’re running SQL Server authentication, you may be at risk however.
- SQL Server has no auto lockout feature that I know of or have heard of for the SQL Server logins.
- Logging of an attack/Failed logins is only done to the SQL error log (if the feature is turned on, by default it is not). Thus many DBA’s don’t ever bother to look in the error log or turn on the logging feature unless there is a problem with a database or network connection.
- Even if you are using SQL Server Trusted connections there is still the sa account to worry about.
- Most attacks come from disgruntled employees, or curious employees from within a company. Rarely, although highly publicized, do attacks come from “hackers”. In the scenario of disgruntled employees no firewall is going to protect you, your SQL Server box is a sitting duck on your own internal network.
- You could launch this from any machine to attack any SQL Server (within reason) since I am using the old tried and true osql or isql command prompt.
- If I thought of this, then you had have bet somebody already has this or some form of it in their hands.
Brute Force Monitoring
Notes:
This script cycles the SQL Server errorlog once a week. You would want to do this anyways in order to get a “clean” count of failed login attempts. It also will go through the error log and get a count of the failed login attempts made on that server. Also if you want any kind of an alert sent via email or xp_logevent you will have to add it to PWMonitor.sql
Install:
- Turn on “Audit on Failure” setting in the SQL Server properties
- Review the files below and change the set parameters where needed to modify file paths, server name, etc
- PWMonitor.bat
- PWMonitor.sql
- PWMonitor.bat
- Setup a job to run PWMonitor.bat batch file ( whenever you want )
- Scan output for error checking etc, or you can automate it.
Brute Force Attack (example)
Notes:
This script does a basic dictionary attack on a sql server. This script assumes you have access to the master..syslogins table ( this can be modified, use your imagination ). It will run an attack against the server and then output any results to pwfound.txt if it was successful in the run.
Install:
- Review the files below and change the set parameters where needed to modify file paths, server name, etc
- PWDDL.sql
- PWAttack.sql
- PWAttack.bat
- PWDDL.sql
- Run “PWDDL.sql”
- This will just create a table to hold your dictionary
- Use bcp, Bulk Insert or DTS to import your dictionary.
- If you go to one of the hacker sites to get a dictionary you might need to open the file in excel and then save it as a tab delimited text file before importing (windows doesn’t like the formatting)
- Make sure the security setting on the SQL Server box you are testing against does not have the Audit on Failure setting check marked.
- Right click server
- Goto security tab
- Make sure the Audit level is set to None
- Right click server
- Run “pwattack.bat”
- This will run the PWAttack.sql and output the results to a text file. Once the attack is complete we will run find string against the first out file and see if we found anything.
Dictionaries, Notes & Timings
Test box was a Windows 2000 with SQL Server 7.0 SP1 running 256 mg memory on a PENTIUM III 500
- 20 records
- This is a simple test file, you should probably create your own
- This ran in under a minute testing against 3 logins
- This is a simple test file, you should probably create your own
- 44900 records
- This I got off of a hacker site. In which there are other dictionaries which you can download.
- ftp://ftp.cso.uiuc.edu/pub/security/wordlists/dictionaries/
- This ran in about 3 hours against 3 logins
- This I got off of a hacker site. In which there are other dictionaries which you can download.
The best thing to do is take a combination of the dictionary (commonly used words) and things you can think of that would be common to you or your company to put in a dictionary attack. Then run a test against a Test box that is setup like your production box and just see what happens, also by implementing the PWMonitor set of scripts you can monitor the amount of failed login attempts to your box to at least give you a heads up on what someone is doing.
All in all I do not think this is a real threat unlike other kiddie scripts people write since security is usually pretty tight on the SQL Server end, but then again you never know.
Microsoft’s response to scripts like this and holes in security that have arisen is to recommend using NT Authentication mode. The holes shown in this article don’t exist if your users are using this or are using proper complex passwords. NT Authentication has proven to be tight and hard to spoof. Always make sure anyone who has high security doesn’t use a simple password that may be found in the dictionary.