A complete crack can take a long time, depending on the size of your dictionary file, the character set you select for the brute-force phase, and the password length range you select. The tool reports any password it discovers immediately, so you can act on it without waiting for the session to finish; Figure 3 shows the session after only a few minutes, already with a successful dictionary crack. After NGSSQLCrack had run for hours on my system, I was relieved that it still hadn't cracked the strong passwords for sa and carol.
NGSSoftware claims that NGSSQLCrack isn't a hacker's tool, since you need administrative (sysadmin-level) access to the server to read the password hashes from the master database in the first place. But such access is all too easy to gain through a poorly written application, for example by SQL injection against a Web application whose connection runs as sa or another sysadmin login. Once an attacker has cracked some of your passwords, all kinds of attacks become possible, and not only against the server the hashes came from, because people reuse passwords. At that point, you might as well just post your data on your Web site for all the world to see.
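To make the threat concrete, here is how a cracker such as NGSSQLCrack works against the hashes a sysadmin can read. This is an added example, not code from the article or from NGSSoftware. The hash layouts are SQL Server's documented ones (the SHA-1 form used by SQL Server 2005 through 2008 R2, plus the SHA-512 form SQL Server 2012 and later use, which goes beyond the version the article discusses); the login names, salts, passwords and wordlist are constructed for the demo, and the `make_hash` helper exists only to produce that sample data.

```python
"""Offline dictionary / short brute-force attack on SQL Server login hashes.

Added example; not code from the article or from NGSSoftware.  SQL-authenticated
login passwords are stored as salted hashes that only a sysadmin can read
(sys.sql_logins.password_hash on SQL Server 2005 and later), which is what the
"not a hacker's tool" argument rests on.

Stored layouts (raw bytes; SSMS shows them as 0x... hex literals):
  0x0100 | 4-byte salt | SHA-1(UTF-16LE(password) + salt)    SQL Server 2005-2008 R2 (26 bytes)
  0x0200 | 4-byte salt | SHA-512(UTF-16LE(password) + salt)  SQL Server 2012 and later (70 bytes)
SQL Server 2000 appended a second SHA-1 of the upper-cased password to the
0x0100 form, which let crackers test case-insensitively; that form is not handled here.
"""
import hashlib
import itertools
import string

LAYOUTS = {
    # version prefix -> (digest name, total hash length in bytes)
    b"\x01\x00": ("sha1", 26),
    b"\x02\x00": ("sha512", 70),
}


def make_hash(password, salt, version=1):
    """Build a hash in the SQL Server layout.  Used here only to create sample data."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    prefix = bytes([version, 0])
    if prefix not in LAYOUTS:
        raise ValueError("unsupported hash version")
    algo, _ = LAYOUTS[prefix]
    return prefix + salt + hashlib.new(algo, password.encode("utf-16-le") + salt).digest()


def parse_hash(h):
    """Split a stored hash into (digest name, salt, digest); reject anything else."""
    if isinstance(h, str):  # accept the 0x... literal that SSMS displays
        h = bytes.fromhex(h[2:] if h.lower().startswith("0x") else h)
    layout = LAYOUTS.get(h[:2])
    if layout is None or len(h) != layout[1]:
        raise ValueError("not a recognised SQL Server password hash")
    return layout[0], h[2:6], h[6:]


def check(password, h):
    """True if password produces the stored hash (the comparison PWDCOMPARE() makes server-side)."""
    algo, salt, digest = parse_hash(h)
    return hashlib.new(algo, password.encode("utf-16-le") + salt).digest() == digest


def candidates(login, wordlist, charset, max_len):
    """Cheap guesses first: blank, the login name, dictionary words with common
    mangling, then every string over charset up to max_len characters."""
    yield ""
    for v in dict.fromkeys((login, login.lower(), login.upper(), login.capitalize())):
        yield v
    for w in wordlist:
        for v in (w, w.capitalize(), w.upper()):
            yield v
            yield v + "1"
            yield v + "!"
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def crack(login, h, wordlist, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Return the recovered password, or None if no candidate matched."""
    algo, salt, digest = parse_hash(h)
    for pw in candidates(login, wordlist, charset, max_len):
        if hashlib.new(algo, pw.encode("utf-16-le") + salt).digest() == digest:
            return pw
    return None


def audit(logins, wordlist, **kw):
    """logins: {name: stored hash}.  Returns {name: cracked password or None}."""
    return {name: crack(name, h, wordlist, **kw) for name, h in logins.items()}


# Constructed sample data, not real hashes; fixed salts keep the demo reproducible.
WORDLIST = ["password", "summer", "welcome", "sqlserver", "admin", "letmein"]
SAMPLE_LOGINS = {
    "sa":      make_hash("k9#Vt!2zQp7@wLm4", b"\x10\x20\x30\x40"),              # strong: should survive
    "carol":   make_hash("Rt5$xu8%Bn2&Hq0z", b"\x50\x60\x70\x80", version=2),   # strong, SHA-512 layout
    "webapp":  make_hash("webapp", b"\x01\x02\x03\x04"),                         # password == login name
    "reports": make_hash("Summer1", b"\x05\x06\x07\x08", version=2),             # dictionary word + digit
    "legacy":  make_hash("ab1", b"\x0a\x0b\x0c\x0d"),                            # short: brute force reaches it
}


def audit_sample():
    return audit(SAMPLE_LOGINS, WORDLIST)


if __name__ == "__main__":
    for name, pw in audit_sample().items():
        print(f"{name:8s} " + ("NOT CRACKED" if pw is None else f"cracked: {pw!r}"))
```

The order of the candidate generator is the whole point: blank and login-name passwords fall in microseconds, dictionary words with a trailing digit in milliseconds, and only genuinely random passwords force the attacker into the exponential brute-force phase. Run against your own hashes, this is exactly the check a vendor tool performs; the brute-force length and character set are the knobs the article describes.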
If you want to get into industrial-strength password cracking, the tool of choice is the free Cain & Abel, a Windows tool. It gives you far more options than NGSSQLCrack for gathering, sniffing, and cracking all kinds of passwords (Windows and other OS credentials as well as SQL Server logins) and much more robust cracking options. Cain & Abel is a true hacker's tool, and you'll probably need to spend some time learning to use it effectively. It's almost scary how well Cain & Abel cracks passwords, so much so that you'll never again create a simple or short password for any purpose.
The choice between NGSSQLCrack and Cain & Abel is a matter of cost and ease of use. NGSSQLCrack makes the whole cracking process easy but is expensive. Cain & Abel is free and has more power and flexibility but is more complex and harder to learn. Overall, the results seem to be similar.
Industrial-Strength Vulnerability Analysis
Many SQL Server hacking tools are niche products, focusing on one aspect of security such as password strength or port visibility. But there are hundreds of potential vulnerabilities in a product as complex as SQL Server, and it would take the most diligent administrator years to find all the problems by hand. That's where a comprehensive, industrial-strength vulnerability scanner is a lifesaver.
Many such vulnerability scanners are available, most of which are general network scanners that happen to include checks for SQL Server instances. They include commercial, open-source, and freeware products. The SQL Server–specific checks in these products are often fairly thin, but they do provide a full set of tools for monitoring everything the server exposes to the network, and they often provide the infrastructure you need to develop custom checks and attacks.
The heavyweight entry in this group is the Metasploit Project. As its Web site describes it, Metasploit is an “open source platform for developing, testing, and using exploit code.” A key part of the project is the Metasploit Framework, a development platform that supports creating both security tools and exploits. The framework is largely the reason for Metasploit's wide use by attackers and defenders alike, since it's relatively easy to adapt existing modules for specific purposes, and exploits for many of SQL Server's published vulnerabilities have been packaged as Metasploit modules over the years. Metasploit isn't for the faint of heart; you have to be focused and dedicated to learn to use it effectively, but it's incredibly powerful. Much of that power is in attackers' hands as well, and you should assume that it is being pointed at your servers right now.
SQL Server–specific vulnerability scanners are less common than general network scanners, but NGSSoftware offers one: NGSSQuirreL for SQL Server. This is a powerful SQL Server security analyzer that performs more than 700 tests to find most of the known vulnerabilities in various SQL Server versions. The product is a bit picky about getting the connection and login credentials just right before starting a scan; it took me about a half dozen tries to configure everything correctly to make a successful connection for a scan. Other applications, including a local copy of SSMS, had no trouble connecting to the server I wanted to scan, so I'm not sure what the problem was.
Once you've set up NGSSQuirreL correctly on your system, start the scan and go get some coffee. By the time you return to your desk, the scan should have finished; that's surprisingly quick, and it's what you can expect from an NGSSQuirreL scan even against a remote server over a broadband connection near the low end of the speed range. After the scan finishes, NGSSQuirreL displays an easily navigated treeview containing a lot of information about the SQL Server instance as well as the problems the tool found. When I ran an NGSSQuirreL scan on a remote server, I was distressed to see how many vulnerabilities it found—on a production server! Each item in the results has plenty of information about the problem and what to do about it, along with lists of the affected database or server objects as needed. Not every finding means you have a serious security vulnerability, but taken together the findings give a good picture of how exposed the server is.
The No-Brainer Security Tool
Finally we come to the very best SQL Server security tool of all, one that's essential to run regularly to keep database servers secure. The tool, Microsoft Update, isn't exactly a hacker tool. A fully patched machine is one of your best defenses against attacks on known vulnerabilities. It's gotten so bad that Microsoft's second Tuesday of the month, Patch Tuesday, is often followed by Black Wednesday, as attackers develop new attacks overnight once Microsoft publishes the details of newly patched vulnerabilities and the patches themselves can be reverse-engineered. Of course, you need to test all SQL Server updates before deploying them to production servers. And don't rely on Windows Update, which covers only Windows itself; Microsoft Update also delivers updates for SQL Server and other Microsoft products. Third-party tools that perform similar functions to Microsoft Update are available as well.
One Step Ahead of Hackers
In this age of increasingly clever attacks on our database
servers, administrators have to be diligent about
monitoring and testing the security of their SQL Server
machines. You can strengthen your database defenses
by using the tools I’ve described or similar ones to find
out what hackers already know about your databases
and servers.