Using pw-inspector in Brute Force attack on SQL Server

  • Hi Anil,

    You stated:

    Since we have several passwords that do not meet the minimum security standard of SQL Server, we will now use pw-inspector to generate a new word list to perform the attack, meeting the criteria of minimum password length of 6 characters and containing numbers:

    cat attack_hydra.txt | pw-inspector -m 6 -n > passwords.txt

    The new word list is created, and we already have the IP of the SQL Server server.

    Based on your original word list, what does the new one look like? Does it filter out all of the passwords that don't meet the complexity requirements, or does it actually re-write them to meet the requirements? If you have an example, that'd be great.

    Thanks,

    Mike

    Mike Scalise, PMP
    https://www.michaelscalise.com

  • A default install of SQL Server will have "Failed Logins" logging enabled.

    Right-click the server name, and then click Properties. Under the Security page....

    Only pointing this out because if you were to run a HUGE password file and user name file for testing purposes, you will kill your current Error Log in SQL Server.

    Have fun, but be careful.
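The error-log side of this is worth a concrete check. The T-SQL below is an added example, not code from the thread or from the article it discusses: it first confirms that failed-login auditing is actually on (read from the instance's AuditLevel registry value via xp_instance_regread), then aggregates the "Login failed for user" entries in the current error log by the client address at the end of each message, which is what a brute-force run looks like from the DBA's seat. It assumes the default error-log message format and the default audit setting; the threshold of 20 is an arbitrary example value.

```sql
-- Added example (not from the thread): detect password-guessing bursts in the
-- SQL Server error log. Run in master with sysadmin or securityadmin rights.

-- 1. Is failed-login auditing on? The value lives in the instance registry hive:
--    0 = none, 1 = successful logins only, 2 = failed logins only, 3 = both.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @AuditLevel OUTPUT;

IF @AuditLevel IS NULL OR @AuditLevel IN (0, 1)
    RAISERROR('Failed-login auditing is off; the error log will not record guessing attempts.', 16, 1);

-- 2. Pull the failed-login lines from the current error log (log 0, type 1 = SQL Server log).
DECLARE @log TABLE (LogDate datetime, ProcessInfo nvarchar(50), LogText nvarchar(max));
INSERT INTO @log (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

-- 3. Each message ends with "[CLIENT: a.b.c.d]"; extract the address and count per source.
WITH failed AS (
    SELECT LogDate, LogText, CHARINDEX('[CLIENT:', LogText) AS p
    FROM @log
    WHERE LogText LIKE '%[[]CLIENT:%'
),
parsed AS (
    SELECT LogDate,
           LTRIM(SUBSTRING(LogText, p + 8, CHARINDEX(']', LogText, p) - p - 8)) AS ClientAddress
    FROM failed
)
SELECT ClientAddress,
       COUNT(*)     AS FailedLogins,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY ClientAddress
HAVING COUNT(*) >= 20          -- example threshold; tune to your environment
ORDER BY FailedLogins DESC;
```

A few hundred failures from one address inside a minute or two is the signature a word-list run leaves behind; the same query with a lower threshold also shows you how much of the current log a test run has already consumed, which is the point the post is making.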

  • I always thought the weakest link was the person on the other side of the door, who can just open the door and let you in. A disgruntled or careless admin can open that door pretty easily, with or without a strong password strategy.

  • For this to work against SQL Server, it assumes that:

    - The user's account is not domain authenticated
    https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

    - The sysadmin doesn't have 'enforce password policy' enabled on the account
    https://support.microsoft.com/en-us/help/2028712/understanding-password-policy-for-sql-server-logins

    - The user's password is relatively simple
    https://it.ucsf.edu/policies/bad-passwords

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
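The first two preconditions in the post above can be audited directly from the catalog. This T-SQL is an added example, not from the thread or the article: it reports whether the instance accepts SQL logins at all (Windows-only mode removes the attack surface entirely) and lists the enabled SQL logins whose 'enforce password policy' flag is off, generating the ALTER LOGIN statement that turns it on for each. It uses only the standard SERVERPROPERTY function and the sys.sql_logins catalog view.

```sql
-- Added example (not from the thread): audit the two server-side preconditions
-- for a password-guessing attack on SQL logins.

-- 1. Authentication mode. 1 = Windows authentication only, so there are no
--    SQL-login passwords to guess; 0 = mixed mode.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Windows authentication only: no SQL login passwords exposed'
           ELSE        'Mixed mode: SQL logins are reachable with a password'
       END AS AuthenticationMode;

-- 2. Enabled SQL logins that bypass the Windows password policy, with the fix.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       CASE WHEN l.principal_id = 1 THEN 'yes' ELSE 'no' END AS IsSaAccount,
       N'ALTER LOGIN ' + QUOTENAME(l.name) + N' WITH CHECK_POLICY = ON;' AS Remediation
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.is_policy_checked = 0
ORDER BY IsSaAccount DESC, l.name;
```

Turning CHECK_POLICY on only governs future password changes; the server cannot re-validate a password it holds only as a hash, so a login that already has a weak password still needs a new one (for example with ALTER LOGIN ... WITH PASSWORD = '...' MUST_CHANGE) before the third precondition in the post is actually closed.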

  • For this to work it presumes that the SQL Server has not been locked down with standard practices and that it's a Linux box or Windows with WSL installed.

    If your job is DBA or sysadmin, I'd say you're about to get fired if this attack worked.
