Hacking the sa password
| Hi,
I was shown recently at a training session an article that showed how
you could break the sa password by using network monitoring tools and some
other steps. I am currently trying to find this myself so I can show the
developers at my company one of the reasons I am opposed to the sa account
being used and SQL logins in general.
Does anyone out there know where this article would be or what the exact
process is so I can replicate it quickly.
Cheers,
John
| |
| Arnie Rowland 2006-10-25, 6:01 am |
| When one uses a relatively anonymous moniker, John,
<John@discussions.microsoft.com>", how would we know that you aren't just
trying to hack into someone's database and you are trying to get us to help
you?
;-)
--
Arnie Rowland, Ph.D.
Westwood Consulting, Inc
Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous
"John" <John@discussions.microsoft.com> wrote in message
news:9DB6A662-08C1-41FB-81A8-18BC7D4FCBF1@microsoft.com...
> Hi,
> I was shown recently at a training session an article that showed how
> you could break the sa password by using network monitoring tools and some
> other steps. I am currently trying to find this myself so I can show the
> developers at my company one of the reasons I am opposed to the sa account
> being used and SQL logins in general.
>
> Does anyone out there know where this article would be or what the exact
> process is so I can replicate it quickly.
>
> Cheers,
>
> John
| |
|
| Well Arnie, how do we know who anyone really is over the internet? Besides
John is my name but I don't want the entire world to have all my details
especially anyone trawling through forums for personal details to SPAM or
send marketing material through too. I can also not be bothered setting up a
hotmail bogus account as this way I still get emails when my posts are
replied to sent to my work email.
On a more interesting note, do you happen to know the location of the
article I am interested in? From memory it uses SQLPing2 which I already
have downloaded.
"Arnie Rowland" wrote:
> When one uses a relatively anonymous moniker, John,
> <John@discussions.microsoft.com>", how would we know that you aren't just
> trying to hack into someone's database and you are trying to get us to help
> you?
>
> ;-)
>
> --
> Arnie Rowland, Ph.D.
> Westwood Consulting, Inc
>
> Most good judgment comes from experience.
> Most experience comes from bad judgment.
> - Anonymous
>
>
> "John" <John@discussions.microsoft.com> wrote in message
> news:9DB6A662-08C1-41FB-81A8-18BC7D4FCBF1@microsoft.com...
| |
| Sue Hoegemeier 2006-10-25, 6:01 am |
| It sounds like this may be the article you are referring to:
http://searchsqlserver.techtarget.c...x301336,00.html
-Sue
On Mon, 25 Sep 2006 19:36:02 -0700, John
<John@discussions.microsoft.com> wrote:
>Hi,
> I was shown recently at a training session an article that showed how
>you could break the sa password by using network monitoring tools and some
>other steps. I am currently trying to find this myself so I can show the
>developers at my company one of the reasons I am opposed to the sa account
>being used and SQL logins in general.
>
>Does anyone out there know where this article would be or what the exact
>process is so I can replicate it quickly.
>
>Cheers,
>
>John
| |
| Jasper Smith 2006-10-25, 6:01 am |
| I have an example of a TSQL function that will do the job as part of the
following presentation
http://www.sqldbatips.com/presentat...HACKING_SQL.zip
Note that SQL2005 doesn't use the same method, it uses a self signed
certificate to properly encrypt the login handshake as opposed to SQL2000
which basically just uses obfuscation.
--
HTH,
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
"John" <John@discussions.microsoft.com> wrote in message
news:9DB6A662-08C1-41FB-81A8-18BC7D4FCBF1@microsoft.com...
> Hi,
> I was shown recently at a training session an article that showed how
> you could break the sa password by using network monitoring tools and some
> other steps. I am currently trying to find this myself so I can show the
> developers at my company one of the reasons I am opposed to the sa account
> being used and SQL logins in general.
>
> Does anyone out there know where this article would be or what the exact
> process is so I can replicate it quickly.
>
> Cheers,
>
> John