During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
- Understand real-world impact of SQL injection and SQL Server issues.
- How to exploit lesser known SQL Server issues
- How to prevent the exploitation of common SQL Server configurations
- Introduction to new tools that can be used during penetration tests and audits of SQL Servers that target weak configurations and sensitive data.
About Scott Sutherland
Scott Sutherland is a security consultant responsible for the development and execution of penetration test services at NetSPI. His role includes researching and developing tools, techniques and methodologies used during network and application penetration tests. As an active participant in the information security community, Sutherland performs security research in his free time and contributes technical security blog posts, presentations and tools on a regular basis through NetSPI. You can find him blogging on the NetSPI website and on Twitter.
About Antti Rantasaari
Antti is a security consultant currently responsible for the development, and execution of penetration test services at NetSPI. This role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests.