A great way to keep track of attackers and gain insight into their tactics and techniques is to use a honeypot. A honeypot is a deliberately vulnerable system, seeded with fake data, that you actually want attackers to breach. It gives you a reasonably safe sandbox in which you can watch the attacker's activity. Today I want to discuss how to set up a Microsoft SQL honeypot for the purpose of luring automated bots.
Since this system will be set up specifically with the expectation of being hacked, you don't want it on the same network as any internal system. Use an isolated virtual machine in the cloud, or keep the system segmented off on its own network, with no credentials, shares or trust relationships that lead back to anything you care about.
If you want a nice, healthy bot to visit your MSSQL honeypot, you have to show some hospitality. Start by leaving the default ports on your MSSQL Server in place (TCP 1433 for the database engine and UDP 1434 for the SQL Server Browser service) so that scanners discover it easily. Make sure these ports are open through any firewall between your server and the public Internet. That should do the trick, and you should start seeing bots buzzing and knocking in no time.
In the next step you have a choice: which login will you allow your favorite bot to take over? Here is a list of the accounts that are currently probed most often: sa, NT AUTHORITY\ANONYMOUS LOGON, hbv7, vice, kisadmin, bwsa, ps, uep, 401hk, sysdba, su, sql, internet, mssqla, dbhelp
By choosing an insecure password for the account you selected (e.g. Password123 or abc123), you make sure that bots will find their way into your honeypot. If the server enforces the Windows password policy, create or alter the login with CHECK_POLICY = OFF, otherwise the weak password will be rejected.
Now that your new bot is inside, we need to make sure that all the bots play nicely with each other. Once a bot gets onto the system it tries to prevent other bots from doing the same thing. To achieve that, it usually changes the password it guessed to something more complex.
To counter that behavior, you can use a little script, run every few minutes from a scheduled task, that changes the password back to an easily guessable value:
```python
import pyodbc

# connection string elided on the original page; autocommit so ALTER LOGIN is not left in an open transaction
conn = pyodbc.connect("…", autocommit=True)
cursor = conn.cursor()
cursor.execute("ALTER LOGIN [sa] WITH PASSWORD = N'<…>'")  # put the weak password back
```
Another common step taken by bots is to shut down the MSSQL audit trace by executing sp_trace_setstatus.
To address that, we can start an audit trace and then patch MSSQL in memory using windbg:
- Start windbg64
- Attach the debugger to sqlservr.exe
- Find the module 'sqllang' and change the name of the function 'sp_trace_setstatus' to something else in the memory view
Keep in mind that the SQL Server process is frozen while the debugger is attached (detach with qd when you are done), and that an in-memory patch does not survive a restart of sqlservr.exe, so it has to be reapplied after every restart.
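The two housekeeping tasks above, resetting the bait password and keeping the audit trace alive, fit naturally into one keeper script. The following is an added example written for this page, not code from the original post: it re-enables the bait login and puts the weak password back every few minutes, and it restarts (or recreates) the server-side trace if a bot has stopped or closed it. The trace watchdog is a softer alternative to the in-memory patch of sqllang described above, not a replacement for it. The login name, password, trace path, interval and the set of trace events are assumptions; the pyodbc import is deferred into run_forever() so the statement builders can be exercised without a SQL Server at hand.

```python
"""Honeypot keeper (added example, not part of the original post).

Every INTERVAL_SECONDS it undoes the two things bots do once inside:
  1. re-enable the bait login and reset its password to the weak value;
  2. restart or recreate the server-side audit trace if a bot stopped it
     with sp_trace_setstatus (status 0) or closed it (status 2).
"""
import time

BAIT_LOGIN = "sa"                  # assumption: bait account from the post's list
BAIT_PASSWORD = "Password123"      # assumption: one of the post's example weak passwords
TRACE_PATH = r"C:\honeypot\trace"  # hypothetical; sqlservr.exe must be able to write here
INTERVAL_SECONDS = 300

# Event and column ids as documented for sp_trace_setevent:
# 10 RPC:Completed, 12 SQL:BatchCompleted, 14 Audit Login, 20 Audit Login Failed,
# 107 Audit Login Change Password; columns 1 TextData, 8 HostName,
# 10 ApplicationName, 11 LoginName, 12 SPID, 14 StartTime.
TRACE_EVENTS = (10, 12, 14, 20, 107)
TRACE_COLUMNS = (1, 8, 10, 11, 12, 14)


def quote_ident(name):
    """Bracket-quote a SQL Server identifier; a ']' inside is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def quote_str(value):
    """Quote a T-SQL Unicode string literal; a ' inside is doubled."""
    return "N'" + value.replace("'", "''") + "'"


def reset_statements(login=BAIT_LOGIN, password=BAIT_PASSWORD):
    """T-SQL that reopens the door: re-enable the login (some bots disable it)
    and reset the password. CHECK_POLICY = OFF so a Windows password policy
    cannot reject the deliberately weak value."""
    ident = quote_ident(login)
    return [
        f"ALTER LOGIN {ident} ENABLE",
        f"ALTER LOGIN {ident} WITH PASSWORD = {quote_str(password)}, CHECK_POLICY = OFF",
    ]


def trace_create_batch(path=TRACE_PATH):
    """One T-SQL batch that creates a rollover trace (option 2, 50 MB files,
    5 files; .trc is appended by the server), subscribes the chosen
    events/columns, starts it and returns the new trace id."""
    lines = ["SET NOCOUNT ON;",
             "DECLARE @tid INT, @on BIT = 1;",
             f"EXEC sp_trace_create @tid OUTPUT, 2, {quote_str(path)}, 50, NULL, 5;"]
    lines += [f"EXEC sp_trace_setevent @tid, {e}, {c}, @on;"
              for e in TRACE_EVENTS for c in TRACE_COLUMNS]
    lines += ["EXEC sp_trace_setstatus @tid, 1;", "SELECT @tid;"]
    return "\n".join(lines)


def trace_action(status):
    """Decide from sys.traces.status what to do: None means the row is gone
    (a bot closed the trace with status 2), 0 means stopped, 1 means running."""
    if status is None:
        return "recreate"
    if status == 0:
        return "restart"
    return "ok"


def keep_trace(cursor, trace_id):
    """Look our trace up in sys.traces and apply trace_action().
    Returns the (possibly new) trace id."""
    cursor.execute("SELECT status FROM sys.traces WHERE id = ?", trace_id)
    row = cursor.fetchone()
    action = trace_action(None if row is None else row[0])
    if action == "recreate":
        cursor.execute(trace_create_batch())
        return cursor.fetchone()[0]
    if action == "restart":
        cursor.execute("EXEC sp_trace_setstatus ?, 1", trace_id)
    return trace_id


def run_forever(conn_str, interval=INTERVAL_SECONDS):
    """Keeper loop. Connect with a separate administrative login, never the
    bait account, so a bot cannot lock the keeper out by changing it."""
    import pyodbc  # deferred: only needed when talking to a real server
    conn = pyodbc.connect(conn_str, autocommit=True)
    cursor = conn.cursor()
    trace_id = -1  # no trace yet; first pass recreates it
    while True:
        for stmt in reset_statements():
            cursor.execute(stmt)
        trace_id = keep_trace(cursor, trace_id)
        time.sleep(interval)
```

Run it as `run_forever("DRIVER={ODBC Driver 17 for SQL Server};SERVER=...;UID=keeper;PWD=...")` from the host, not from the honeypot itself; the keeper's own ALTER LOGIN and sp_trace_setstatus calls will show up in the trace too, so filter on its LoginName when reviewing the capture.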
Now you may wonder: what do bots do when they think no one is watching? They register DLLs, make WMI calls, change registry keys, create OLE objects, set up rogue jobs, upload binary code, create logins and delete the logins of other known bots … all the good stuff.
And you should see it for yourself.
The list of bot logins deleted by other bots usually looks like this, even after a short time of monitoring: ps, su, Rolename, shitou, masqer, se, Mssqla, vice, rely, suz, syn, gaibian, sasa, xxa, Myar, win7, sz, wwo, kisadminnew1, ss, mms, chicago, customers, so, gd, windows, wq, [email protected], bingo
Watch these cute little carnivores snap their jaws at each other and flex their permission "muscles", expanding control over the server by any means available. It is very entertaining to watch techniques that many consider unusual, and to see permissions that are generally thought of as ineffective or harmless being taken advantage of. It should also make you worry about the possibility of more sophisticated targeted attacks of the same nature.
This is what lurks right outside your firewalls, just waiting for the next zero-day or a mistake in your security implementation. Have fun with your bot playdate, and keep your real systems secure by using database security scanners like Trustwave's.