{"id":3449,"date":"2013-11-27T17:48:38","date_gmt":"2013-11-27T16:48:38","guid":{"rendered":"http:\/\/andreas-wolter.com\/wo-sind-die-scripte-zu-dem-vortrag-sql-attackedhacking-sql-server\/"},"modified":"2017-10-12T17:57:29","modified_gmt":"2017-10-12T16:57:29","slug":"where-are-the-scripts-to-the-session-sql-attackedhacking-sql-server","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/where-are-the-scripts-to-the-session-sql-attackedhacking-sql-server\/","title":{"rendered":"Where are the scripts to the session \u201eSQL Attacked\/Hacking SQL Server\u201c ? ;-)"},"content":{"rendered":"\n<div  class='av-special-heading av-av_heading-862484e0d8c4a73b08d0e3303ca1256a av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Where are the scripts to the session <span class='special_amp'>\u201e<\/span>SQL Attacked\/Hacking SQL Server<span class='special_amp'>\u201c<\/span> ? 
\ud83d\ude09<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Subsequent to the lectures from my \u201cHacking SQL Server\u201d series \u201cSecurity Session \u201eSQL Attack..ed\u201c \u2013 Attack scenarios on SQL Server (&#8220;Hacking SQL Server&#8221;)\u201d which I have already given at the SQLSaturdays <a href=\"http:\/\/sqlsaturday.com\/viewsession.aspx?sat=230&#038;sessionid=14807\" target=\"_blank\" rel=\"noopener\">Rheinland<\/a>, <a href=\"http:\/\/sqlsaturday.com\/viewsession.aspx?sat=258&#038;sessionid=16792\" target=\"_blank\" rel=\"noopener\">Istanbul<\/a>, at the SQLRAlly Amsterdam and at many regional groups of <a href=\"http:\/\/www.sqlpass.de\/Regionen\/Deutschland.aspx\" target=\"_blank\" rel=\"noopener\">PASS Germany<\/a>, more often than not the question arises whether I make the presented code available to the public. With Twitter not being that suitable a medium of discussion (greetings to @DirkHondong and @FrankGeisler ;-)), yet the topic deserving some more attention, I will get into the matter in the following.<\/p>\n<p>The background as to why I\u2019m <u>not making public<\/u> the scripts developed for this purpose is actually quite simple: in the scripts, I am showing attack variants and techniques, among others, which have not been documented or are not known within the \u201cscene\u201d (?).<\/p>\n<p>And since I am a little familiar with the discretionary SQL injection and \u201cHacking\u201d\/DoS tools in general, I would like to avoid giving those parties developing these tools new ideas for bringing servers down. 
This wouldn\u2019t be of use to anyone from the SQL Server community (except maybe to \u201ccontract hackers,\u201d but I\u2019m \u201cafraid\u201d I don\u2019t hold any stocks in there ;-)).<\/p>\n<ul>\n<li>By the way, most of the SQL injection variants are very well <a href=\"http:\/\/en.wikipedia.org\/wiki\/SQL_injection\" target=\"_blank\" rel=\"noopener\">documented<\/a> on the internet, and a simple search will turn up a variety of code examples. It will hardly make a difference which template one is using, as one will need to make adaptations anyway. \ud83d\ude09<\/li>\n<\/ul>\n<p>Contrary to general opinion, I do not believe that everyone needs to be able to <strong>carry out<\/strong> all \u201chacking\u201d techniques by themselves. I think this is often used as a blanket pretext for justifying actions that are questionable from a security standpoint.<\/p>\n<p>I am of the opinion that it is sufficient to know\/have seen where one can be vulnerable, and that it is more important to invest the time into developing skills for <strong>protection<\/strong>.<\/p>\n<p>And this is a good prerequisite for \u201chacking\u201d oneself (and what sets one apart from the so-called \u201cscript kiddie\u201d). Only that <u>even more<\/u> knowledge will be required then.<\/p>\n<p>In principle, however, what I mostly observe is a lack of knowledge of the interrelations within the security architecture of SQL Server, which is naturally my focus, as well as, of course, of the Windows Server beneath it and the domain architecture in general.<\/p>\n<p>Being able to \u201chack\u201d on its own is of no use. Once one has covered everything that is known, one can still get to that. 
If that becomes necessary, one will end up in the grey area of \u201cpenetration testing.\u201d<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>The actual goal of my lectures\/ \u201cshows\u201d (?) is <strong>awareness<\/strong>\/perception, and a <u>heightened sensitivity<\/u> to the topic of security in the sense of:<\/p>\n<blockquote><p><em>\u201cHave I taken all this into consideration?\u201d<\/em><\/p>\n<p><em>\u201cCould I still have gaps and be an easy target without having noticed up to now?\u201d<\/em><\/p><\/blockquote>\n<p>Not:<\/p>\n<blockquote><p><em>\u201cIn order to make my SQL Server environment more secure I would like to dabble in \u2018hacking.\u2019\u201d<\/em><\/p><\/blockquote>\n<p>I hope this makes sense to you \ud83d\ude09<\/p>\n<p>Either way, an open discussion on this topic is absolutely welcome as far as I am concerned.<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Happy securing<\/p>\n<p>Andreas<\/p>\n<p>PS: For those who already know the basics, but have more complex requirements or critical environments, there are the <strong>Master-Classes on Security<\/strong>:<\/p>\n<p><a href=\"http:\/\/en.sarpedonqualitylab.com\/SQL_Master-Classes.htm\" target=\"_blank\" rel=\"noopener\">en.sarpedonqualitylab.com\/SQL_Master-Classes.htm<\/a><\/p>\n<\/div><\/section>","protected":false},"excerpt":{"rendered":"Subsequent to the lectures from my \u201cHacking SQL Server\u201d series \u201cSecurity Session \u201eSQL Attack..ed\u201c \u2013 Attack scenarios on SQL Server (&#8220;Hacking SQL Server&#8221;)\u201d which I have already given at the SQLSaturdays Rheinland, Istanbul, at the SQLRAlly Amsterdam and at many regional groups of PASS Germany, more often than not the question arises whether I make [&hellip;]","protected":false},"author":4,"featured_media":4324,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97,57],"tags":[24,27,232,240],"class_list":["post-3449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-conferences-en","category-security-en","tag-conference-en","tag-security-en","tag-sicherheit-en","tag-sqlinjection-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3449"}],"version-history":[{"count":2,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3449\/revisions"}],"predecessor-version":[{"id":3452,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3449\/revisions\/3452"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/4324"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-j
son\/wp\/v2\/categories?post=3449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}