Vulnerability Scanner Software for MS SQL

  1. #1
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74

    Vulnerability Scanner Software for MS SQL

    I need to test the integrity of an MS SQL Server that is on our network. What would be the best vulscan to use to check if this server is secure?

    Would there be software to perform port scans on this server as well?


    Thanks

    B
    .....I rather not say....

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    What do you want to test? The database or the server itself?

    For the server you could use nmap and/or nessus.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74
    I have been asked to test the integrity and security of the database. The application being used is built on top of the database. I am not sure how the DB is administered.

    I need something that can test how secure that database is and if it's easy to crack open.

    PS. This is new to me, so go easy with criticism.

    Thanks in advance for help
    .....I rather not say....

  4. #4
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Being that you are self-proclaimed inexperienced:

    Check out Nessus and Nmap. Nessus is a vulnerability assessment tool that will use plugins that detect known vulnerabilities on the system, MS-SQL included. It will also use a port scan in the process, which you can use to find unnecessary services.

    The configuration of the database and the access it will allow the application is also a serious issue (permissions to tables and actions).

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Nessus and Nmap are probably the best to test it, yes. You can also try manually performing SQL injection attacks.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Testing for SQL injection and some source code auditing should be done on the application. But don't forget to check the permissions on the tables and databases as d34dl0k1 noted.

    Big warning as this is one of the biggest issues with third party apps:
    DO NOT ALLOW THE APPLICATION TO USE THE (MS-SQL) SA ACCOUNT!

    There are basically 3 different things you need to audit:
    1) The server/OS itself, needs to be hardened, basic rule: if you don't need/use something, disable or preferably remove it.
    2) The application, source code audit (SQL injection, fuzzing, buffer overflows etc.)
    3) The database, accounts/permissions on tables/databases (LPR; Least Privilege Required).
    Last edited by SirDice; June 13th, 2007 at 11:58 AM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
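
The database-side audit (point 3 in post #6) and the SA warning can be checked with a few catalog queries. This is an added T-SQL example, not part of the thread; it assumes SQL Server 2005 or later, that it is run inside the application's database, and that the auditing login has VIEW SERVER STATE and VIEW ANY DEFINITION so it can see other sessions and principals.

```sql
-- Added example, not from the thread. Run inside the application's database.

-- 1) Logins connected right now, and whether each one is a sysadmin
--    (1 = yes, NULL = could not be determined). An application session
--    showing 1 here is the "application uses sa" problem, whatever the
--    login happens to be called.
SELECT  s.login_name, s.program_name, s.host_name,
        COUNT(*) AS session_count,
        IS_SRVROLEMEMBER(N'sysadmin', s.login_name) AS login_is_sysadmin
FROM    sys.dm_exec_sessions AS s
WHERE   s.is_user_process = 1
GROUP BY s.login_name, s.program_name, s.host_name
ORDER BY login_is_sysadmin DESC, s.login_name;

-- 2) Every member of the sysadmin server role. The built-in sa login
--    always has SID 0x01, even if it has been renamed.
SELECT  m.name AS login_name, m.type_desc, m.is_disabled,
        CASE WHEN m.sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa
FROM    sys.server_role_members AS srm
JOIN    sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN    sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE   r.name = N'sysadmin';

-- 3) Members of the high-privilege fixed roles in the current database.
SELECT  r.name AS role_name, m.name AS member_name, m.type_desc
FROM    sys.database_role_members AS drm
JOIN    sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE   r.name IN (N'db_owner', N'db_securityadmin',
                   N'db_accessadmin', N'db_ddladmin');

-- 4) Explicit GRANT/DENY entries per principal on the database itself,
--    on objects (tables, views, procedures) and on schemas.
SELECT  p.name AS principal_name, p.type_desc,
        pe.state_desc, pe.permission_name, pe.class_desc,
        CASE pe.class
            WHEN 0 THEN DB_NAME()
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.'
                        + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
        END AS securable
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals AS p
        ON p.principal_id = pe.grantee_principal_id
WHERE   pe.class IN (0, 1, 3)
ORDER BY p.name, securable, pe.permission_name;
```

Compare the output of queries 3 and 4 for the application's principal against what the application actually needs; anything beyond that is a candidate for removal.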
