templates/CheatSheet_ConnectionStrings.txt

Below is a cheatsheet for creating SQL Server client connection strings and finding them in common configuration files.
 
------------------------------------------------------------------
CREATING CONNECTION STRINGS
------------------------------------------------------------------
 
----------------------
Authentication Options
----------------------
 
Current Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
  
Provided Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password;
 
Provided SQL Login
Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password;
 
 
-----------------------
Connection Type Options
-----------------------
 
TCP/IP
Server=TCP:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
 
Named Pipes
Connecting to instances by name, forcing a named pipes connection:
Server=np:Server;Database=Master;Integrated Security=SSPI;Connection Timeout=1
Server=np:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
Default instance: Server=\\APPHOST\pipe\unit\app;Database=Master;Integrated Security=SSPI;Connection Timeout=1
Named instance: Server=\\APPHOST\pipe\MSSQL$SQLEXPRESS\SQL\query;Database=Master;Integrated Security=SSPI;Connection Timeout=1
 
VIA
Server=via:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
 
Shared Memory
Server=lpc:Servername\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
Server=(local);Database=Master;Integrated Security=SSPI;Connection Timeout=1
Server=(.);Database=Master;Integrated Security=SSPI;Connection Timeout=1
 
Dedicated Admin Connection
Server=DAC:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
 
 
-----------------------
Other Options
-----------------------
 
Spoof Application Client
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application"
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name=".Net SqlClient Data Provider"
Determine the app name the server sees for the current session: SELECT APP_NAME()
 
Set Encryption
Driver='ODBC Driver 11 for SQL Server';Server=ServerNameHere;Encrypt=YES;TrustServerCertificate=YES
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application";Encrypt=Yes
 
Encrypt Flag Notes:
Data sent between client and server is encrypted using SSL/TLS. The name (or IP address) in the Subject Common Name (CN) or
Subject Alternative Name (SAN) of the SQL Server certificate should exactly match the server name (or IP address)
specified in the connection string. TrustServerCertificate=Yes skips that certificate check, so the channel is
encrypted but the server's identity is not verified.
 
Set Packet Size
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.packetsize(v=vs.110).aspx
Note: This could potentially be used to obfuscate malicious payloads from network IDS going over unencrypted connections.
"Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=SSPI;Packet Size=512"
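Added example, not part of the original cheatsheet: a parser for the key=value grammar used by the strings above (quoted values included) plus an audit that flags the settings a reviewer cares about when one of these strings turns up in a config file: embedded credentials, missing Encrypt, TrustServerCertificate, Persist Security Info and a non-default Packet Size. Function names, risk codes and the sample strings are the editor's own construction.

```python
import re
from typing import Dict, List

# SqlClient keyword synonyms (compared case-insensitively), folded to one canonical name.
ALIASES = {
    "data source": "server", "address": "server", "addr": "server", "network address": "server",
    "initial catalog": "database", "uid": "user id", "user": "user id", "pwd": "password",
    "trusted_connection": "integrated security", "app": "application name",
}
# key = value, where value is "double quoted", 'single quoted', or bare up to the next ';'.
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")


def _on(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "sspi"}


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split a connection string into lower-cased canonical key -> value pairs."""
    cs = cs.strip()
    if len(cs) > 1 and cs[0] == cs[-1] == '"':   # whole string quoted, as in the Packet Size entry
        cs = cs[1:-1]
    props: Dict[str, str] = {}
    for m in _PAIR.finditer(cs):
        key = m.group(1).strip().lower()
        value = next(v for v in m.groups()[1:] if v is not None).strip()
        props[ALIASES.get(key, key)] = value
    return props


def audit(cs: str) -> List[str]:
    """Return risk codes (constructed names) for the settings this cheatsheet covers, in a fixed order."""
    p = parse_connection_string(cs)
    codes: List[str] = []
    if p.get("password"):
        codes.append("EMBEDDED_PASSWORD")       # credential stored in clear text with the string
        if _on(p.get("integrated security", "")):
            codes.append("CREDENTIAL_IGNORED")  # SqlClient uses Windows auth and ignores uid/pwd
    if not _on(p.get("encrypt", "")):
        codes.append("NO_ENCRYPTION")           # queries and results cross the network in the clear
    if _on(p.get("trustservercertificate", "")):
        codes.append("CERT_NOT_VALIDATED")      # encrypted, but the server's identity is not checked
    if _on(p.get("persist security info", "")):
        codes.append("PERSIST_SECURITY_INFO")   # password stays readable on the open connection object
    size = p.get("packet size", "")
    if size.isdigit() and int(size) < 4096:
        codes.append("SMALL_PACKET_SIZE")       # non-default value worth a look in network monitoring
    return codes
```

Run `audit()` over each connectionString attribute pulled from a web.config or each OLE DB initstring from a .udl to triage a host's findings in one pass.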
 
-----------------------
Online References
-----------------------
 
https://msdn.microsoft.com/en-us/library/ms130822.aspx
https://msdn.microsoft.com/en-us/library/ms188642.aspx
https://technet.microsoft.com/en-us/library/ms191260(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms187662(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms189307(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms178068(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms189595(v=sql.105).aspx
https://msdn.microsoft.com/en-us/library/ms254500(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/hh568455(v=sql.110).aspx
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnectionstringbuilder(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnectionstringbuilder.applicationname(v=vs.110).aspx
https://www.connectionstrings.com/sql-server/
 
 
------------------------------------------------------------------
FINDING CONNECTION STRINGS
------------------------------------------------------------------
 
-----------------------
ODBC/DSN Notes
-----------------------
https://technet.microsoft.com/en-us/library/hh771015.aspx
https://technet.microsoft.com/en-us/library/hh771014.aspx
 
Get all installed ODBC drivers
Get-OdbcDriver
 
Get all installed 64-bit ODBC drivers for SQL Server
Get-OdbcDriver -Name "SQL Server*" -Platform "64-bit"
 
Get all ODBC User DSNs for specified driver
$DsnArray = Get-OdbcDsn -DriverName "SQL Server*"
 
Get ODBC System DSNs by name
Get-OdbcDsn -Name "MyPayroll" -DsnType "System" -Platform "32-bit"
 
Get ODBC DSNs with names that contain a string
Get-OdbcDsn -Name "*Payroll*"
 
 
-------------------------------
Universal Data Link (UDL) Files
-------------------------------
https://msdn.microsoft.com/en-us/library/e38h511e(v=vs.71).aspx
 
.UDL files often contain connection strings in a format similar to:
 
[oledb]
; Everything after this line is an OLE DB initstring
Provider=SQLOLEDB.1;Persist Security Info=False;Data Source=servername;Initial Catalog=Northwind;Integrated Security=SSPI
 
Finding UDL files
c:
cd \
dir /s /b *.udl
Get-ChildItem -Path C:\ -Filter *.udl -Recurse | select fullname
 
 
------------------------------
ApplicationHost.config Files
------------------------------
https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
 
Decrypt Entire Config File
--
1. List application pools.
 
appcmd list apppools
appcmd list apppools /text:MyTestPool
 
2. Get the cleartext configuration for a specific pool.
 
appcmd list apppool "MyTestPool" /text:*
 
Decrypt Virtual Directory and Application Credentials in Config File
--
1. List virtual directories.
 
appcmd list vdir
 
2. List configuration content.
 
appcmd list vdir "Bike Shop/" /text:*
 
------------------------------
Web.config Files
------------------------------
https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/#2
 
Finding web.config files
--
c:
cd \
dir /s /b web.config
Get-ChildItem -Path C:\ -Filter web.config -Recurse | select fullname
 
Finding registered web.config files via appcmd.exe
--
Common Paths:
C:\Program Files\IIS Express\appcmd.exe
C:\Program Files (x86)\IIS Express\appcmd.exe
%windir%\system32\inetsrv\appcmd
 
Common Commands:
%windir%\system32\inetsrv\appcmd list vdir
dir /s /b v | find /I "web.config"
 
Decrypt Web.config with aspnet_regiis.exe
--
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" c:\MyTestSite