KFSensor


Edit Sim Std Server - SQL Server

Use the Edit Sim Std Server - SQL Server dialog box to add or edit a SQL Server definition.

A description of what Sim Std Servers are can be found here.

This Sim Std Server emulates Microsoft's SQL Server database system.
The emulation is limited to enabling a visitor to attempt to log onto a database.
The visitor sends their user name and password, which will never be accepted.

MS SQL Server also has an additional UDP service that provides information on the SQL Servers present on a network.
See the Edit Sim Std Server - SQL UDP Server section for more details.

The decoded login packet provides a number of interesting fields that can reveal a lot of information about an attacker.

Field           Example             Description
TDS version     x71000001           The version of the TDS (Tabular Data Stream) protocol being used. TDS is the wire protocol used by SQL Server.
Client version  x07000000           The program version reported by the visitor's client software.
Time zone       -60                 The visitor's time zone, as an offset from GMT in minutes. This gives a rough indication of the visitor's location.
MAC             00 E0 7D DC E4 22   The physical network address (client ID) of the visitor's machine, as reported by the client.
Host            CALI                The NetBIOS name of the visitor's machine.
User            sa                  The SQL Server account the visitor is attempting to log on as. 'sa' is the built-in administrator account.
Password        secret              The password the visitor is using, recovered from the simple obfuscation (nibble swap and XOR with 0xA5) that TDS applies to it. Repeated attempts against this server with different passwords usually indicate a password dictionary attack.
App             osql                The name of the application being used to attack the server.
Library         ODBC                The name of the underlying client library used by the visitor.
Language                            Usually blank, indicating the default language.
Database                            The name of the database the visitor is attempting to log on to. This will be blank unless the visitor has first used the SQL UDP Server to obtain the database name.

All of these values are supplied by the visitor's client and can be set to anything the attacker chooses, so treat them as leads to be corroborated rather than as proof of identity or location.
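To show where the fields above come from on the wire, the following Python example (added here; it is not part of KFSensor or this manual) builds a constructed TDS 7.1 LOGIN7 packet carrying the example values from the table and then parses it back, undoing the password obfuscation on the way. The function names, the server name "10.0.0.5", the client PID 1234 and the LCID 0x0409 are assumptions made for the example; the packet layout follows the published TDS LOGIN7 structure.

```python
import struct

TDS_LOGIN7 = 0x10   # TDS packet type for a LOGIN7 message
HEADER_LEN = 8      # TDS packet header: type, status, length (big-endian), spid, packet id, window
FIXED_FMT = "<IIIIIIBBBBiI"   # Length, TDSVersion, PacketSize, ClientProgVer, ClientPID,
                              # ConnectionID, four flag bytes, ClientTimZone (signed), ClientLCID
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 36 bytes
# The (offset, length) pairs that follow the fixed part, in wire order; ClientID (the 6-byte
# MAC) comes directly after the last of these.
STRING_FIELDS = ["host", "user", "password", "app", "server", "unused", "library", "language", "database"]


def obfuscate_password(password: str) -> bytes:
    """TDS 7 password encoding: swap the nibbles of each UCS-2 byte, then XOR with 0xA5."""
    return bytes((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5 for b in password.encode("utf-16-le"))


def deobfuscate_password(buf: bytes) -> str:
    """Reverse obfuscate_password: XOR with 0xA5, then swap the nibbles back."""
    plain = bytes((((b ^ 0xA5) << 4) & 0xF0) | ((b ^ 0xA5) >> 4) for b in buf)
    return plain.decode("utf-16-le")


def build_login7(fields: dict, tds_version=0x71000001, client_ver=0x07000000,
                 time_zone=-60, mac=bytes.fromhex("00E07DDCE422")) -> bytes:
    """Assemble a TDS 7.1 LOGIN7 packet (constructed input, the shape a client such as osql sends)."""
    # TDS 7.1 header: fixed part + 9 offset/length pairs + ClientID + SSPI pair + AtchDBFile pair
    header_len = FIXED_LEN + 9 * 4 + 6 + 2 * 4
    table, data = bytearray(), bytearray()
    for name in STRING_FIELDS:
        text = fields.get(name, "")
        blob = obfuscate_password(text) if name == "password" else text.encode("utf-16-le")
        # offsets are relative to the start of the LOGIN7 structure; lengths are in characters
        table += struct.pack("<HH", header_len + len(data), len(text))
        data += blob
    end = header_len + len(data)
    table += mac + struct.pack("<HHHH", end, 0, end, 0)   # ClientID, then empty SSPI and AtchDBFile
    # ClientTimZone is the offset from GMT in minutes; PID 1234 and LCID 0x0409 are assumed values
    fixed = struct.pack(FIXED_FMT, end, tds_version, 4096, client_ver, 1234, 0,
                        0, 0, 0, 0, time_zone, 0x0409)
    header = struct.pack(">BBHHBB", TDS_LOGIN7, 0x01, HEADER_LEN + end, 0, 1, 0)  # status 0x01 = end of message
    return header + fixed + table + data


def parse_login7(packet: bytes) -> dict:
    """Decode the fields KFSensor reports from a LOGIN7 packet."""
    ptype, _status, plen, _spid, _pid, _win = struct.unpack_from(">BBHHBB", packet, 0)
    if ptype != TDS_LOGIN7:
        raise ValueError(f"not a LOGIN7 packet (type 0x{ptype:02x})")
    body = packet[HEADER_LEN:plen]
    (length, tds_version, _pktsize, client_ver, _cpid, _conn,
     _f1, _f2, _f3, _f4, time_zone, _lcid) = struct.unpack_from(FIXED_FMT, body, 0)
    if length > len(body):
        raise ValueError("truncated LOGIN7 body")
    info = {"tds_version": f"x{tds_version:08X}", "client_version": f"x{client_ver:08X}",
            "time_zone": time_zone}
    pos = FIXED_LEN
    for name in STRING_FIELDS:
        off, cch = struct.unpack_from("<HH", body, pos)
        pos += 4
        if name == "unused":
            continue
        if off + cch * 2 > length:   # offsets are attacker-controlled: never trust them blindly
            raise ValueError(f"{name} field runs past the end of the packet")
        raw = body[off:off + cch * 2]
        info[name] = deobfuscate_password(raw) if name == "password" else raw.decode("utf-16-le")
    info["mac"] = body[pos:pos + 6].hex(" ").upper()
    return info


def sample_packet() -> bytes:
    """Constructed sample using the example values from the table above."""
    return build_login7({"host": "CALI", "user": "sa", "password": "secret", "app": "osql",
                         "server": "10.0.0.5", "library": "ODBC"})


if __name__ == "__main__":
    for key, value in parse_login7(sample_packet()).items():
        print(f"{key:15} {value}")
```

The bounds check on each offset matters on a honeypot: every offset and length in the table is chosen by the visitor, so a decoder that slices without checking can be tripped into reading outside the packet by a malformed login.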

There are a number of different tools that can be used to automate different attacks on SQL Servers.
Examples are: sqlpoke, sqlbf and sqldict.

You can find these and more on these web sites:
http://packetstormsecurity.nl/Crackers/indexdate.shtml
http://www.sqlsecurity.com/scripts.asp

Title

  • Name
    Each Sim Std Server requires a unique name, which is used to identify it.
  • Description
    A piece of text for notes on what the Sim Std Server aims to support
  • Default Port
    Most services have standard ports on which visitors expect to find them.
    The default port is TCP 1433.
    This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on any or many different ports.
  • Severity
    The severity level that events generated by this Sim Std Server will be given. This can be overridden as part of the Listen configuration.

Options

These settings control how the data is logged.
  • Log Detail
    This controls how much detail of the decoded packets is recorded.
    Type     Description
    Basic    Provides a brief summary of the main points of interest in the packet.
    Normal   Provides more details of the packet.
    Debug    Provides all the details of the packet.
  • Log decoded packet
    If checked then each packet will be decoded and logged in a human readable format.
  • Log raw packet
    If checked then the raw binary data of the packet will be logged. If both this option and the one above are checked then each packet will be logged first in decoded format and then as a binary value.
  • Response Delay
    This option slows a connection down by inserting a delay, in milliseconds, before each response is sent.
    This is a good way of slowing down an attack and preventing the honeypot from being overloaded.
    Note: Unlike the other time settings, this one is in milliseconds, not seconds.

Related Topics


KFSensor On-Line Manual Contents