Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
SQL Server Connection Strings CheatSheet
Below is a cheatsheet for creating SQL Server client connection strings and finding them in common configuration files.
Authentication Options
Current Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Provided Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password;"
Provided SQL Login
Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password;"
Connection Type Options
Server=TCP:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Named Pipes
Connecting to instances by name, forcing a named pipes connection.
Server=np:Server;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=np:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Default instance: Server=\\APPHOST\pipe\unit\app;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Named instance: Server=\\APPHOST\pipe\MSSQL$SQLEXPRESS\SQL\query;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=via:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Shared Memory
Server=lpc:Servername\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=(local);Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=(.);Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Dedicated Admin Connection
Server=DAC:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Other Options
Spoof Application Client
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application"
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;ApplicationName=".Net SqlClient Data Provider"
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;AppName="EvilSQLClient"
determine app name in sql server: select APP_NAME()
Spoof Workstation Id
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Workstation Id="MyWorkstation"
determine hostname name in sql server: select Host_NAME()
Set Encryption
Driver='ODBC Driver 11 for SQL Server';Server=ServerNameHere;Encrypt=YES;TrustServerCertificate=YES
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application";Encrypt=Yes
Encrypt Flag Notes:
Data sent between client and server is encrypted using SSL. The name (or IP address) in a Subject Common Name (CN) or
Subject Alternative Name (SAN) in a SQL Server SSL certificate should exactly match the server name (or IP address)
specified in the connection string.
Set Packet Size
Note: This could potentially be used to obfuscate malicious payloads from network IDS going over unencrypted connections.
"Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=SSPI;Packet Size=512"
Online References
Get all install ODBC drivers
Get all install ODBC drivers for SQL Server that are 64 bit
Get-OdbcDriver -Name "SQL Server*" -Platform "64-bit"
Get all ODBC User DSNs for specified driver
$DsnArray = Get-OdbcDsn -DriverName "SQL Server*"
Get ODBC System DSNs by name
Get-OdbcDsn -Name "MyPayroll" -DsnType "System" -Platform "32-bit"
Get ODBC DSNs with names that contain a string
Get-OdbcDsn -Name "*Payroll*"
Universal Data Link (UDL) Files
.UDL files often contain connection strings in a format similar to:
; Everything after this line is an OLE DB initstring
Provider=SQLOLEDB.1;Persist Security Info=False;Data Source=servername;Initial Catalog=Northwind;Integrated Security=SSPI
Finding UDL files
cd \
dir /s /b *.udl
Get-ChildItem -Path C:\ -Filter *.udl -Recurse | select fullname
ApplicationHost.config Files
Decrypt Entire Config File
1. List application pools.
appcmd list apppools
appcmd list apppools /text:MyTestPool
2. Get clearext configuration file for specific pool.
appcmd list apppool "MyTestPool" /text:*
Decrypt Virtual Directory and Application Credentials in Config File
1. List virtual directories.
appcmd list vdir
2. List configuration content.
appcmd list vdir "Bike Shop/" /text:*
Web.config Files
Finding web.config files
cd \
dir /s /b web.config
Get-ChildItem -Path C:\ -Filter web.config -Recurse | select fullname
Finding registered web.config files via appcmd.exe
Common Paths:
C:\Program Files\IIS Express\appcmd.exe
C:\Program Files (x86)\IIS Express\appcmd.exe
Common Commands:
%windir%\system32\inetsrv\appcmd list vdir
dir /s /b v | find /I "web.config"
Decrypted Web.config with aspnet_regiis.exe
C:\Windows\Microsoft\.NETFrameworkv\2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" c:\MyTestSite
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.