Instantly share code, notes, and snippets.

Embed
What would you like to do?
SQL Server Connection Strings CheatSheet
Below is a cheatsheet for creating SQL Server client connection strings and finding them in common configuration files.
------------------------------------------------------------------
CREATING CONNECTION STRINGS
------------------------------------------------------------------
----------------------
Authentication Options
----------------------
Current Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Provided Windows Account
Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password;"
Provided SQL Login
Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password;"
-----------------------
Connection Type Options
-----------------------
TCP/IP
Server=TCP:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Named Pipes
Connecting to instances by name, forcing a named pipes connection.
Server=np:Server;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=np:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Default instance: Server=\\APPHOST\pipe\unit\app;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Named instance: Server=\\APPHOST\pipe\MSSQL$SQLEXPRESS\SQL\query;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
VIA
Server=via:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Shared Memory
Server=lpc:Servername\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=(local);Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Server=(.);Database=Master;Integrated Security=SSPI;Connection Timeout=1"
Dedicated Admin Connection
Server=DAC:Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1"
-----------------------
Other Options
-----------------------
Spoof Application Client
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application"
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;ApplicationName=".Net SqlClient Data Provider"
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;AppName="EvilSQLClient"
determine app name in sql server: select APP_NAME()
Spoof Workstation Id
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Workstation Id="MyWorkstation"
determine hostname name in sql server: select Host_NAME()
Set Encryption
Driver='ODBC Driver 11 for SQL Server';Server=ServerNameHere;Encrypt=YES;TrustServerCertificate=YES
Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=True;Application Name="My Application";Encrypt=Yes
Encrypt Flag Notes:
Data sent between client and server is encrypted using SSL. The name (or IP address) in a Subject Common Name (CN) or
Subject Alternative Name (SAN) in a SQL Server SSL certificate should exactly match the server name (or IP address)
specified in the connection string.
Set Packet Size
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.packetsize(v=vs.110).aspx
Note: This could potentially be used to obfuscate malicious payloads from network IDS going over unencrypted connections.
"Data Source=(local);Initial Catalog=AdventureWorks;Integrated Security=SSPI;Packet Size=512"
-----------------------
Online References
-----------------------
https://msdn.microsoft.com/en-us/library/ms130822.aspx
https://msdn.microsoft.com/en-us/library/ms188642.aspx
https://technet.microsoft.com/en-us/library/ms191260(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms187662(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms189307(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms178068(v=sql.105).aspx
https://technet.microsoft.com/en-us/library/ms189595(v=sql.105).aspx
https://msdn.microsoft.com/en-us/library/ms254500(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/hh568455(v=sql.110).aspx
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnectionstringbuilder(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnectionstringbuilder.applicationname(v=vs.110).aspx
https://www.connectionstrings.com/sql-server/
------------------------------------------------------------------
FINDING CONNECTION STRINGS
------------------------------------------------------------------
-----------------------
ODBC/DNS Notes
-----------------------
https://technet.microsoft.com/en-us/library/hh771015.aspx
https://technet.microsoft.com/en-us/library/hh771014.aspx
Get all install ODBC drivers
Get-OdbcDriver
Get all install ODBC drivers for SQL Server that are 64 bit
Get-OdbcDriver -Name "SQL Server*" -Platform "64-bit"
Get all ODBC User DSNs for specified driver
$DsnArray = Get-OdbcDsn -DriverName "SQL Server*"
Get ODBC System DSNs by name
Get-OdbcDsn -Name "MyPayroll" -DsnType "System" -Platform "32-bit"
Get ODBC DSNs with names that contain a string
Get-OdbcDsn -Name "*Payroll*"
-------------------------------
Universal Data Link (UDL) Files
-------------------------------
https://msdn.microsoft.com/en-us/library/e38h511e(v=vs.71).aspx
.UDL files often contain connection strings in a format similar to:
[oledb]
; Everything after this line is an OLE DB initstring
Provider=SQLOLEDB.1;Persist Security Info=False;Data Source=servername;Initial Catalog=Northwind;Integrated Security=SSPI
Finding UDL files
c:
cd \
dir /s /b *.udl
Get-ChildItem -Path C:\ -Filter *.udl -Recurse | select fullname
------------------------------
ApplicationHost.config Files
------------------------------
https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
Decrypt Entire Config File
--
1. List application pools.
appcmd list apppools
appcmd list apppools /text:MyTestPool
2. Get clearext configuration file for specific pool.
appcmd list apppool "MyTestPool" /text:*
Decrypt Virtual Directory and Application Credentials in Config File
--
1. List virtual directories.
appcmd list vdir
2. List configuration content.
appcmd list vdir "Bike Shop/" /text:*
------------------------------
Web.config Files
------------------------------
https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/#2
Finding web.config files
--
c:
cd \
dir /s /b web.config
Get-ChildItem -Path C:\ -Filter web.config -Recurse | select fullname
Finding registered web.config files via appcmd.exe
--
Common Paths:
C:\Program Files\IIS Express\appcmd.exe
C:\Program Files (x86)\IIS Express\appcmd.exe
%windir%\system32\inetsrv\appcmd
Common Commands:
%windir%\system32\inetsrv\appcmd list vdir
dir /s /b v | find /I "web.config"
Decrypted Web.config with aspnet_regiis.exe
--
C:\Windows\Microsoft\.NETFrameworkv\2.0.50727\aspnet_regiis.exe -pdf "connectionStrings" c:\MyTestSite
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment