Thursday, July 5, 2012

Hacking Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Server 2005/2008/2012 provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. This feature requires pre-allocating dedicated resources during server startup like additional memory ~3.5 megs.  Because of this extra resource, in SQL Express scenarios the DAC feature is disabled. You can enable it by starting SQL Server service with a trace flag. By default, the DAC is only available from a client on the server. To enable client applications on remote computers to use the DAC, use the remote admin connections option of sp_configure.

SQL Server listens for the DAC on TCP port 1434 if available or a TCP port dynamically assigned upon Database Engine startup. The error log contains the port number the DAC is listening on. By default the DAC listener accepts connection on only the local port. To activate remote administration connections, see the remote admin connections Server Configuration Option below.

The following example enables the DAC from a remote computer.

sp_configure 'remote admin connections', 1;

In this example, an administrator notices that server 172.16.x.x is not responding and wants to diagnose the problem. To do this, the user activates the sqlcmd command prompt utility and connects to server 172.16.x.x using -A to indicate the DAC.

C:\Users\Win7>sqlcmd -A -S 172.16.x.x -U sa -P Bob$yourUncl3

DAC with remote admin connections permitted may allow an attacker to bypass access controls, logon triggers, perform brute force attacks or run unauthorized queries.

Ensure DAC is configured per your Microsoft SQL Server Build and Hardening Documentation and Policies.

To determine the state of the DAC:

sp_configure 'remote admin connections'

0: Indicates only local connections are allowed by using the DAC.
1: Indicates remote connections are allowed by using the DAC.

Detecting DAC using NMap:

bash-3.2$ nmap 172.16.1-3.1-254 -p1434 -vv --open -Pn -n

Starting Nmap 5.51 ( ) at 2012-06-28 09:56 PDT
Initiating Connect Scan at 09:56
Scanning 762 hosts [1 port/host]
Discovered open port 1434/tcp on 172.16.x.1
Discovered open port 1434/tcp on 172.16.x.2

Failed Logons will appear in the Windows Application Event Log:

Windows Event Log:

Event Type:    Failure Audit
Event Source:    MSSQLSERVER
Event Category:    (4)
Event ID:    18456
Date:        6/28/2012
Time:        10:08:18 AM
User:        N/A
Computer:    SQL01PRD
Login failed for user 'sa'. [CLIENT: 10.16.x.x]

Additional DAC related messages to monitor for:


Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag %d. This is an informational message only. No user action is required.


Changing the remote access settings for the Dedicated Admin Connection failed with error 0x%lx, status code 0x%lx.


Dedicated admin connection support was established for listening remotely on port %d.


Could not connect because the maximum number of '%ld' dedicated administrator connections already exists. Before a new connection can be made, the existing dedicated administrator connection must be dropped, either by logging off or ending the process.%.*ls

No comments:

Post a Comment

Thanks for adding to the conversation. I'll update your post shortly.