Page 2: Penetration Testing Roadmap
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
Page 3: Penetration Testing Roadmap (cont’d)
• Physical Security
• Database
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
Page 4: List of Steps
1 Scan for default ports used by the database
2 Scan for non-default ports used by the database
3 Identify the instance names used by the database
4 Identify the version numbers used by the database
5 Attempt to brute force password hashes from the database
6 Sniff database related traffic on the local wire
Page 5: List of Steps (cont’d)
7 Microsoft SQL server testing:
• 7.1 Test for direct access interrogation
• 7.2 Scan for Microsoft SQL server ports (TCP/UDP 1433)
• 7.3 Test for SQL Server Resolution Service (SSRS)
• 7.4 Test for buffer overflow in pwdencrypt() function
• 7.5 Test for heap/stack buffer overflow in SSRS
• 7.6 Test for buffer overflows in extended stored procedures
• 7.7 Test for service account registry key
• 7.8 Test the stored procedure to run web tasks
• 7.9 Exploit SQL injection attack
• 7.10 Blind SQL injection
• 7.11 Google hacks
• 7.12 Attempt direct-exploit attacks
• 7.13 Try to retrieve server account list
• 7.14 Using OSQL, test for default/common passwords
• 7.15 Try to retrieve sysxlogins table
Page 6: List of Steps (cont’d)
8 Oracle server testing:
• 8.1 Port scan UDP/TCP ports (TCP/UDP 1433)
• 8.2 Check the status of TNS listener running at Oracle server
• 8.3 Try to login using default account passwords
• 8.4 Try to enumerate SIDs
• 8.5 Use SQL plus to enumerate system tables
9 MySQL server database testing:
• 9.1 Port scan UDP/TCP ports (TCP/UDP)
• 9.2 Extract the version of database being used
• 9.3 Try to login using default/common passwords
Page 7: Step 1: Scan for Default Ports Used by the Database
Use port scanning tools such as Nmap to scan for the ports used by the database.
Following are the default ports used for different products like Oracle Database or Oracle Application Server:
Page 8: Step 1: Scan for Default Ports Used by the Database (cont’d)
Page 9: Step 1: Scan for Default Ports Used by the Database (cont’d)
Page 10: Step 1: Scan for Default Ports Used by the Database (cont’d)
Page 11: Step 1: Scan for Default Ports Used by the Database (cont’d)
Page 12: Step 2: Scan for Non-Default Ports Used by the Database
Following are some other ports used by Oracle:
Service                  Port   Registered as / notes
sql*net                  66     Oracle SQL*NET
SQL*Net 1                1525   orasrv
Page 13: Step 2: Scan for Non-Default Ports Used by the Database (cont’d)
oracle?                  2005   "berknet" for 2005 TCP, oracle for 2005 UDP
Oracle GIOP              2481   giop
Oracle GIOP SSL          2482   giop-ssl
Oracle TTC               2483   ttc (Oracle may use this port to replace 1521 in future)
Oracle TTC SSL           2484   ttc-ssl
OEM Agent                3872   oem-agent
Oracle RTC-PM port       3891   rtc-pm-port
Oracle dbControl Agent   3938   dbcontrol_agent
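Steps 1 and 2 are an exposure inventory: once the scanner output exists, the defender's question is which hosts are listening on database ports at all. The following is an added example (not part of the slide deck) that parses Nmap's grepable (-oG) output and reports hosts with open database ports; the port table is an assumed subset of the slides' Step 1/2 ports plus MySQL's well-known default 3306, which the slides leave unnumbered, and the scan lines are constructed, not a real scan.

```python
import re
from collections import defaultdict

# Subset of the database ports from the slides' Step 1/2 tables, plus
# MySQL's well-known default 3306 (unnumbered on the slides). An assumed
# mapping for this example, not the deck's own table.
DB_PORTS = {
    (1433, "tcp"): "Microsoft SQL Server",
    (1434, "udp"): "SQL Server Resolution Service (SSRS)",
    (1521, "tcp"): "Oracle TNS Listener",
    (2483, "tcp"): "Oracle TTC",
    (2484, "tcp"): "Oracle TTC SSL",
    (3306, "tcp"): "MySQL",
}

# A "Host:" line of Nmap -oG output: host, then the Ports: field up to the
# next tab-separated field. Each entry is port/state/proto/owner/service/...
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_grepable(text):
    """Yield (host, port, proto, state) for every port entry in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            f = entry.strip().split("/")
            if len(f) >= 3:
                yield host, int(f[0]), f[2], f[1]

def exposed_db_services(text):
    """Map host -> [(port, proto, product)] for listening database ports.
    UDP 'open|filtered' counts too: an unanswered UDP probe still means the
    port is reachable and worth reviewing."""
    found = defaultdict(list)
    for host, port, proto, state in parse_grepable(text):
        if state.startswith("open") and (port, proto) in DB_PORTS:
            found[host].append((port, proto, DB_PORTS[(port, proto)]))
    return dict(found)

# Constructed sample in -oG format, not a real scan.
SAMPLE = (
    "Host: 10.0.0.5 ()\tPorts: 1433/open/tcp//ms-sql-s///, "
    "1434/open|filtered/udp//ms-sql-m///, 445/closed/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 (dbhost)\tPorts: 1521/open/tcp//oracle-tns///, "
    "2484/filtered/tcp//ttc-ssl///\n"
    "Host: 10.0.0.12 ()\tPorts: 3306/open/tcp//mysql///\n"
)
```

Running `exposed_db_services(SAMPLE)` reports 1433/tcp and 1434/udp on 10.0.0.5, 1521/tcp on 10.0.0.9 and 3306/tcp on 10.0.0.12; the filtered 2484 and the closed 445 are left out.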
Page 14: Step 3: Identify the Instance Names Used by the Database
Specify a unique name while configuring an instance of Notification Services.
The instance name is used to identify instance database objects.
Instance resources are located by Notification Services using the instance name.
The instance name must be kept short and based on unchanging entities.
The database supports multiple instances, but only one instance can be the default instance.
Instance name criteria:
• Same version
• Same edition
Page 15: Step 4: Identify the Version Numbers Used by the Database
To check the version information of, for example, the Oracle database, simply connect and log in to the Oracle database with SQL*Plus. After login, you will see:
• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005
The Oracle Universal Installer can also be checked for Oracle version information.
Examples: Oracle8i, 9i, 10g, 11i
Page 16: Step 4: Identify the Version Numbers Used by the Database (cont’d)
Page 17: Step 5: Attempt to Brute-Force Password Hashes from the Database
Use tools such as Orabf to brute force password hashes.
Orabf is a brute force/dictionary tool for Oracle hashes.
Page 18: Step 6: Sniff Database Related Traffic on the Local Wire
Sniffing determines the number of database connections.
Use packet sniffing tools to sniff data packets from the network.
Page 19: Step 7: Microsoft SQL Server Testing
Scan for Microsoft SQL Server ports (TCP/UDP 1433)
Test for SQL Server Resolution Service (SSRS)
Using OSQL, test for default/common passwords
Try to retrieve Sysxlogins table
Brute-force SA account
Page 20: Step 7.1: Test for Direct Access Interrogation
Direct or ad hoc access enables users to directly access the underlying data structures.
Write special queries using asterisks (*) to directly interrogate the database.
Page 21: Step 7.2: Scan for Microsoft SQL Server Ports (TCP/UDP 1433)
Port 1433: Microsoft's SQL Server, including the desktop editions that are often silently installed with other Microsoft applications, opens this port and services queries delivered over incoming TCP connections through it.
Use a port scanning tool to scan port 1433 for Microsoft SQL Server services.
Page 22: Step 7.3: Test for SQL Server Resolution Service (SSRS)
SSRS is used to provide referral services for multiple server instances running on the same machine.
Scan UDP port 1434 for the SQL Server Resolution Service (SSRS).
Alternately, ping UDP port 1434 from another SQL server; a reply confirms SSRS.
Page 23: Step 7.3: Test for SQL Server Resolution Service (SSRS) (cont’d)
Check for hidden database instances and probe deeper into the system using the command:
sqlping3cl.exe -scantype [range, list, stealth] -StartIP [IP] -EndIP [IP] -IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]
Run the SQLPing v2.5 tool to look for SQL Server systems and find their version numbers.
Page 24: Step 7.4: Test for Buffer Overflow in pwdencrypt() Function
The pwdencrypt() function compares the user-supplied password with the stored password during login.
A buffer overflow in the pwdencrypt() function gives an intruder the chance to run arbitrary code on the SQL server by sending a crafted password value.
Check for the unchecked buffer in the password encryption procedure and the bulk insert procedure.
Page 25: Step 7.5: Test for Heap/Stack Buffer Overflow in SSRS
Arbitrary code can be run by sending a crafted request to port 1434/udp.
Scan UDP port 1434 at the firewall.
Page 26: Step 7.6: Test for Buffer Overflows in Extended Stored Procedures
Check the publicly accessible database queries and filter them before
Page 27: Step 7.7: Test for Service Account Registry Key
Altering the SQL service account registry key through the "xp_regwrite" extended stored procedure weakens the security policy of the SQL server.
This allows the attacker to run any query or command with the rights of the operating system.
Page 28: Step 7.8: Test the Stored Procedure to Run Web Tasks
Log into a SQL server.
Run the stored procedure for web tasks.
Attempt to delete, update, or insert new web tasks in order to escalate privileges.
Page 29: Step 7.9: Exploit SQL Injection Attack
An SQL injection attack enables a user to read the details of the database.
Run special queries to gain access to the database, such as:
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
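The condition on the slide only works because the application splices user input straight into the SQL text. The following is an added example (not from the slide deck) that shows, against a constructed SQLite table, how a login check built by string concatenation answers the slide's yes/no question about jake's password, and how the same check with bound parameters treats the identical input as an ordinary (wrong) password; the table, user and password are assumptions for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample users table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jake', 'swordfish')")
    return conn

def login_vulnerable(conn, name, password):
    """Builds the WHERE clause by string concatenation, so user input is
    parsed as SQL. Deliberately vulnerable, kept here for comparison."""
    sql = ("SELECT COUNT(*) FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, name, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def inference_input(pattern):
    """The slide's condition, prefixed with a quote so it escapes the
    password literal. The trailing ''=' absorbs the query's own closing
    quote, so the statement stays syntactically valid."""
    return ("' OR EXISTS(SELECT * FROM users WHERE name='jake' "
            "AND password LIKE '" + pattern + "') AND ''='")

def leaks_password_bit(conn, pattern):
    """True when the vulnerable login answers the yes/no question
    'does jake's password match pattern?' without knowing the password."""
    return login_vulnerable(conn, "jake", inference_input(pattern))

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, '%w%':", leaks_password_bit(db, "%w%"))   # True
    print("vulnerable, '%z%':", leaks_password_bit(db, "%z%"))   # False
    print("parameterized:",
          login_parameterized(db, "jake", inference_input("%w%")))  # False
```

The vulnerable query returns a row whenever the EXISTS subquery is true, which is exactly the one-bit leak the slide's payload relies on; the parameterized query compares the whole injected string against the stored password and simply fails.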
Page 30: Test for SQL Injection Attack
Page 31: Step 7.10: Blind SQL Injection
A blind SQL injection attack enables an unauthorized user to exploit web applications and back-end SQL servers.
Use the Absinthe tool to exploit the web application.
Page 32: Step 7.11: Google Hacks
Google searches for SQL Server error messages enable unauthorized users to find databases and vulnerabilities in SQL Server.
Check out Google queries at Johnny Long's “Google Hacking Database”:
http://johnny.ihackstuff.com/index.php?module=prodreviews
Page 33: Step 7.12: Attempt Direct-Exploit Attacks
Direct-exploit attacks allow users to perform code injection and gain unauthorized command line access.
Use the Metasploit tool to perform direct-exploit attacks.
Page 34: Step 7.13: Try to Retrieve Server Account List
A server account list contains SQL login IDs and data of the connected servers.
Use the following command to access the account list:
Page 35: Step 7.13: Try to Retrieve Server Account List (cont’d)
When the user manages to access the account list, it will show the output.
Page 36: Step 7.14: Using OSQL, Test for Default/Common Passwords
The osql utility is a Microsoft® Win32® command prompt utility for ad hoc interactive execution of Transact-SQL statements and scripts.
The osql utility is typically used in these ways:
• Users interactively enter Transact-SQL statements in a manner similar to working at the command prompt. The results are displayed in the command prompt window.
• Users submit an osql job, either specifying a single Transact-SQL statement to execute or pointing the utility to a text file.
Page 37: Step 7.15: Try to Retrieve Sysxlogins Table
The Sysxlogins system table stores qualified user and group names.
The Sysxlogins table is queried first to retrieve the login name and SID of a user, using the SUSER_SNAME() and SUSER_SID() functions.
If the sysxlogins table does not match the requested username or SID, then the Windows Local Security Authority (LSA) is queried for the information.
Page 38: Try to Retrieve Sysxlogins Table: Views
database containing information regarding logins of users, and it can only be accessed through the following views:
• Syslogins: SQL Server login information is provided by interpreting the status column
• Sysremotelogins: Each remote user is allocated one row in the table to call remote stored procedures on the SQL server
• Sysoledbusers: Allocates one row each for user and password mapping
Page 39: SQL Server System Tables
Page 40: Step 7.16: Brute-force SA Account
SA is the built-in database administrator login.
A brute-force attack tries every possible combination of characters as the password until the correct password is found.
Use password cracking tools such as THC Hydra to brute-force the SA login password.
Page 41: Step 8: Oracle Server Testing
Port scan UDP/TCP ports (TCP/UDP 1433)
Check the status of TNS listener running at Oracle server
Try to login using default account passwords
Try to enumerate SIDs
Use SQL plus to enumerate system tables
Page 42: Port Scanning Basic Techniques
A basic port scan tries to learn which ports are open or available to probe.
TCP connect(): The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed.
Strobe: A strobe does a narrower scan, only looking for those services the attacker knows how to exploit.
Page 43: Port Scanning Advanced Techniques
• Fragmented packet port scan
• SYN scan
• FIN scan
• Bounce scan
• Finger
• UDP scanning
• ICMP scan
• Fingerprinting an OS
Page 44: Step 8.1: Port Scan UDP/TCP Ports (TCP/UDP 1433)
Use a port scanning tool such as Nmap to scan for port 1433.
Page 45: Step 8.2: Check the Status of TNS Listener Running at Oracle Server
database and resides in the software layer of both client and server.
The TNS Listener establishes connections between the Oracle server and a client application, allowing valid users who have permissions to control the database and OS to execute arbitrary code.
To find the TNS Listener, use port scanners like Nmap and amap.
If the Listener is not password protected, use the following command to get the SID:
• tnscmd10g.pl status -h <ip-address>
Page 46: Step 8.2: Check the Status of TNS Listener
The Oracle TNS Listener is the lynchpin between a user/web server offering connection and the back-end database.
Files that control the listener are:
• $ORACLE_HOME/bin/lsnrctl - This is the actual Listener control program
Page 47: Oracle TNS Listener: Screenshot
Page 48: Finding the TNS Listener
Page 50: Step 8.3: Try to Login Using Default Account Passwords
Page 51: Step 8.3: Try to Login Using Default Account Passwords (cont’d)
Page 52: Step 8.3: Try to Login Using Default Account Passwords (cont’d)
Page 53: Step 8.4: Try to Enumerate SIDs
Use the Oracle Password Guesser (opwg) utility of the Oracle Auditing Tools (OAT) to enumerate a SID or multiple SIDs for default usernames and passwords.
Page 54: Step 8.5: Use SQL Plus to Enumerate System Tables
SQL*Plus runs SQL scripts against Oracle.
Run WinSID or a similar tool to look for the service name.
Ex: SERVICE_NAME=test.domain
To establish a connection to the remote database, go to the command prompt and type:
• sqlplus user/password@test.domain
Page 55: SQL PLUS: Screenshot
Page 56: Step 9: MySQL Server Database Testing
Port scan UDP/TCP ports (TCP/UDP)
Extract the version of database being used
Try to logon using default/common passwords
Brute force accounts using dictionary attack
Extract system and user tables from the database
Page 57: Step 9.1: Port Scan UDP/TCP Ports (TCP/UDP)
Use port scanning tools such as Nmap to scan TCP/UDP ports for MySQL Server Database services.
Page 58: Step 9.2: Extract the Version of Database Being Used
SQLver extracts the version by querying the file snetlib.dll, without logging into servers.
It uses TCP port 1433.
It just connects to the specified TCP port and starts working.
Execution:
Page 59: Step 9.3: Try to Login Using Default/Common Passwords
Try passwords like admin, administrator, sa, password, etc.
Page 60: Step 9.4: Brute-force Accounts Using Dictionary Attack
One method of breaking password-based security systems is to test all common words as possible passwords.
It can be done in two ways:
• Manually
• By making use of software and a database which contains millions of possible words
It can be used to:
• Determine the decryption key
• Probe and break password mechanisms
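Step 7.16 (brute-forcing the SA account) and Step 9.4 (dictionary attacks) both leave the same trace on the server: a burst of failed logins for one account from one source. The following is an added example (not from the slide deck) of the detection side: it parses failed-login lines in MySQL error-log style and SQL Server ERRORLOG style and flags any (source, user) pair that reaches a threshold of failures inside a sliding window. The log lines are constructed samples imitating those formats, and the threshold and window are assumed values to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login lines in MySQL error-log style and SQL Server ERRORLOG style.
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']*)'")
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<src>[^\]]+)\]")

def parse_failure(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    for rx in (MYSQL_RE, MSSQL_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"].replace("T", " "), "%Y-%m-%d %H:%M:%S")
            return ts, m["user"], m["src"]
    return None

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (source_ip, user) pairs that reach `threshold` failures within a
    sliding `window`. Returns {(src, user): timestamp of the tripping line}.
    Lines are assumed chronological per source."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_failure(line)
        if not parsed:
            continue
        ts, user, src = parsed
        q = recent[(src, user)]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (src, user) not in alerts:
            alerts[(src, user)] = ts
    return alerts

# Constructed sample lines imitating both log formats (not real logs).
SAMPLE = (
    [f"2019-05-06T10:12:{s:02d}.000000Z 42 [Note] Access denied for user "
     f"'root'@'10.0.0.5' (using password: YES)" for s in range(0, 12, 2)]
    + ["2019-05-06T10:20:00.000000Z 43 [Note] Access denied for user "
       "'app'@'10.0.0.7' (using password: YES)"]
    + [f"2019-05-06 10:12:{s:02d}.12 Logon       Login failed for user 'sa'. "
       f"Reason: Password did not match that for the login provided. "
       f"[CLIENT: 10.0.0.5]" for s in range(10)]
)
```

On the sample, `detect_bruteforce(SAMPLE)` flags root@10.0.0.5 on the MySQL side and sa@10.0.0.5 on the SQL Server side, while the single failure for the app account stays below the threshold.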
Page 61: Dictionary Attack Tools
Following are some of the dictionary attack tools:
• Cain & Abel
• John the Ripper
• THC Hydra
• Aircrack
• L0phtcrack
• AirSnort
Page 62: Dictionary Attack Tool: Cain & Abel
Password recovery tool for Microsoft operating systems.
Allows easy recovery of various kinds of passwords by:
• Sniffing the network
• Cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks
• Recording VoIP conversations
• Decoding scrambled passwords
• Recovering wireless network keys
• Revealing password boxes
• Uncovering cached passwords
• Analyzing routing protocols
Page 63: Cain & Abel: Screenshot 1
Page 64: Cain & Abel: Screenshot 2
Page 65: Dictionary Attack Tool: SQLdict
SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.
The use of this tool is simple: just specify the IP address being attacked and the user account to go up against, then load an appropriate wordlist to try via the Load Password File button.