LPTv4 Module 30 Database Penetration Testing_NoRestriction

Upload: mahmoud-eladawi

Post on 08-Nov-2014

TRANSCRIPT

Page 1: ECSA/LPT, EC-Council Module XXX: Database Penetration Testing

Page 2: Penetration Testing Roadmap

Start Here

• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing

Cont'd

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3: Penetration Testing Roadmap (cont'd)

Cont'd

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Bluetooth and Handheld Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing

End Here

Page 4: List of Steps

1. Scan for default ports used by the database
2. Scan for non-default ports used by the database
3. Identify the instance names used by the database
4. Identify the version numbers used by the database
5. Attempt to brute force password hashes from the database
6. Sniff database related traffic on the local wire

Page 5: List of Steps (cont'd)

7. Microsoft SQL server testing:

• 7.1. Test for direct access interrogation
• 7.2. Scan for Microsoft SQL server ports (TCP/UDP 1433)
• 7.3. Test for SQL Server Resolution Service (SSRS)
• 7.4. Test for buffer overflow in pwdencrypt() function
• 7.5. Test for heap/stack buffer overflow in SSRS
• 7.6. Test for buffer overflows in extended stored procedures
• 7.7. Test for service account registry key
• 7.8. Test the stored procedure to run web tasks
• 7.9. Exploit SQL injection attack
• 7.10. Blind SQL injection
• 7.11. Google hacks
• 7.12. Attempt direct-exploit attacks
• 7.13. Try to retrieve server account list
• 7.14. Using OSQL, test for default/common passwords
• 7.15. Try to retrieve sysxlogins table
• 7.16. Brute-force SA account

Page 6: List of Steps (cont'd)

8. Oracle server testing:

• 8.1. Port scan UDP/TCP ports (TCP/UDP 1433)
• 8.2. Check the status of TNS listener running at Oracle server
• 8.3. Try to login using default account passwords
• 8.4. Try to enumerate SIDs
• 8.5. Use SQL plus to enumerate system tables

9. MySQL server database testing:

• 9.1. Port scan UDP/TCP ports (TCP/UDP)
• 9.2. Extract the version of database being used
• 9.3. Try to login using default/common passwords
• 9.4. Brute-force accounts using dictionary attack
• 9.5. Extract system and user tables from the database

Page 7: Step 1: Scan for Default Ports Used by the Database

Use port scanning tools such as Nmap to scan for the ports used by the database.

Following are the default ports used for different products like Oracle Database or Oracle Application Server:

Page 8: Step 1: Scan for Default Ports Used by the Database (cont'd)

Page 9: Step 1: Scan for Default Ports Used by the Database (cont'd)

Page 10: Step 1: Scan for Default Ports Used by the Database (cont'd)

Page 11: Step 1: Scan for Default Ports Used by the Database (cont'd)

Page 12: Step 2: Scan for Non-Default Ports Used by the Database

Following are some other ports used by Oracle:

Service                   Port   Notes
sql*net                   66     Oracle SQL*NET
SQL*Net 1                 1525   Registered as orasrv
tlisrv                    1527   -
hcoauthor                 1529   -
Oracle Remote Data Base   1571   rdb-dbs-disp
oracle-em1                1748   -
oracle-em2                1754   -
Oracle-VP2                1808   -
Oracle-VP1                1809   -

Page 13: Step 2: Scan for Non-Default Ports Used by the Database (cont'd)

Service                   Port   Notes
oracle?                   2005   Registered as "berknet" for 2005 TCP, oracle for 2005 UDP
Oracle GIOP               2481   giop
Oracle GIOP SSL           2482   giop-ssl
Oracle TTC                2483   ttc. Oracle may use this port to replace 1521 in future
Oracle TTC SSL            2484   ttc-ssl
OEM Agent                 3872   oem-agent
Oracle RTC-PM port        3891   rtc-pm-port
Oracle dbControl Agent    3938   dbcontrol_agent

Page 14: Step 3: Identify the Instance Names Used by the Database

Specify a unique name while configuring an instance of Notification Services.

The instance name is used to identify instance database objects.

Instance resources are located by Notification Services using the instance name.

The instance name must be kept short, and based on unchanging entities.

The database supports multiple instances, but only one instance can be a default instance.

Instance name criteria:

• Same version
• Same edition
• Same language
• Same clustered state

Run WinSID to find instances of Oracle database.

Page 15: Step 4: Identify the Version Numbers Used by the Database

To check the version information of, for example, the Oracle database, simply connect and log in to the Oracle database with SQL*Plus. After login, you will see:

• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005

Oracle Universal Installer: check for Oracle version information.

Examples: Oracle8i, 9i, 10g, 11i

Page 16: Step 4: Identify the Version Numbers Used by the Database (cont'd)

Page 17: Step 5: Attempt to Brute-Force Password Hashes from the Database

Use tools such as Orabf to brute force password hashes.

Orabf is a brute force/dictionary tool for Oracle hashes.

Page 18: Step 6: Sniff Database Related Traffic on the Local Wire

Sniffing determines the number of database connections.

Use packet sniffing tools to sniff data packets from a network.

Page 19: Step 7: Microsoft SQL Server Testing

• Test for direct access interrogation
• Scan for Microsoft SQL Server ports (TCP/UDP 1433)
• Test for SQL Server Resolution Service (SSRS)
• Using OSQL, test for default/common passwords
• Try to retrieve Sysxlogins table
• Bruteforce SA account

Page 20: Step 7.1: Test for Direct Access Interrogation

Direct or ad hoc access enables users to directly access the underlying data structures.

Write special queries using asterisks (*) to directly interrogate the database.

Page 21: Step 7.2: Scan for Microsoft SQL Server Ports (TCP/UDP 1433)

Port 1433: Microsoft's SQL server, including the desktop editions that are often silently installed with other Microsoft applications, opens and services queries delivered over incoming TCP connections through this port.

Use a port scanning tool to scan port 1433 for Microsoft SQL server services.

Page 22: Step 7.3: Test for SQL Server Resolution Service (SSRS)

SSRS is used to provide referral services for multiple server instances running on the same machine.

Scan UDP port 1434 for SQL Server Resolution Service (SSRS).

Alternately, ping UDP port 1434 from another SQL server; a reply confirms SSRS.

Page 23: Step 7.3: Test for SQL Server Resolution Service (SSRS) (cont'd)

Check the hidden database instances and probe deeper into the system using the command:

sqlping3cl.exe -scantype [range, list, stealth] -StartIP [IP] -EndIP [IP] -IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]

Run the SQLPing v2.5 tool to look for SQL Server systems and find their version numbers.
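To inventory what the SQL Server Resolution Service on UDP 1434 advertises, here is an added example (not part of the EC-Council module) that decodes a reply in the format the service returns: a 0x05 type byte, a little-endian length, then ';'-separated key/value pairs with each instance ending in ';;'. The reply bytes, host name, instance names and ports below are constructed for illustration.

```python
"""Decode a SQL Server Resolution Service (SSRS, UDP 1434) reply.

Added example; not code from the EC-Council module. The sample reply is
constructed, not captured from a real host. Feed it a reply captured with a
sniffer or returned by a probe such as the SQLPing tool named on the slide.
"""
from __future__ import annotations

SVR_RESP = 0x05  # message type of the server's reply (a 0x02 request asks for all instances)

# Constructed sample: one host advertising a default instance on 1433 and a
# named instance that was assigned a dynamic TCP port (all values assumed).
_SAMPLE_BODY = (
    b"ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;DBHOST01;InstanceName;REPORTING;IsClustered;No;"
    b"Version;9.00.5000.00;np;\\\\DBHOST01\\pipe\\MSSQL$REPORTING\\sql\\query;"
    b"tcp;52137;;"
)
SAMPLE_REPLY = bytes([SVR_RESP]) + len(_SAMPLE_BODY).to_bytes(2, "little") + _SAMPLE_BODY


def parse_ssrs_reply(data: bytes) -> list[dict[str, str]]:
    """Return one dict of key/value fields per instance advertised in the reply."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRS server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length]
    if len(body) != length:
        raise ValueError("reply is truncated: header length exceeds payload")
    text = body.decode("latin-1").rstrip("\x00")
    instances = []
    for record in text.split(";;"):
        if not record:
            continue  # trailing separator
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError(f"malformed instance record: {record!r}")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_endpoints(instances: list[dict[str, str]]) -> list[tuple[str, int]]:
    """(instance name, TCP port) for every instance reachable over TCP."""
    return [(inst.get("InstanceName", "?"), int(inst["tcp"]))
            for inst in instances if "tcp" in inst]


def ports_outside_default(instances: list[dict[str, str]],
                          default_port: int = 1433) -> list[tuple[str, int]]:
    """Instances listening somewhere other than 1433: a firewall rule that only
    covers 1433/tcp, or a scan of that port alone (step 7.2), misses these."""
    return [(name, port) for name, port in tcp_endpoints(instances)
            if port != default_port]


if __name__ == "__main__":
    found = parse_ssrs_reply(SAMPLE_REPLY)
    for name, port in tcp_endpoints(found):
        print(f"{name}: tcp/{port}")
    print("not covered by a 1433-only rule:", ports_outside_default(found))
```

The named instance on a dynamic port is the case the slide calls a hidden instance: it only shows up through UDP 1434, so that port is worth checking at the firewall as well.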

Page 24: Step 7.4: Test for Buffer Overflow in pwdencrypt() Function

The pwdencrypt() function compares the user supplied password with the stored password while logging in.

A buffer overflow in the pwdencrypt() function provides a chance for an intruder to run arbitrary code in the SQL server by sending a crafted password value.

Check the unchecked buffer in the password encryption procedure and bulk insert procedure.

Check the incorrect permission on the SQL Server service account registry key.

Page 25: Step 7.5: Test for Heap/Stack Buffer Overflow in SSRS

Run arbitrary code by sending a crafted request to port 1434/udp.

Scan the UDP port 1434 at the firewall.

Page 26: Step 7.6: Test for Buffer Overflows in Extended Stored Procedures

Check the extended stored procedures that cause stack buffer overflow.

Check the publicly accessible database queries and filter them before processing.

Try to load and execute a database query that calls one of the affected functions.

Run the arbitrary code with the escalated privileges of the SQL service account.

Page 27: Step 7.7: Test for Service Account Registry Key

Alter the SQL service account registry key with the "xp_regwrite" extended stored procedure.

Pretend to be an administrator to escalate the privileges, which allows weakening the security policy of the SQL server.

This allows the attacker to run any query or command with the rights of the operating system.

Page 28: Step 7.8: Test the Stored Procedure to Run Web Tasks

Log into a SQL server.

Run the stored procedure for web tasks.

Attempt to delete, update, or insert new web tasks in order to escalate privileges.

Page 29: Step 7.9: Exploit SQL Injection Attack

An SQL injection attack enables a user to read the details of the database.

Run special queries to gain access to the database, such as:

• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='

Use an automated tool, such as SQL Injector.

Page 30: Test for SQL Injection Attack
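The slide's two EXISTS(...) payloads each answer one yes/no question about jake's password, and they only work when the application splices input into the SQL text. This added example (not from the EC-Council module) runs them against an in-memory SQLite database with constructed sample rows, first through a string-built query and then through a parameterised one; the products table and the sample passwords are assumptions.

```python
"""The slide's boolean SQL injection, run against a vulnerable and a hardened query.

Added example, not from the EC-Council module. Uses an in-memory SQLite
database with constructed sample rows; table and column names follow the
slide's payload (users, name, password), the products table is assumed.
"""
from __future__ import annotations

import sqlite3

# Payloads copied from the slide, prefixed with the quote that closes the
# application's own string literal so the EXISTS(...) test becomes part of
# the WHERE clause. The first asks "does jake's password contain a w?", the
# second "is the third character a w?": one yes/no bit per request.
PAYLOAD_CONTAINS_W = (
    "' OR EXISTS(SELECT * FROM users WHERE name='jake' "
    "AND password LIKE '%w%') AND ''='"
)
PAYLOAD_THIRD_IS_W = (
    "' OR EXISTS(SELECT * FROM users WHERE name='jake' "
    "AND password LIKE '__w%') AND ''='"
)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a login table the web application never displays."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('jake', 'sw0rdfish'), ('ann', 'letmein');
        CREATE TABLE products(name TEXT, price REAL);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, product: str) -> list[str]:
    """String-built query: the input is parsed as SQL, so the injected EXISTS
    subquery decides whether any rows come back (AND binds tighter than OR)."""
    sql = "SELECT name FROM products WHERE name='" + product + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, product: str) -> list[str]:
    """Bound parameter: the input is only ever compared as data, so the same
    payload simply fails to match any product name."""
    sql = "SELECT name FROM products WHERE name=? ORDER BY name"
    return [row[0] for row in con.execute(sql, (product,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, '%w%' :", lookup_vulnerable(db, PAYLOAD_CONTAINS_W))
    print("vulnerable, '__w%':", lookup_vulnerable(db, PAYLOAD_THIRD_IS_W))
    print("safe, '%w%'       :", lookup_safe(db, PAYLOAD_CONTAINS_W))
```

With the sample password, the first payload makes every product row come back from the vulnerable query and the second returns nothing, which is exactly the true/false signal a blind attacker reads; the parameterised query returns nothing for either.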

Page 31: Step 7.10: Blind SQL Injection

A blind SQL injection attack enables an unauthorized user to exploit web applications and back-end SQL servers.

Use the Absinthe tool to exploit the web application.

Page 32: Step 7.11: Google Hacks

Google searches for SQL server errors enable unauthorized users to find databases and vulnerabilities in SQL server.

Check out Google queries at Johnny Long's "Google Hacking Database": http://johnny.ihackstuff.com/index.php?module=prodreviews

Page 33: Step 7.12: Attempt Direct-exploit Attacks

Direct-exploit attacks allow users to perform code injection and gain unauthorized command line access.

Use the Metasploit tool for direct-exploit attacks.

Page 34: Step 7.13: Try to Retrieve Server Account List

A server account list contains SQL login IDs and data of the connected servers.

Use the following command to access the account list:

Page 35: Step 7.13: Try to Retrieve Server Account List (cont'd)

When the user manages to access the account list, it will show the output.

Page 36: Step 7.14: Using OSQL Test for Default/Common Passwords

The osql utility is a Microsoft® Win32® command prompt utility for ad hoc, interactive execution of Transact-SQL statements and scripts.

The osql utility is typically used in these ways:

• Users interactively enter Transact-SQL statements in a manner similar to working on the command prompt. The results are displayed in the command prompt window.
• Users submit an osql job either specifying a single Transact-SQL statement to execute or pointing the utility to a text file that contains Transact-SQL statements to execute.

Page 37: Step 7.15: Try to Retrieve Sysxlogins Table

Access information for an SQL server is stored in the sysxlogins system table.

The Sysxlogins system table stores qualified user and group names.

The Sysxlogins table is queried first to retrieve the login name and SID of a user using the SUSER_SNAME() and SUSER_SID() functions.

If the sysxlogins table does not match the requested username or SID, then the Windows Local Security Authority (LSA) is queried for the information.

Page 38: Try to Retrieve Sysxlogins Table Views

The Sysxlogins system table resides only in the master database, containing information regarding logins of users, and can only be accessed through the following views:

• Syslogins: SQL server login information is provided by interpreting the "status" column
• Sysremotelogins: Each remote user is allocated one row in the table to call remote stored procedures on the SQL server
• Sysoledbusers: Allocates one row each for user and password mapping

sp_addlogin: The system stored procedure to create a new login account in the sysxlogins system table

Page 39: SQL Server System Tables

Page 40: Step 7.16: Brute-force SA Account

SA is a built-in database administrator login.

A brute-force attack is trying every possible combination of characters as the password until the correct password is found.

Use password cracking tools such as THC Hydra to brute-force the SA login password.

Page 41: Step 8: Oracle Server Testing

• Port scan UDP/TCP ports (TCP/UDP 1433)
• Check the status of TNS listener running at Oracle server
• Try to login using default account passwords
• Try to enumerate SIDs
• Use SQL plus to enumerate system tables

Page 42: Port Scanning Basic Techniques

The basic port scan tries to know which port is open or available to probe in.

TCP connect(): The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed.

Strobe: A strobe does a narrower scan, only looking for those services the attacker knows how to exploit.

Page 43: Port Scanning Advanced Techniques

• Fragmented packet port scan
• SYN scan
• FIN scan
• Bounce scan
• Finger
• UDP scanning
• ICMP scan
• Fingerprinting an OS

Page 44: Step 8.1: Port Scan UDP/TCP Ports (TCP/UDP 1433)

Use a port scanning tool such as Nmap to scan for port 1433.

Page 45: Step 8.2: Check the Status of TNS Listener Running at Oracle Server

The TNS Listener process is an independent process that connects the database and resides in the software layer of both client and server.

The TNS Listener establishes connections between the Oracle server and a client application, allowing valid users who have permissions to control the database and OS to execute arbitrary code.

To find the TNS Listener, use port scanners like Nmap and amap.

If the Listener is not password protected, to get the SID use the following command:

• tnscmd10g.pl status -h <ip-address>

Page 46: Step 8.2: Check the Status of TNS Listener Running at Oracle Server (cont'd)

The Oracle TNS Listener is the lynchpin between a user/web server offering connection and the back-end database.

Files that control the listener are:

• $ORACLE_HOME/bin/lsnrctl - This is the actual Listener control program.
• $ORACLE_HOME/network/admin/listener.ora - The actual TNS Listener config file.
• $ORACLE_HOME/bin/tnslsnr - The actual listening process.

Page 47: Oracle TNS Listener: Screenshot

Page 48: Finding the TNS Listener

Page 49: Listener Modes

The Listener can be configured in one of three modes:

• Database: Provides network access to an Oracle database instance
• PLSExtProc: Method for PL/SQL packages to access operating system executables
• Executable: Provides network access to operating system executables

Page 50: Step 8.3: Try to Login Using Default Account Passwords

Page 51: Step 8.3: Try to Login Using Default Account Passwords (cont'd)

Page 52: Step 8.3: Try to Login Using Default Account Passwords (cont'd)

Page 53: Step 8.4: Try to Enumerate SIDs

Use the Oracle Password Guesser (opwg) utility of Oracle Auditing Tools (OAT) to enumerate a SID/multiple SIDs for default usernames and passwords.

Page 54: Step 8.5: Use SQL Plus to Enumerate System Tables

SQL*Plus runs .sql scripts against Oracle.

Run WinSID or a similar tool to look for the service name.

Ex: SERVICE_NAME=test.domain

To establish a connection to the remote database, go to the command prompt and type:

• sqlplus user/password@test.domain

Now from SQL> run @c:\sql\sql.sql (the script is located at c:\sql and is called sql.sql)

Page 55: SQL PLUS: Screenshot

Page 56: Step 9: MySQL Server Database Testing

• Port scan UDP/TCP ports (TCP/UDP)
• Extract the version of database being used
• Try to logon using default/common passwords
• Brute force accounts using dictionary attack
• Extract system and user tables from the database

Page 57: Step 9.1: Port Scan UDP/TCP Ports (TCP/UDP)

Use port scanning tools such as Nmap and scan TCP/UDP ports for MySQL Server Database services.

Page 58: Step 9.2: Extract the Version of Database being Used

SQLver extracts the version by querying the file snetlib.dll without logging into servers.

It uses TCP port 1433.

It just connects to the specified TCP port and starts working.

Execution:

• sqlver <ip_address/hostname> <port_no.>

Page 59: Step 9.3: Try to Login Using Default/Common Passwords

Try passwords like admin, administrator, sa, password, etc.

Page 60: Step 9.4: Brute-force Accounts Using Dictionary Attack

A method to break password-based security systems is by testing all common words as possible passwords.

It can be done in two ways:

• Manually.
• By making use of software and a database which contains millions of possible words.

It can be used to:

• Determine the decryption key.
• Probe and break password mechanisms.
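The SA brute-force of Step 7.16 and the default-password and dictionary attempts of Steps 9.3 and 9.4 both leave a run of failed logins in the server's own error log. This added detector (not part of the EC-Council module) parses SQL Server ERRORLOG "Login failed" lines and MySQL error-log "Access denied" lines and flags one client failing repeatedly against one account inside a short window; the log lines are constructed samples and the threshold and window are assumed tuning values.

```python
"""Flag password-guessing bursts in SQL Server and MySQL error logs.

Added example, not from the EC-Council module. Sample log lines are
constructed; the threshold and window are assumed tuning values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG, error 18456:
#   "... Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 10.0.0.5]"
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)
# MySQL error log (5.7+ layout):
#   "... [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)"
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z \d+ \[\w+\] "
    r"Access denied for user '(?P<user>[^']+)'@'(?P<ip>[^']+)'"
)
FORMATS = (("mssql", MSSQL_RE, "%Y-%m-%d %H:%M:%S"),
           ("mysql", MYSQL_RE, "%Y-%m-%dT%H:%M:%S"))

# Constructed sample: six 'sa' failures from one client in four seconds, one
# stray 'sa' failure from another client, noise, then five MySQL 'root' failures.
SAMPLE_LOG = """\
2014-11-08 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2014-11-08 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:00:02.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:00:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:00:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:00:04.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2014-11-08 10:03:15.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2014-11-08 10:05:00.11 spid52      Starting up database 'tempdb'.
2014-11-08T10:10:01.000001Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-11-08T10:10:01.500001Z 13 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-11-08T10:10:02.000001Z 14 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-11-08T10:10:02.500001Z 15 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2014-11-08T10:10:03.000001Z 16 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
"""


def parse_line(line):
    """Return {'source', 'ts', 'user', 'ip'} for a failed-login line, else None."""
    for source, rx, fmt in FORMATS:
        m = rx.match(line)
        if m:
            return {"source": source, "ts": datetime.strptime(m["ts"], fmt),
                    "user": m["user"], "ip": m["ip"]}
    return None


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count per (source, user, client ip).

    Emits one alert tuple (source, user, ip, first_failure, count) the first
    time a key reaches `threshold` failures inside `window`. Lines are expected
    in time order, as they are in the log files themselves."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["source"], ev["user"], ev["ip"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(key + (q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for source, user, ip, first, count in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{source}: {count} failed logins as '{user}' from {ip} since {first}")
```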

Page 61: Dictionary Attack Tools

Following are some of the dictionary attack tools:

• Cain & Abel
• John the Ripper
• THC Hydra
• Aircrack
• L0phtcrack
• AirSnort
• SolarWinds
• Pwdump
• RainbowCrack
• Brutus

Page 62: Dictionary Attack Tool: Cain & Abel

Password recovery tool for Microsoft operating systems.

Allows easy recovery of various kinds of passwords by:

• Sniffing the network
• Cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks
• Recording VoIP conversations
• Decoding scrambled passwords
• Recovering wireless network keys
• Revealing password boxes
• Uncovering cached passwords
• Analyzing routing protocols

Its main purpose is simplified recovery of passwords and credentials from various sources.

Page 63: Cain & Abel: Screenshot 1

Page 64: Cain & Abel: Screenshot 2

Page 65: Dictionary Attack Tool: SQLdict

SQLdict is a basic single-IP brute-force MS SQL server password utility that can carry out a dictionary attack against a named SQL account.

The use of this tool is simple: just specify the IP address being attacked and the user account to run against, then load an appropriate wordlist to try via the Load Password File button.

Page 66: Step 9.5: Extract System and User Tables from the Database

User tables contain information such as host, user names, passwords, and privileges of particular users.

To extract system and user tables, go to User Administration from the database administration panel.

Page 67: Summary

In this module, we learned:

• How to scan default and non-default ports of databases.
• How to identify instance names and version numbers of database servers.
• How to test Microsoft SQL servers, Oracle servers, and MySQL server databases.
• How to enumerate SIDs and crack login passwords.
