9 - Database Pen Testing Flashcards
1
Q
What are the steps for DB Pen Testing?
A
- Info Recon
- Scan for ports
- Sniff DB related traffic
- Discover Databases on Network
- Database Enumeration: Oracle
  - Scan for other Default ports used by Oracle (80, 389, 443, 636, 1521, 1526)
  - Check the status of the TNS Listener running on the Oracle server
  - Enumerate the Database (use Tnsping, Metasploit, error messages, hxxps://hostname:portnumber/em, SQL*Plus, Oscanner utility)
- Database Enumeration: MS SQL Server
  - Scan for Default Ports used by SQL Server DB (TCP: 1434, 2383, 2382, 135, 80/443, 4022)
  - Enumerate the database using NMAP scripts
  - Enumerate DB using Standard SQL Queries (Utilize asterisks to directly interrogate the DB)
  - Enumerate using SQL Server Resolution Service (SSRS: used to provide referral services for multiple server instances)
- Database Enumeration: MySQL
- Vulnerability and Exploit Research
  - Conduct Exploit Research for known vulnerabilities
  - Perform Vulnerability Scanning on Target DB (Scuba scanner, McAfee, AppDetectivePro)
- Database Exploitation: Oracle
  - Try to log in using Default Account Passwords (SYS, SYSTEM, DBSNMP)
  - Try to Brute Force Oracle Logins (Metasploit)
  - Test whether Execution of Privileges is Allowed
  - Try to Bypass the Protections Provided by the Oracle DB Vault
  - Attempt to Brute-force Password Hashes from the Oracle Database (use Orabf)
- Database Exploitation: MS SQL Server
  - Test the Stored Procedure to Run Web Tasks (Attempt to delete, update, or insert tasks)
  - Brute Force SA Account (SA is a built-in DB admin login; NMAP)
- Database Enumeration: MySQL
  - Try to Log in using Default/Common Passwords
  - Brute Force Accounts using Dictionary Attack (Manually, Automatically)
- Database Password Cracking Tools: Cain & Abel, HexorBase
2
Q
What ports are related to DB specific traffic?
A
- Oracle SQLPlus: 1521
- SQL Server: 1433
- MySQL: 3306
3
Q
What is the purpose of a TNS (Transparent Network Substrate) listener?
A
It is an independent process that connects to the database and resides in the software layer of both client and server. It establishes connections between the Oracle server and the client application, allowing valid users with permissions to control the database and OS to execute arbitrary code. The files that control the listener are:
- $ORACLE_HOME/bin/lsnrctl (actual listener control program)
- $ORACLE_HOME/network/admin/listener.ora (actual TNS Listener config file)
- $ORACLE_HOME/bin/tnslsnr (actual listening process)
4
Q
What are some NMAP scripts used to enumerate MS SQL DB?
A
- broadcast-ms-sql-discover: Discovers SQL servers in same broadcast domain
- ms-sql-brute: Performs password guessing against MS SQL server
- ms-sql-config: Queries MS SQL Server instances for a list of databases, linked servers, and config settings
- ms-sql-dac: Queries the MS SQL Browser service for the DAC (Dedicated Admin Connection) port
- ms-sql-dump-hashes: Dumps the password hashes from an MS-SQL server in a format suitable for cracking tools
- ms-sql-empty-password: Attempts to authenticate to MS SQL servers using an empty password for the sysadmin account
- ms-sql-hasdbaccess: Queries MS SQL Server instances for a list of databases a user has access to
- ms-sql-info: Attempts to determine config and version info for MS SQL Server instances
- ms-sql-ntlm-info: Enumerates info from remote MS SQL services with NTLM authentication enabled
- ms-sql-query: Runs a query against MS SQL Server
- ms-sql-tables: Queries MS SQL Server for a list of tables per database
- ms-sql-xp-cmdshell: Attempts to run a command shell via MS SQL Server
5
Q
What are some Countermeasures?
A
- Ensure physical security of your server
- Place a firewall between the Internet and your server
- Always use multiple FWs to create screened subnets
- Always block TCP port 1433 and UDP port 1434
- Isolate services
- Create a security threat checklist
- Relevant security training is required for all developers and testers
- Do not allow direct catalog updates
- Assign permissions to roles rather than to users
- Verify the safety of all stored procedures that have been marked for Autostart
- Never install SQL Server on a domain controller
- Regularly scan for accounts with NULL passwords and remove them
- Install a certificate to enable SSL connections
- Use the SQL Server service account to encrypt DB files with EFS
- Certs should use fully qualified DNS name of the server
- Allow linked server access only to those logins that need it
- Allow ad hoc data access only for trusted providers
- Never grant permissions to the public database role
- Use complex passwords
- Remove sample DBs from production servers