Ethical Hacking and Countermeasures Countermeasures Version 6 Mod le XLII Mod u le XLII Hacking Database Servers News EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Source: http://searchsecurity.techtarget.com/ Module Objective This module will familiarize you with: Database Servers Attackin g Oracle g How to Break into an Oracle Database Oracle Worm Oracle Worm Hacking SQL Server T Hk Tik Eli T en H ac k er T r i c k s to E xp l o i t How SQL Server is Hacked EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools Module Flow Database Servers How SQL Server is Hacked Oracle Worm Attacking Oracle Hacking SQL Server Tools How to Break into an Oracle Database Ten Hacker Tricks to Exploit EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Introduction Databases are the heart of a commercial website An attack on database servers can cause a great monetary loss for the company Database servers are usually hacked to get the critical information Mistakes made by the web designers can reveal the databases of the server to the hacker EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited H ac kin g O r ac l e ac g O ac e Database Server EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Attacking Oracle Finding an Oracle database server on network is done Finding an Oracle database server on network is done using TCP port scan O h Ol db h b di d O nce t h e O rac l e d ata b ase server h as b een di scovere d , the first port of call is the TNS Listener Using PL/SQL Injection, attackers can potentially elevate their level of privilege from a low-level PUBLIC account to an account with DBA-level privileges EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Security Issues in Oracle SQL Injection SQL Manipulation Code Injection Attack Buffer Overflow EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Types of Database Attacks Excessive p rivile g es: pg • When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access function, these privileges may be used to gain access to confidential information Solution: • Query-level access control as it restricts privileges to minimum-required operations and data EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Types of Database Attacks (cont ’ d) (cont d) Privilege abuse: • Privilege is abused when a system user performs an action that is not in accordance with corporate policy or law U b lii d iil f • U sers may a b use l eg i t i mate d ata access pr i v il eges f or unauthorized purposes A t l li i th t l t l t h t d t i Solution: • A ccess con t ro l po li c i es th a t app l y no t on l y t o w h a t d a t a i s accessible, but how data is accessed • By enforcing policies for time of day, location, and application client and volume of data retrieved, it is possible to identify EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited client and volume of data retrieved, it is possible to identify users who are abusing access privileges [...]... an ODBC data source and p g y g y the ability of the client to connect to a server ¿ Syntax: y odbcping [/?] | [ { -Sserver_name [\instance_name] | -Ddata_source } [- Ulogin_id] [-Ppassword] ] EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Tool: ASPRunner Professional ASPRunner Professional enables to create a set of ASP pages to access and modify data from... publish an existing database FlexTracer enables to trace SQL-queries for various RDBMS and SQL queries functions exported by DLLs EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited... access and encryption/decryption operations in the yp / yp p background EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Security Tools (cont’d) AppDetective: • It is a network-based, penetration testing/vulnerability assessment scanner that locates and determines security strength of databases within a network • After locating, it examines, reports, and help... to transfer the , ; pp payload EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Hacking SQL Server g Q EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Ten Hacker Tricks to Exploit SQL Server Systems The following are the tricks to exploit SQL Server systems: • • • • • • • • • • EC-Council Direct Connections via... SA passwords Direct exploit Direct-exploit attacks SQL injection Blind SQL injection Reverse engineering the system Google h k G l hacks Perusing Web site source code Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Screenshots for Hacker Tricks Vulnerability Scanning SQL Injection Direct-exploit Attacks EC-Council Copyright © by EC-Council All Rights Reserved Reproduction... Edition • MS SQL Client tools such as Query Analyzer and odbcping • NGSSniff • NGSSQLCrack • NGSSQuirreL • Microsoft Visual C++ EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Query Analyzer Microsoft SQL Server SQL Query Analyzer is a graphical tool that allows you to: • Create queries and other SQL scripts and execute them against SQL Server databases (Query... parameters(Object Browser procedure execution feature) • D b stored procedures(T-SQL D b Debug d d (T SQL Debugger) ) • Debug query performance problems(Show Execution Plan, Show Server Trace, Show Client Statistics, and Index Tuning Wizard) • Add frequently used commands to the Tools menu(customized Tools menu feature) EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited odbcping... can be defeated by parsing and validating SQL communications to make sure they are not malformed Exposure of backup data: • Some recent high profile attacks have involved theft f database b k t th ft of d t b backup tapes and h d di k d hard disks EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited How to Break into an Oracle Database and Gain DBA Privileges New... delete, and add data into database In addition, it can restrict access to data with a login page either with a specified username/password or existing user information from database You can specify which fields to include and which fields should b searchable h ld be h bl EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited ASPRunner Professional: Screenshot EC-Council... EC-Council Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Tool: FlexTracer FlexTracer enables to trace SQL-queries for various RDBMS and functions exported by DLLs It creates a history log containing all invoked operations, as well as their results, parameters, and execution times FlexTracer currently supports Oracle (OCI), MS SQLServer DB-Lib, MySQL, Interbase/Firebird, . Ethical Hacking and Countermeasures Countermeasures Version 6 Mod le XLII Mod u le XLII Hacking Database Servers News EC-Council Copyright © by EC-Council All Rights Reserved confidential information Solution: • Query-level access control as it restricts privileges to minimum-required operations and data EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction. location, and application client and volume of data retrieved, it is possible to identify EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited client and