Ethical Hacking and Countermeasures v6
Exam 312-50 Certified Ethical Hacker
Module XLII: Hacking Database Servers

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News

Source: http://searchsecurity.techtarget.com/

According to the report generated by security guru David Litchfield, a large number of Microsoft SQL Server and Oracle database servers are vulnerable to attacks due to a lack of updates. The report, called "The Database Exposure Survey 2007," highlighted about 368,000 Microsoft SQL Servers and 124,000 Oracle database servers that are not protected by a firewall and are directly accessible. According to Litchfield's research, 66 percent of Oracle database servers were found to be vulnerable.
Module Objective

This module will familiarize you with:
• Database Servers
• Attacking Oracle
• How to Break into an Oracle Database
• Oracle Worm
• Hacking SQL Server
• Ten Hacker Tricks to Exploit
• How SQL Server is Hacked
• Tools

Module Flow

• Database Servers
• How SQL Server is Hacked
• Attacking Oracle
• How to Break into an Oracle Database
• Oracle Worm
• Hacking SQL Server
• Ten Hacker Tricks to Exploit
• Tools

Introduction

Source: http://neworder.box.sk/newsread.php?newsid=7703

• Databases are the heart of a commercial website
• An attack on database servers can cause a great monetary loss for the company
• Database servers are usually hacked to get the critical information
• Mistakes made by the web designers can reveal the databases of the server to the hacker

Databases are the central part of any website and are frequent targets of attack. Attacks on a database can bring huge losses to the organization. Most databases are hacked to obtain critical information such as credit card numbers, account numbers, and their passwords.
Most databases get hacked because of poor web design. Small mistakes in the web design make the site vulnerable to attack. An attacker exploits such a vulnerability and extracts the critical information from the database. An attack on a commercial website can damage the company's reputation, and customers may lose their faith in it. Most databases are hacked using web browsers.

Hacking Oracle Database Server

Attacking Oracle

An Oracle database server on a network is found using a TCP port scan. Once the Oracle database server has been discovered, the first port of call is the TNS Listener. Using PL/SQL injection, attackers can potentially elevate their level of privilege from a low-level PUBLIC account to an account with DBA-level privileges. With DBA privileges, an attacker can do anything with the database. An attacker can steal the personal information of the users and misuse it.
Security Issues in Oracle

The security issues found in Oracle are as follows:

SQL Injection: A SQL injection attack exploits input that is not validated. The attacker sends malicious SQL commands through a web application, and they are executed in the back-end database. Programmers use sequential SQL commands with client-supplied parameters, which makes it easier for attackers to inject commands. Attackers can then execute arbitrary SQL queries on the database server through the web application.

SQL Manipulation: SQL manipulation gives the attacker the privileges of a valid, authorized user to access the database. With the help of this attack, an attacker can make a backdoor entry to the database.

Code Injection Attack: In a code injection attack, attackers try to add extra SQL statements or commands to an existing SQL statement. This attack is mostly carried out against the EXECUTE statement in SQL Server applications.

Buffer Overflow: Buffer overflows in the database occur in standard functions such as bfilename, to_timestamp_tz, and tz_offset, and can be exploited using a SQL injection attack. Function injection methods on the functions bfilename, to_timestamp_tz, and tz_offset are used to execute a buffer overflow attack.
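The SQL injection issue described above comes down to whether client-supplied input becomes part of the SQL text. The following is an added example, not part of the original courseware; it uses Python's built-in sqlite3 module as a stand-in for the back-end database, and the table, rows, and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # In-memory stand-in for the back-end database; all rows are constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, card TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "CARD-A"), ("bob", "CARD-B"), ("o'brien", "CARD-C")])
    return db

def lookup_concatenated(db, owner):
    # Vulnerable pattern: the client-supplied value becomes part of the SQL text.
    sql = "SELECT owner, card FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    # Hardened pattern: the value is bound as data and is never parsed as SQL.
    return db.execute("SELECT owner, card FROM accounts WHERE owner = ?",
                      (owner,)).fetchall()

def compare(db, owner):
    # Run both lookups on the same input; report a parse failure as "error".
    try:
        unsafe = len(lookup_concatenated(db, owner))
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, len(lookup_parameterized(db, owner))

if __name__ == "__main__":
    db = make_db()
    # A normal name, a legitimate name with a quote, and a quote-bearing input
    # that changes the WHERE clause when concatenated.
    for value in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(value), compare(db, value))
```

The concatenated lookup breaks on a legitimate name containing a quote and returns every row for the crafted input, while the bound-parameter lookup treats both as plain data.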
Types of Database Attacks

Excessive privileges:
• When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information
Solution:
• Query-level access control, as it restricts privileges to minimum-required operations and data

Privilege abuse:
• Privilege is abused when a system user performs an action that is not in accordance with corporate policy or law
• Users may abuse legitimate data access privileges for unauthorized purposes
Solution:
• Access control policies that apply not only to what data is accessible, but how data is accessed
• By enforcing policies for time of day, location, application client, and volume of data retrieved, it is possible to identify users who are abusing access privileges

Platform vulnerabilities:
• Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption
Solution:
• IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities
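The privilege-abuse solution above names four policy dimensions: time of day, location, application client, and volume of data retrieved. The following is an added example, not part of the original courseware, that checks database audit records against such a policy; the record format, policy values, and user names are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Hypothetical policy for one application role; every value is an assumption.
POLICY = {
    "hours": range(8, 18),                             # allowed time of day
    "network": ipaddress.ip_network("10.20.0.0/16"),   # allowed client location
    "clients": {"healthcare-app"},                     # allowed application client
    "max_rows": 50,                                    # allowed rows per query
}

# Constructed audit records: timestamp, user, source IP, client program, rows.
AUDIT = [
    "2024-03-04T10:15:00 nurse1 10.20.3.7 healthcare-app 1",
    "2024-03-04T10:17:00 nurse1 10.20.3.7 excel 48210",
    "2024-03-04T23:40:00 nurse2 10.20.3.9 healthcare-app 3",
    "2024-03-05T09:05:00 nurse2 192.168.50.4 healthcare-app 2",
]

def violations(line, policy=POLICY):
    # Return (timestamp, user, list of policy dimensions the record breaks).
    ts, user, ip, client, rows = line.split()
    found = []
    if datetime.fromisoformat(ts).hour not in policy["hours"]:
        found.append("time of day")
    if ipaddress.ip_address(ip) not in policy["network"]:
        found.append("location")
    if client not in policy["clients"]:
        found.append("application client")
    if int(rows) > policy["max_rows"]:
        found.append("volume of data")
    return ts, user, found

def flag_abuse(lines, policy=POLICY):
    # Group out-of-policy records by user so a reviewer sees the pattern.
    report = {}
    for line in lines:
        ts, user, found = violations(line, policy)
        if found:
            report.setdefault(user, []).append((ts, found))
    return report

if __name__ == "__main__":
    for user, hits in flag_abuse(AUDIT).items():
        print(user, hits)
```

The second record mirrors the courseware's own scenario: a user permitted to view individual records through the custom application retrieves a large result set through a different client.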
Denial of service:
• Common DoS techniques include buffer overflows, data corruption, network flooding, and resource consumption

Database protocol vulnerabilities:
• Vulnerabilities in database protocols may allow unauthorized data access, corruption, or loss of availability
• Protocol attacks can be defeated by parsing and validating SQL communications to make sure they are not malformed

Exposure of backup data:
• Some recent high-profile attacks have involved theft of database backup tapes and hard disks

Types of Database Attacks

Excessive privileges: When a user or application is granted more database privileges than required, those privileges may be used to gain access to confidential information. For example, a university administrator whose job requires only read-only access to student records may take advantage of unnecessary privileges to change the grades in those records.
Solution: The key to this problem (apart from good hiring policies) is query-level access control. Query-level access control limits privileges to minimum-required operations and data.

Privilege abuse: Users may misuse legitimate data access privileges for unauthorized purposes. For example, consider a user who has permission to view individual patients' records via a custom healthcare application. The user may wrongfully use that privilege to access all patient records via an MS-Excel client. Users may misuse privileges in this way to gain unauthorized access to all records.
Solution: The key to this problem is to apply access control policies both to what data is accessed and to how it is accessed. Users abusing access privileges can be identified by applying policies for:
o Time of day.
o Location.
o Application client and volume of data retrieved.

Platform vulnerabilities: Hidden vulnerabilities in operating systems may lead to unauthorized data access and corruption.
For example, the Blaster worm took advantage of a Windows 2000 vulnerability and brought down the target servers.
Solution: The best way to identify and/or block these kinds of attacks is to use IPS tools, which detect attacks designed to exploit known database platform vulnerabilities.

Denial-of-service: Denial-of-service (DoS) can be carried out using the following techniques:
o Buffer overflows.
o Data corruption.
o Network flooding.