Chapter 16

Databases and Storage Systems

In This Chapter

  • Testing and exploiting database flaws
  • Finding storage weaknesses
  • Ferreting out sensitive information
  • Countering database and storage abuse

Attacks against databases and storage systems can be very serious because that’s where “the goods” are located, and those with ill intent are well aware of that. These attacks can occur across the Internet or on the internal network when external attackers and malicious insiders exploit any number of vulnerabilities. These attacks can also occur via the web application through SQL injection.

Diving Into Databases

Database systems, such as Microsoft SQL Server, MySQL, and Oracle, have lurked behind the scenes, but their value and their vulnerabilities have finally come to the forefront. Yes, even the mighty Oracle that was once claimed to be unhackable is susceptible to exploits similar to its competition. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within because practically every business (large and small) uses some sort of database either in-house or hosted in the cloud.

Choosing tools

As with wireless networks, operating systems, and so on, you need good tools if you’re going to find the database security issues that count. The following are my favorite tools for testing database security:

You can also use exploit tools, such as Metasploit, for your database testing.

Finding databases on the network

The first step in discovering database vulnerabilities is to figure out where they’re located on your network. It sounds funny, but many network admins I’ve met aren’t even aware of various databases running in their environments. This is especially true for the free SQL Server Express database software editions that anyone can download and run on your network.

Warning: I can’t tell you how often I find sensitive production data, such as credit card and Social Security numbers, being used in test databases that are completely wide open to abuse by curious insiders or even external attackers that have made their way into the network. Using sensitive production data in the uncontrolled areas of the network such as sales, software development, and quality assurance (QA) is a data breach waiting to happen.

The best tool I’ve found to discover Microsoft SQL Server systems is SQLPing3, which is shown in Figure 16-1.


Figure 16-1: SQLPing3 can find SQL Server systems and check for missing sa account passwords.

SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This is a nice feature as Windows Firewall is enabled by default on Windows 7 and up.
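As an added illustration (not from the book or from SQLPing3), the Python below performs the same kind of SQL Server Browser discovery that SQLPing3 does: it broadcasts one SSRP request to UDP 1434, parses the key;value answers, and flags any instance that is missing from an approved inventory. The host and instance names in the sample datagram are constructed, not captured traffic.

```python
import socket

SSRP_PORT = 1434            # SQL Server Browser service listens here (UDP)
CLNT_BCAST_EX = b"\x02"     # request: every instance on the subnet should answer
SVR_RESP = 0x05             # first byte of every server response


def parse_ssrp_response(datagram: bytes) -> list:
    """Split a SVR_RESP datagram (0x05, LE16 length, ASCII key;value pairs,
    one instance per ';;'-terminated record) into one dict per instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2 or fields[0] != "ServerName":
            continue                      # trailing empty record after last ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def unexpected_instances(instances: list, inventory: set) -> list:
    """Return HOST\\INSTANCE labels that are not in the approved inventory."""
    approved = {x.upper() for x in inventory}
    labels = [f"{i.get('ServerName', '?')}\\{i.get('InstanceName', '?')}" for i in instances]
    return [lab for lab in labels if lab.upper() not in approved]


def discover(broadcast: str = "255.255.255.255", timeout: float = 3.0) -> list:
    """Broadcast one SSRP request and parse every answer (needs network access)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX, (broadcast, SSRP_PORT))
        try:
            while True:                   # collect until the subnet goes quiet
                data, (addr, _) = sock.recvfrom(65535)
                for inst in parse_ssrp_response(data):
                    inst["Address"] = addr
                    results.append(inst)
        except socket.timeout:
            pass
    return results


# Constructed sample response: one host advertising two instances (not real data).
SAMPLE_BODY = (b"ServerName;FINANCE-WS07;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;10.50.1600.1;tcp;1433;;"
               b"ServerName;FINANCE-WS07;InstanceName;SQLEXPRESS;IsClustered;No;"
               b"Version;11.0.2100.60;tcp;49172;;")
SAMPLE_DATAGRAM = bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY
```

Run `discover()` on a test segment and feed the result to `unexpected_instances()` with your asset list to surface the SQL Express installs nobody registered.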

Tip: If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools at www.petefinnigan.com/tools.htm that can perform functions similar to SQLPing3.

Cracking database passwords

SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. As you saw in Figure 16-1, it checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown in Figure 16-2.


Figure 16-2: Using Cain & Abel to crack Oracle password hashes.

You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes at the bottom left, and click the blue plus symbol at the top to load a user name and password hash to start the cracking. You can also select Oracle TNS Hashes at the bottom left and attempt to capture Transport Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.

The commercial product ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions as I outline later in this chapter), you can use ElcomSoft’s Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) to recover database passwords immediately.

Tip: You might stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery (www.elcomsoft.com/acpr.html) can get you right in.

As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. It’s also a nice way to underscore the problems with critical files scattered across the network in an unprotected fashion.

Another good way to demonstrate SQL Server weaknesses is to use Microsoft SQL Server 2008 Management Studio Express (www.microsoft.com/en-us/download/details.aspx?id=7593) to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see (and show) what’s available. In practically every unprotected SQL Server system I come across, there’s sensitive personal financial or healthcare information available for the taking.

Scanning databases for vulnerabilities

As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. I use Nexpose to find such issues as:

  • Buffer overflows
  • Privilege escalations
  • Password hashes accessible through default/unprotected accounts
  • Weak authentication methods enabled

Tip: A great all-in-one commercial database vulnerability scanner for performing in-depth database checks — including user rights audits on SQL Server, Oracle, and so on — is AppDetectivePRO (www.trustwave.com/Products/Database-Security/AppDetectivePRO). AppDetectivePRO can be a good addition to your security testing tool arsenal if you can justify the investment.

Many vulnerabilities can be tested from both an unauthenticated outsider’s perspective as well as a trusted insider’s perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. As I’ve said before, if it’s out there and accessible, people are going to play with it.

Following Best Practices for Minimizing Database Security Risks

Keeping your databases secure is actually pretty simple if you do the following:

  • Run your databases on dedicated servers (or workstations, where necessary).
  • Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13, respectively.
  • Ensure that your databases fall within the scope of patching and system hardening.
  • Require strong passwords on every database system. Most enterprise-ready databases such as Oracle and SQL Server allow you to use domain authentication (such as Active Directory or LDAP) so you can just tie-in your existing domain policy and user accounts and not have to worry about managing a separate set.
  • Use appropriate file and share permissions to keep prying eyes away.
  • De-identify any sensitive production data before it’s used in non-production environments such as development or QA.
  • Check your web applications for SQL injection and related input validation vulnerabilities. (I cover web application security in Chapter 15.)
  • Use a network firewall, such as those available from Fortinet (www.fortinet.com) or Cisco (www.cisco.com), and database-specific controls, such as those available from Imperva (www.imperva.com) and Idera (www.idera.com).
  • Perform related database hardening and management using a tool such as Microsoft Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx).
  • Run the latest version of database server software. The new security features in SQL Server 2012 and SQL Server 2016 are great advancements toward better database security.

Opening Up About Storage Systems

Attackers are carrying out a growing number of storage-related hacks and use various attack vectors and tools to break into the storage environment. (Surely you know what I’m going to say next.) Therefore, you need to get to know the techniques and tools yourself and use them to test your own storage environment.

Warning: There are a lot of misconceptions and myths related to the security of such storage systems as Fibre Channel and iSCSI Storage Area Networks (SANs), CIFS and NFS-based Network Attached Storage (NAS) systems, and so on. Many network and storage administrators believe that “Encryption or RAID equals storage security,” “An external attacker can’t reach our storage environment,” “Our systems are resilient,” or “Security is handled elsewhere.” These are all very dangerous beliefs, and I’m confident that more attacks will target critical storage systems.

As with databases, practically every business has some sort of network storage housing sensitive information that it can’t afford to lose. That’s why it’s important to include both network storage (SAN and NAS systems) and traditional file shares in the scope of your security testing.

Choosing tools

These are my favorite tools for testing storage security:

Finding storage systems on the network

To seek out storage-related vulnerabilities, you have to first figure out what’s where. The best way to get rolling is to use a port scanner and, ideally, an all-in-one vulnerability scanner, such as Nexpose or LanGuard. Also, given that many storage servers have web servers built in, you can use such tools as Acunetix Web Vulnerability Scanner and Netsparker to uncover web-based flaws. You can use these vulnerability scanners to gain good insight into areas that need further inspection, such as weak authentication, unpatched operating systems, cross-site scripting, and so on.

Tip: A commonly overlooked storage vulnerability is that many storage systems can be accessed from both the de-militarized zone (DMZ) segment and the internal network segment(s). This vulnerability poses risks to both sides of the network. Be sure to manually check to see if you can reach the DMZ from the internal network and vice versa.

You can also perform basic file permission and share scans (as outlined in Chapter 12) in conjunction with a text search tool to uncover sensitive information that everyone on the network should not have access to. Digging down further, a quick means for finding open network shares is to use SoftPerfect Network Scanner’s share scanning capabilities as shown in Figure 16-3.


Figure 16-3: Using SoftPerfect Network Scanner to search for network shares.

As you can see in Figure 16-3, Network Scanner enables you to perform a security and security-permission scan for all devices or just for folders. I recommend selecting Specific account in the Authentication section shown in Figure 16-3 and then clicking Manage so you can enter a domain account for the network that has general user permissions. This will provide a good level of access for determining which shares are accessible.

Once Network Scanner has completed its scan, the shares showing Everyone in the Shared Folder Security column point you to the shares that need attention. Hardly a security assessment goes by without coming across such shares open to the Windows Everyone group. Just as common is to see that the directories and files within these shares are also accessible to any logged-in Windows user to open, modify, delete — whatever they please. How’s that for accountability!?

Rooting out sensitive text in network files

Once you find open network shares, you’ll then want to scan for sensitive information stored in files such as PDFs, .docx, and .xlsx files. It’s as simple as using a text search utility, such as FileLocator Pro or Effective File Search (www.sowsoft.com/search.htm). Alternatively, you can use Windows Explorer or the find command in Linux to scan for sensitive information, but it’s just too slow and cumbersome for my liking.

You’ll be amazed at what you come across stored insecurely on users’ desktops, server shares, and more, such as:

  • Employee health records
  • Customer credit card numbers
  • Corporate financial reports
  • Source code
  • Master database files (as I mentioned earlier)

The sky’s the limit. Such sensitive information should not only be protected by good business practices, but it is also governed by state, federal, and international regulations, so you have to make sure that you find it and secure it.

Tip: Do your searches for sensitive text while you’re logged in to the local system or domain as a regular user — not as an administrator. This will give you a better view of regular users who have unauthorized access to sensitive files and shares that you thought were otherwise secure. When using a basic text search tool, such as FileLocator Pro, look for the following text strings:

  • DOB (for dates of birth)
  • SSN (for Social Security numbers)
  • License (for driver’s license information)
  • Credit or CCV (for credit card numbers)

Remember: Don’t forget about your mobile devices when seeking sensitive, unprotected information. Everything from laptops to USB drives to external hard drives is fair game to the bad guys. A misplaced or stolen system is all it takes to create a costly data breach.

The possibilities for information exposure are endless; just start with the basics and only peek into common files that you know might have some juicy info in them. Limiting your search to these files will save you a ton of time!

  • .txt
  • .doc and .docx
  • .rtf
  • .xls and .xlsx
  • .pdf

An example of a basic text search using FileLocator Pro is shown in Figure 16-4. Note the files found in different locations on the server.


Figure 16-4: Using FileLocator Pro to search for sensitive text on unprotected shares.

FileLocator Pro also has the ability to search for content inside PDF files to uncover sensitive data.

To speed the process, you can use Sensitive Data Manager, a really neat tool designed for the very purpose of scanning storage devices for sensitive, personally identifiable information. It can also search inside binary files such as PDFs.

For a second round of testing, you could perform your searches logged in as an administrator. You’re likely to find a lot of sensitive information scattered about. It might seem worthless at first; however, this can highlight sensitive information stored in places it shouldn’t be or that network administrators shouldn’t have access to.

Remember: Testing is highly dependent on timing, searching for the right keywords, and looking at the right systems on the network. You likely won’t root out every single bit of sensitive information, but this effort will show you where certain problems are, which will help you to justify the need for stronger access controls and better IT and security management processes.

Following Best Practices for Minimizing Storage Security Risks

Like database security, storage security is not brain surgery. Keeping your storage systems secure is also simple if you do the following:

  • Check the underlying operating systems for security vulnerabilities. I cover operating system exploits for Windows and Linux in Chapters 12 and 13.
  • Ensure that your network storage (SAN and NAS systems) falls within the scope of patching and system hardening.
  • Require strong passwords on every storage management interface.
  • Use appropriate file and share permissions to keep prying eyes away.
  • Educate your users on where to store sensitive information and the risks of mishandling it.
  • De-identify any sensitive production data before it’s used in development or QA. There are tools made for this specific purpose.
  • Use a network firewall, such as those available from Fortinet (www.fortinet.com) or WatchGuard Technologies (www.watchguard.com) to ensure only the people and systems that need to access your storage environment can do so and nothing more.