Chapter 16
In This Chapter
Testing and exploiting database flaws
Finding storage weaknesses
Ferreting out sensitive information
Countering database and storage abuse
Attacks against databases and storage systems can be very serious because that’s where “the goods” are located, and those with ill intent are well aware of that. These attacks can occur across the Internet or on the internal network when external attackers and malicious insiders exploit any number of vulnerabilities. These attacks can also occur via the web application through SQL injection.
Database systems, such as Microsoft SQL Server, MySQL, and Oracle, have lurked behind the scenes, but their value and their vulnerabilities have finally come to the forefront. Yes, even the mighty Oracle that was once claimed to be unhackable is susceptible to exploits similar to its competition. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within because practically every business (large and small) uses some sort of database either in-house or hosted in the cloud.
As with wireless networks, operating systems, and so on, you need good tools if you’re going to find the database security issues that count. The following are my favorite tools for testing database security:
Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) for cracking Microsoft SQL Server passwords
Cain & Abel (www.oxid.it/cain.html) for cracking database password hashes
Nexpose (www.rapid7.com/products/nexpose) for performing in-depth vulnerability scans
SQLPing3 (www.sqlsecurity.com/downloads) for locating Microsoft SQL Servers on the network, checking for blank passwords for the ‘sa’ account (the default SQL Server system administrator), and performing dictionary password-cracking attacks
You can also use exploit tools, such as Metasploit, for your database testing.
The first step in discovering database vulnerabilities is to figure out where they’re located on your network. It sounds funny, but many network admins I’ve met aren’t even aware of various databases running in their environments. This is especially true for the free SQL Server Express database software editions that anyone can download and run on your network.
The best tool I’ve found to discover Microsoft SQL Server systems is SQLPing3, which is shown in Figure 16-1.
SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This is a nice feature as Windows Firewall is enabled by default on Windows 7 and up.
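SQLPing3 finds instances by querying the SQL Server Browser service, which answers on UDP 1434 with a semicolon-delimited list of every instance on the host (the MC-SQLR protocol). The following is an added example, not code from the book or from SQLPing3, that builds the request, parses a reply into one record per instance and flags instances with no advertised TCP listener; the reply bytes in SAMPLE_REPLY are constructed, not captured from a real server.

```python
"""Parse SQL Server Browser discovery replies (UDP 1434, MC-SQLR).
Added example, not code from the book or from SQLPing3; the reply
bytes in SAMPLE_REPLY are constructed, not captured from a real host."""
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"  # "list every instance on this host" request
SVR_RESP = 0x05          # leading byte of every Browser reply


def parse_ssrp_response(data: bytes) -> list[dict]:
    """One dict of key/value fields per instance named in the reply."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    size = int.from_bytes(data[1:3], "little")   # RESP_SIZE field
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):               # ";;" ends each instance
        fields = chunk.split(";")
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def summarize(instances: list[dict]) -> list[tuple[str, str, str]]:
    """(host, instance, listener) rows; an instance with no tcp field
    advertises no TCP port, so a plain port scan for 1433 will miss it."""
    return [(i.get("ServerName", "?"), i.get("InstanceName", "?"),
             i["tcp"] if "tcp" in i else "named pipes only")
            for i in instances]


def discover(host: str, timeout: float = 2.0) -> list[dict]:
    """Ask one host's Browser service which instances it knows about."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


_BODY = ("ServerName;DBHOST1;InstanceName;MSSQLSERVER;IsClustered;No;"
         "Version;13.0.1601.5;tcp;1433;;"
         "ServerName;DBHOST1;InstanceName;SQLEXPRESS;IsClustered;No;"
         "Version;14.0.1000.169;np;\\\\DBHOST1\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_REPLY = bytes([SVR_RESP]) + len(_BODY).to_bytes(2, "little") + _BODY.encode()
```

Running discover() against each host in your own address range gives the inventory that many admins lack; SQL Server Express instances typically show up with a dynamic port or named pipes only, which is why they hide from a simple 1433 scan.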
SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. As you saw in Figure 16-1, it checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown in Figure 16-2.
You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes at the bottom left, and click the blue plus symbol at the top to load a user name and password hash to start the cracking. You can also select Oracle TNS Hashes at the bottom left and attempt to capture Transparent Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.
The commercial product ElcomSoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions as I outline later in this chapter), you can use ElcomSoft’s Advanced SQL Password Recovery (www.elcomsoft.com/asqlpr.html) to recover database passwords immediately.
As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. It’s also a nice way to underscore the problems with critical files scattered across the network in an unprotected fashion.
Another good way to demonstrate SQL Server weaknesses is to use Microsoft SQL Server 2008 Management Studio Express (www.microsoft.com/en-us/download/details.aspx?id=7593) to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see (and show) what’s available. In practically every unprotected SQL Server system I come across, there’s sensitive personal financial or healthcare information available for the taking.
As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. I use Nexpose to find such issues as:
Many vulnerabilities can be tested from both an unauthenticated outsider’s perspective as well as a trusted insider’s perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. As I’ve said before, if it’s out there and accessible, people are going to play with it.
Keeping your databases secure is actually pretty simple if you do the following:
Use network-level controls, such as those available from Fortinet (www.fortinet.com) or Cisco (www.cisco.com), and database-specific controls, such as those available from Imperva (www.imperva.com) and Idera (www.idera.com).
http://technet.microsoft.com/en-us/library/cc677002.aspx
Attackers are carrying out a growing number of storage-related hacks and use various attack vectors and tools to break into the storage environment. (Surely you know what I’m going to say next.) Therefore, you need to get to know the techniques and tools yourself and use them to test your own storage environment.
As with databases, practically every business has some sort of network storage housing sensitive information that it can’t afford to lose. That’s why it’s important to include both network storage (SAN and NAS systems) and traditional file shares in the scope of your security testing.
These are my favorite tools for testing storage security:
nmap (http://nmap.org) for port scanning to find live storage hosts
SoftPerfect Network Scanner (www.softperfect.com/products/networkscanner) for finding open and unprotected shares
FileLocator Pro (www.mythicsoft.com) for text searches to uncover sensitive information in files
To seek out storage-related vulnerabilities, you have to first figure out what’s where. The best way to get rolling is to use a port scanner and, ideally, an all-in-one vulnerability scanner, such as Nexpose or LanGuard. Also, given that many storage servers have web servers built in, you can use such tools as Acunetix Web Vulnerability Scanner and Netsparker to uncover web-based flaws. You can use these vulnerability scanners to gain good insight into areas that need further inspection, such as weak authentication, unpatched operating systems, cross-site scripting, and so on.
You can also perform basic file permission and share scans (as outlined in Chapter 12) in conjunction with a text search tool to uncover sensitive information that everyone on the network should not have access to. Digging down further, a quick means for finding open network shares is to use SoftPerfect Network Scanner’s share scanning capabilities as shown in Figure 16-3.
As you can see in Figure 16-3, Network Scanner enables you to perform a share security and share permission scan for all devices or just for folders. I recommend selecting Specific account in the Authentication section shown in Figure 16-3 and then clicking Manage so you can enter a domain account for the network that has general user permissions. This provides a good level of access for determining which shares are accessible.
Once Network Scanner has completed its scan, the shares showing Everyone in the Shared Folder Security column point you to the shares that need attention. Hardly a security assessment goes by without coming across such shares open to the Windows Everyone group. Just as common is to see the directories and files within these shares that are also accessible to any logged-in Windows user to open, modify, delete — whatever they please. How’s that for accountability!?
Once you find open network shares, you’ll then want to scan for sensitive information stored in files such as PDFs, .docx, and .xlsx files. It’s as simple as using a text search utility, such as FileLocator Pro or Effective File Search (www.sowsoft.com/search.htm). Alternatively, you can use Windows Explorer or the find command in Linux to scan for sensitive information, but it’s just too slow and cumbersome for my liking.
You’ll be amazed at what you come across stored insecurely on users’ desktops, server shares, and more, such as:
The sky’s the limit. Such sensitive information should not only be protected by good business practices, but is also governed by state, federal, and international regulations, so you have to make sure that you find it and secure it.
The possibilities for information exposure are endless; just start with the basics and only peek into common files that you know might have some juicy info in them. Limiting your search to these files will save you a ton of time!
An example of a basic text search using FileLocator Pro is shown in Figure 16-4. Note the files found in different locations on the server.
FileLocator Pro also has the ability to search for content inside PDF files to uncover sensitive data.
To speed the process, you can use Sensitive Data Manager, a really neat tool designed for the very purpose of scanning storage devices for sensitive, personally identifiable information. It can also search inside binary files such as PDFs.
For a second round of testing, you could perform your searches logged in as an administrator. You’re likely to find a lot of sensitive information scattered about. It might seem worthless at first; however, this can highlight sensitive information stored in places it shouldn’t be or that network administrators shouldn’t have access to.
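The text searches described above work best when they look for structured identifiers rather than plain keywords, so that an order number does not get reported as a card number. The following is an added example, not code from the book or from FileLocator Pro or Sensitive Data Manager: it walks a directory tree (for example a mounted share), matches US-format SSNs and 13-19 digit card numbers, applies the Luhn check to drop false positives, and reports only masked values; the two sample files and the plain-text extension list are constructed assumptions.

```python
"""Search a tree of files for US SSN- and payment-card-like strings.
Added example, not code from the book or from FileLocator Pro; the
sample files are constructed and the patterns assume US-format data."""
import os
import re
import tempfile

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, separators allowed
TEXT_EXTS = {".txt", ".csv", ".log"}  # assumption: plain-text types only

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> list[tuple[str, str]]:
    """(kind, masked value) hits; only the last four digits are kept."""
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root: str) -> list[tuple[str, str, str]]:
    """Walk root (for example a mounted share) and report hits per file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for kind, masked in scan_text(fh.read()):
                    findings.append((os.path.relpath(path, root), kind, masked))
    return findings

def demo_share() -> str:
    """Build a constructed 'share': one file with real hits, one with decoys."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "payroll.txt"), "w") as fh:
        fh.write("J. Doe SSN 123-45-6789, corp card 4111 1111 1111 1111\n")
    with open(os.path.join(root, "orders.txt"), "w") as fh:
        fh.write("order 1234567812345678 shipped; ref 000-12-3456\n")
    return root
```

Masking the reported values matters because the scan report itself becomes another copy of the sensitive data otherwise.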
Like database security, storage security is not brain surgery. Keeping your storage systems secure is also simple if you do the following:
Use network access controls, such as those available from Fortinet (www.fortinet.com) or WatchGuard Technologies (www.watchguard.com), to ensure only the people and systems that need to access your storage environment can do so and nothing more.