Choosing tools

As with wireless networks, operating systems, and so on, you need good tools if you’re going to find the database security issues that count. The following are my favorite tools for testing database security:

• Advanced SQL Password Recovery (https://www.elcomsoft.com/asqlpr.html) for cracking Microsoft SQL Server passwords.
• Cain & Abel (www.oxid.it/cain.html) for cracking database password hashes.
• Nexpose (https://www.rapid7.com/products/nexpose) for performing in-depth vulnerability scans.
• SQLPing3 (www.sqlsecurity.com/downloads) for locating Microsoft SQL Servers on the network, checking for blank passwords for the sa account (the default SQL Server system administrator), and performing dictionary password-cracking attacks.

You can also use network vulnerability scanners, such as Nexpose, along with exploit tools, such as Metasploit, for your database testing.

Finding databases on the network

The first step in discovering database vulnerabilities is figuring out where they’re located on your network. It sounds funny, but many network admins I’ve met aren’t even aware of various databases running in their environments. This situation is especially true of the free SQL Server Express database software editions that users can download and run on your network.

I can’t tell you how often I find sensitive production data, such as credit card and Social Security numbers, being used in test databases that are wide open to abuse by curious insiders or even external attackers who have made their way into the network. Using sensitive production data in the uncontrolled areas of the network such as sales, software development, and quality assurance is a data breach waiting to happen.

The best tool I’ve found to discover Microsoft SQL Server systems is SQLPing3 (see Figure 16-1).

SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This feature is nice, as Windows Firewall is enabled by default in Windows 7 and later.

If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools at www.petefinnigan.com/tools.htm that can perform functions similar to those of SQLPing3.

Cracking database passwords

SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. As Figure 16-1 shows, it checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel, shown in Figure 16-2.

You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes in the bottom-left corner, and click the blue plus symbol at the top to load a user name and password hash to start the cracking. You can also select Oracle TNS Hashes at bottom left and attempt to capture Transport Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.

The commercial product ElcomSoft Distributed Password Recovery (https://www.elcomsoft.com/edpr.html) can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions, as I outline later in this chapter), you can use ElcomSoft's Advanced SQL Password Recovery to recover database passwords immediately.

You may stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery can get you right in. There are also many end-of-life or unsupported versions of Access still around. Running a vulnerability scanner such as Nexpose to uncover flaws can prove beneficial. Depending on the findings, you might then be able to use Metasploit to demonstrate what can happen.

As you can imagine, these password-cracking tools are great ways to demonstrate the most basic of weaknesses in your database security. They’re also nice ways to underscore the problems with critical files scattered across the network in an unprotected fashion.

Another good way to demonstrate SQL Server weaknesses is to use SQL Server Management Studio (https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms) to connect to the database systems you now have the passwords for and to set up backdoor accounts or browse around to see (and show) what’s available. Practically every unprotected SQL Server system I come across has sensitive personal financial or healthcare information available for the taking. It simply takes a query such as the following to access the records in any given table:

select * from tablename

Scanning databases for vulnerabilities

As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. I use Nexpose to find such issues as the following:

• Buffer overflows.
• Privilege escalations.
• Password hashes accessible through default/unprotected accounts.
• Weak authentication methods enabled.

A great all-in-one commercial database vulnerability scanner for performing in-depth database checks — including user-rights audits in SQL Server, Oracle, and so on — is AppDetectivePRO (https://www.trustwave.com/Products/Database-Security/AppDetectivePRO). AppDetectivePRO can be a good addition to your security testing tool arsenal if you can justify the investment.

Many vulnerabilities can be tested from both an unauthenticated outsider’s perspective as well as a trusted insider’s perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. As I’ve said before, if a database is out there and accessible, people are going to play with it.

Choosing tools

These are my favorite tools for testing storage security:

• nmap (http://nmap.org) for port scanning to find live storage hosts.
• SoftPerfect Network Scanner (https://www.softperfect.com/products/networkscanner) for finding open and unprotected shares.
• FileLocator Pro (https://www.mythicsoft.com) for finding specific files and information.
• Nexpose for performing in-depth vulnerability scans.

Finding storage systems on the network

To seek out storage-related vulnerabilities, you first have to figure out what’s where. The best way to get rolling is to use a port scanner and, ideally, an all-in-one vulnerability scanner such as Nexpose or LanGuard. Also, given the fact that many storage servers have built-in web servers, you can use such tools as Acunetix Web Vulnerability Scanner and Netsparker to uncover web-based flaws. You can use these vulnerability scanners to gain good insight into areas that need further inspection, such as weak authentication, unpatched operating systems, and cross-site scripting.

A commonly overlooked storage vulnerability is that many storage systems can be accessed from both the demilitarized zone (DMZ) segment and the internal network segment(s). This vulnerability poses risks to both sides of the network. Be sure to check manually to see whether you can reach the DMZ from the internal network, and vice versa.

You can also perform basic file permission and share scans (as outlined in Chapter 12) in conjunction with a text search tool to uncover sensitive information that no one on the network should have access to. Digging down further, a quick means for finding open network shares is to use SoftPerfect Network Scanner’s share scanning capabilities, as shown in Figure 16-3.

As you can see in Figure 16-3, Network Scanner enables you to perform a security and security permission scan for all devices or simply folders. I recommend selecting Specific Account in the Authentication section and then clicking Manage so that you can enter a domain account for the network that has general user permissions. This technique provides a good level of access to determine which shares are accessible.

When Network Scanner completes its scan, the shares showing Everyone in the Shared Folder Security column are the shares that need attention. I rarely complete a security assessment without coming across such shares open to the Windows Everyone group. Just as common is seeing the directories and files within these shares that are accessible to any logged-in Windows user to open, modify, delete, and do whatever else they please. How’s that for accountability?

Rooting out sensitive text in network files

When you find open network shares, scan for sensitive information stored in files such as .pdf, .docx, and .xlsx files. The process is as simple as using a text search utility such as FileLocator Pro. Alternatively, you can use Windows Explorer or the find command in Linux to scan for sensitive information, but that process is too slow and cumbersome for my liking.

You'll be amazed by what you come across stored insecurely on users’ desktops, server shares, and more, such as the following:

• Employee health records
• Customer credit card numbers
• Corporate financial reports
• Source code
• Master database files

The sky’s the limit. Such sensitive information should be protected by good business practices, and it’s also governed by state, federal, and international regulations, so make sure that you find it and secure it.

Do your searches for sensitive text while you’re logged in to the local system or domain as a regular user — not as an administrator. This practice gives you a better view of regular users who have unauthorized access to sensitive files and shares that you thought were secure. When using a basic text search tool such as FileLocator Pro, look for the following text strings:

• DOB (for dates of birth)
• SSN (for Social Security numbers)
• License (for driver’s-license information)
• Credit or CCV (for credit-card numbers)

Don’t forget about your mobile devices when seeking sensitive, unprotected information. Everything from laptops to USB drives to external hard drives is fair game to the bad guys. A misplaced or stolen system can create a costly data breach. The same can be said for cloud-based file sharing services such as OneDrive and Sharefile.

The possibilities for information exposure are endless. Start with the basics, and peek only into common files that you know may have some juicy info in them. Limiting your search to these files will save you a ton of time:

• .txt
• .doc and .docx
• .rtf
• .xls and .xlsx
• .pdf

Figure 16-4 shows a basic text search with FileLocator Pro. Notice the files located on different parts of the server.

FileLocator Pro can also search for content inside .pdf files to uncover sensitive data.

To speed the process, use Spirion's Sensitive Data Manager (https://www.spirion.com). This product, formerly known as IdentityFinder and since rolled into the company’s enterprise data discovery platform, is a neat tool designed for scanning storage devices for sensitive, personally identifiable information. It can also search inside binary files such as PDFs.

For a second round of testing, you could perform your searches while logged in as an administrator. You’re likely to find a lot of sensitive information scattered about. It might seem worthless at first, but it can highlight sensitive information stored in places where it shouldn’t be or that network administrators shouldn’t be able to access.

Testing is highly dependent on timing, searching for the right keywords, and looking at the right systems on the network. You likely won’t root out every single bit of sensitive information, but this effort shows you where certain problems are, which helps you justify the need for stronger access controls and for better IT and security management processes.