Finding Targets

The first step to attacking Sybase servers is locating them in the network. This section describes a number of techniques for locating Sybase servers.

Scanning for Sybase

As previously noted, Sybase normally listens on a number of well-known TCP ports — 5000-5004, 8181, and 8182. It is very easy to configure Sybase to listen on different ports, but these well-known ports can be a big help. Port scanning tools such as Fyodor's Nmap (http://www.insecure.org/nmap/) are the best way to locate hosts with specific known open ports.

If you have remote registry access to Windows boxes in a network, it can be useful to check for ODBC data sources. Simply search

HKEY_LOCAL_MACHINE\Software\ODBC

for “SybaseServerName” and “NetworkAddress” and you will see the hostnames, IP addresses, and TCP ports for any Sybase data sources that are configured on the host in question.

LDAP queries can also help, if the organization has an LDAP infrastructure.

Sybase Version Numbers

Sybase responds to failed authentications with a packet that contains the major and minor version number of the server, so sniffing a failed authentication response packet will normally give you the version number. The packet looks something like this:

Ethernet Header
...
IP Header
...
TCP Header
    Source port: 5000
    Dest port: 1964
    Flags: 0x18 (ACK PSH )
...
Raw Data
04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00  (   N            )
0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5  ( sql server     )
23 00 a2 0f 00 00 01 0e 05 5a 5a 5a 5a 5a 00 01  (#        ZZZZZ  )
00 0e 00 4c 6f 67 69 6e 20 66 61 69 6c 65 64 2e  (   Login failed.)
0a 00 00 00 00 fd 02 00 02 00 00 00 00 00        (              )

The 4 bytes immediately following the string “sql server” are the version number — 0x0c = 12, 0x05 = 5, so the version number of this host is 12.5.0.0. The version number obtained in this fashion isn't the whole story — you'd need to authenticate and select @@version to get that — but it can at least give you some kind of indication. The server that sent the preceding packet was actually running ASE 12.5.1.
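To make the layout above concrete, here is an added parser (not from the book) that walks the tokens of a captured failed-login response and reports exactly what the server discloses, so an administrator can check a capture of their own server; the token names (LOGINACK, EED, DONE) and field layouts follow the TDS 5.0 wire protocol and are checked against the bytes shown above, which are embedded as the sample input.

```python
import struct

# The failed-login response dumped above, re-typed from the page as sample input.
SAMPLE_RESPONSE = bytes.fromhex(
    "04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00"
    "0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5"
    "23 00 a2 0f 00 00 01 0e 05 5a 5a 5a 5a 5a 00 01"
    "00 0e 00 4c 6f 67 69 6e 20 66 61 69 6c 65 64 2e"
    "0a 00 00 00 00 fd 02 00 02 00 00 00 00 00"
)

LOGINACK, EED, DONE = 0xAD, 0xE5, 0xFD   # TDS 5.0 token ids present in the dump

def parse_tds_response(pkt: bytes) -> dict:
    """Walk the tokens of a TDS 5.0 response and return what the server disclosed."""
    if len(pkt) < 8 or pkt[0] != 0x04:
        raise ValueError("not a TDS response packet (type byte must be 0x04)")
    declared = struct.unpack(">H", pkt[2:4])[0]          # header length is big-endian
    if declared != len(pkt):
        raise ValueError(f"header declares {declared} bytes, got {len(pkt)}")
    info, pos = {}, 8                                     # tokens start after the 8-byte header
    while pos < len(pkt):
        token = pkt[pos]
        if token == DONE:                                 # fixed 8-byte body, no length field
            info["done_status"] = struct.unpack("<H", pkt[pos + 1:pos + 3])[0]
            pos += 9
            continue
        body_len = struct.unpack("<H", pkt[pos + 1:pos + 3])[0]   # token lengths are little-endian
        body = pkt[pos + 3:pos + 3 + body_len]
        if token == LOGINACK:
            # status(1) tds_version(4) name_len(1) name prog_version(4)
            name_len = body[5]
            name_end = 6 + name_len
            info["login_status"] = body[0]                # 6 = login failed
            info["tds_version"] = ".".join(map(str, body[1:5]))
            info["server_name"] = body[6:name_end].decode("ascii")
            info["server_version"] = ".".join(map(str, body[name_end:name_end + 4]))
        elif token == EED:
            # msg_num(4) state(1) severity(1) sqlstate_len(1) sqlstate has_eed(1) tran(2) msg_len(2) msg
            info["message_number"] = struct.unpack("<I", body[0:4])[0]
            info["severity"] = body[5]
            p = 7 + body[6] + 1 + 2                       # skip SQLSTATE, has-EED flag, tran status
            msg_len = struct.unpack("<H", body[p:p + 2])[0]
            info["message"] = body[p + 2:p + 2 + msg_len].decode("ascii").rstrip("\n")
        pos += 3 + body_len
    return info

if __name__ == "__main__":
    for key, value in parse_tds_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run against the dump above it reports server_version 12.5.0.0 alongside the TDS protocol version, the login status and the 4002 "Login failed." message, which is the full set of facts this single packet gives away before any credentials are accepted.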

It is possible to obtain the version number of a Sybase server using a slightly truncated authentication packet. From our experimentation, the truncated authentication attempt is not logged, even if the authentication logging options are set. This is fine though, because we don't actually want to attempt an authentication; we just want to get the server's version information in the error response.

To enable logging of both failed and successful authentication attempts, execute the following:

sp_configure 'log audit logon failure', 1
sp_configure 'log audit logon success', 1

You can find the “C” source code that implements a quick-and-dirty tool to get the Sybase version via a truncated authentication packet at the end of this chapter.

Snooping Authentication

In a default, “out of the box” configuration, Sybase transmits passwords in clear text over the network. This is such an obvious and known security risk that almost all organizations will have employed some kind of mitigation — either taking Sybase's recommendation and deploying one of the more advanced authentication methods, for example, Kerberos, or using an encrypted IPSec tunnel or similar. Nonetheless, default configurations do occasionally crop up, so be aware that traffic from Sybase clients to the normal Sybase server ports, 5000-5004, may well have plaintext passwords in it.

As with most native database authentication mechanisms, man-in-the-middle attacks are also possible. This scenario occurs when an attacker pretends to be the database server. Normally he would have to compromise a DNS or WINS server to do this, but depending on the name resolution infrastructure in the network this may be straightforward.
