Database Penetration Testing

The document outlines the methodology for penetration testing a SQL Server database, including: 1) Information gathering such as identifying open ports and enumerating server accounts through scanning and brute force attacks. 2) Privilege escalation attacks to obtain higher level access such as the database admin account. 3) Creating an exploitation report detailing the vulnerabilities found and how they were exploited to penetrate the database defenses.

Uploaded by

anoha

DATABASE PENETRATION TESTING
TAZMEEN FATIMA
PENETRATION TESTING METHODOLOGY (OWASP)
Pre-engagement Interactions
• Communication with the customer.
• Outline the logistics of the test, expectations, legal implications, objectives and goals.
Information Gathering
• Gain as much information as possible about the desired target.
• Domain names, network hosts, public and private IP blocks, routing tables, SSL certificates, open ports.
Threat Modeling
• Map the threats that can occur in an organization and rank the discovered vulnerabilities and potential risks.
Vulnerability Analysis
• The process of identifying, enumerating, and prioritizing the vulnerabilities in a system.
Exploitation
• Exploit the found vulnerabilities using any program, script or tool.
Post-Exploitation
• Any actions taken after a session is opened. A session is an open shell from a successful exploit.
Reporting
• A document containing a detailed analysis of the vulnerabilities found.


DATABASE PENETRATION TESTING
The objective is to:
• Find common and uncommon weaknesses in a database.
• Gain admin level access to the database.

The steps below are explained using a SQL Server database.


SQL Server Ports:
• 1433/TCP: client database connectivity.
• 1434/UDP: returns the IP address and port number of a SQL Server instance.
• 2433/TCP: default port when the "Hide server" check box is selected in the TCP/IP properties of the Server Network Utility.
1- Scanning and Identifying the Server Ports
This can be done by pinging the network using the following tools.

SQLPing tool:
• SQLPing gathers the TCP port of each instance by querying the SQL Server Resolution Service on port 1434.
• Instance version and supported netlibs are identified.
• Supports IP ranges.
• Also checks for weak passwords using wordlists.

(Screenshot: SQLPing tool interface)
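The reason SQLPing can list every instance, including one moved to the "hidden" port 2433, is that the SQL Server Resolution Service on UDP 1434 answers with a plain text record per instance (instance name, version, TCP port). The parser below is an added example, not part of the original slides or of SQLPing; it decodes a hand-built response (header byte 0x05, little-endian length, then `key;value` pairs with `;;` between instances) so a defender can see exactly what the service discloses and check their own inventory against it. The server name, instance names and ports in the sample are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample of a SQL Server Resolution Service reply (UDP 1434).
# Two instances are advertised: the default one on 1433 and a "hidden"
# instance that was moved to 2433. Hand-built, not a real capture.
_PAYLOAD = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;1433;;"
    b"ServerName;DBSRV01;InstanceName;HIDDEN;IsClustered;No;"
    b"Version;15.0.2000.5;tcp;2433;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_PAYLOAD)) + _PAYLOAD


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Decode a server response: 0x05, uint16 LE length, then one
    ';'-separated key/value string per instance, instances ending in ';;'."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not a SQL Server Resolution Service response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:            # trailing ';;' leaves an empty chunk
            continue
        fields = chunk.split(";")
        # pair tokens as key;value; an odd trailing token is ignored
        record = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        instances.append(record)
    return instances


def summarize(data: bytes) -> List[Tuple[str, Optional[int]]]:
    """Return (instance name, TCP port) for each advertised instance.
    A missing or non-numeric port is reported as None."""
    result = []
    for inst in parse_ssrp_response(data):
        port = inst.get("tcp", "")
        result.append((inst.get("InstanceName", "?"), int(port) if port.isdigit() else None))
    return result


if __name__ == "__main__":
    for name, port in summarize(SAMPLE_RESPONSE):
        print(f"{name:12s} tcp/{port}")
```

The takeaway for hardening is visible in the output: moving an instance to 2433 does not hide it from anyone who can reach UDP 1434, so the Browser-style service should be blocked at network boundaries or stopped where clients connect by explicit port.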


Osql command:
• OSQL is a command line tool provided by Microsoft that allows users to issue commands to Microsoft SQL Server.
• It only returns a list of server names and instances.
• To run OSQL, simply bring up a terminal and type OSQL followed by any required switches:
OSQL -?

• -S <sql-server-name> - the name of the SQL Server, including instance, if applicable.
• -d <database-name> - the name of the database on which the operation is to be performed.
• -U <user-name> - the SQL Server user account under which to run the specified command.
• -P <password> - the password associated with the specified user account.
• -E - use NT authentication to interact with SQL Server.
• -Q "<SQL-command>" - the command to issue to SQL Server.
• -i <file-of-SQL-commands> - a file containing one or more commands to issue to SQL Server.
2- Server Account Acquisition and Enumeration
We have searched for the open ports and for possible weak passwords, usernames etc. Now we have to acquire an account. This can be done via a brute force attack.

SQLDict tool:
• SQLdict is a basic single-IP brute-force MS SQL Server password utility.
• Used to carry out a dictionary attack against a specified IP address and a single user, usually the sa account.
• Enumeration is one of the crucial phases in penetration testing. The result of the enumeration can lead to the discovery of vulnerabilities that can be directly exploited.
• Enumeration allows us to gather information such as usernames, group names, host names, algorithms etc.
• To enumerate a database and get server accounts we can use Nmap to retrieve database information such as database names, table records, usernames, passwords etc.
• Nmap can also be used with Metasploit for enumeration.
The following script performs automatic enumeration using Nmap and Metasploit.
Using this script comes in handy when not much is known about the service.

Warning: if there are multiple login attempts from the same account, the account may get locked out.
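The warning above is also the defender's detection opportunity: every failed login is written to the SQL Server ERRORLOG as error 18456 with the client address, so a dictionary attack against sa shows up as a burst of failures from one client. The following sliding-window detector is an added example (not part of the slides, and not SQLDict or Metasploit output); it runs over a constructed ERRORLOG excerpt in the real log format and flags any client that accumulates `threshold` failures inside `window_seconds`. The timestamps, client addresses and login names are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict

# Constructed ERRORLOG excerpt (not a real capture). Each failure is logged as an
# "Error: 18456" line followed by a "Login failed" line carrying the client IP.
SAMPLE_ERRORLOG = """\
2024-03-01 09:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.8.42]
2024-03-01 09:15:01.52 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.8.42]
2024-03-01 09:15:02.03 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.8.42]
2024-03-01 09:15:02.61 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-01 09:15:02.61 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.8.42]
2024-03-01 09:15:03.15 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:03.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.8.42]
2024-03-01 09:20:33.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:20:33.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.5.7]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def detect_login_bruteforce(log_text: str, threshold: int = 5,
                            window_seconds: int = 60) -> Dict[str, dict]:
    """Return {client_ip: summary} for every client whose failed logins reach
    `threshold` within any `window_seconds` span. One alert per client."""
    recent = defaultdict(deque)   # client -> (timestamp, user) inside the window
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:                 # "Error: 18456" lines and everything else
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        client = m["client"]
        window = recent[client]
        window.append((ts, m["user"]))
        # drop failures that fell out of the window (the newest entry never does)
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and client not in alerts:
            alerts[client] = {
                "failures": len(window),
                "users": sorted({user for _, user in window}),
                "first": window[0][0].isoformat(sep=" "),
                "last": ts.isoformat(sep=" "),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_login_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {info['failures']} failures against {info['users']} "
              f"between {info['first']} and {info['last']}")
```

State 8 (wrong password) and state 5 (unknown login) are reported separately in the log, which is why the detector keys on the client address rather than on the login name: a password-spraying run that rotates usernames would otherwise never cross a per-account threshold.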
USING METASPLOIT
• Metasploit alone can be used for enumeration, but it needs msf credentials, i.e. a username and password.
• Using Metasploit, we can set the username and password, steal NTLM, gather information and perform privilege escalation. The script attached elucidates how it can be done.
3- Get All Users and Roles
Every database has users, and each user has roles assigned. These users have different privileges assigned to them based on their responsibilities.

SQL Server has different users and roles assigned to them, such as:
• Admin account sa: its password is null by default. Newer versions of SQL Server, however, mandate that the sa account have a complex password.
• Dbadmin: can create, alter, drop or restore databases.
• Distributor admin: server login used for SQL replication.
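Listing users and roles is also how a defender closes the gaps the previous steps rely on (a blank sa password, a dictionary-attackable sa login). The function below is an added example, not part of the slides; it audits rows shaped like the output of the real catalog views `sys.server_principals`, `sys.sql_logins` and `sys.server_role_members` and reports an enabled sa login, SQL logins created with `CHECK_POLICY = OFF`, and members of the high-privilege fixed server roles that are not on an expected list. The login names and role memberships in the sample rows are constructed, as is the expected-administrators list.

```python
from typing import Iterable, List, Tuple

# Fixed server roles whose members can take over the instance.
HIGH_PRIV_ROLES = {"sysadmin", "securityadmin", "serveradmin"}

# Constructed rows, shaped like the result of this T-SQL (real catalog views,
# made-up data):
#   SELECT p.name, p.type_desc, p.is_disabled, l.is_policy_checked, r.name AS role_name
#   FROM sys.server_principals p
#   LEFT JOIN sys.sql_logins l ON l.principal_id = p.principal_id
#   LEFT JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
#   LEFT JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
#   WHERE p.type IN ('S', 'U', 'G');
# Role rows are folded into one "roles" list per login here.
SAMPLE_LOGINS = [
    {"name": "sa", "type_desc": "SQL_LOGIN", "is_disabled": False,
     "is_policy_checked": True, "roles": ["sysadmin"]},
    {"name": "CORP\\DBA-Team", "type_desc": "WINDOWS_GROUP", "is_disabled": False,
     "is_policy_checked": None, "roles": ["sysadmin"]},
    {"name": "app_reports", "type_desc": "SQL_LOGIN", "is_disabled": False,
     "is_policy_checked": False, "roles": ["sysadmin"]},
    {"name": "etl_svc", "type_desc": "SQL_LOGIN", "is_disabled": False,
     "is_policy_checked": True, "roles": ["dbcreator"]},
]


def audit_logins(rows: Iterable[dict],
                 expected_high_priv: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (login, finding) pairs for configurations that a database
    penetration test would exploit first."""
    expected = set(expected_high_priv)
    findings: List[Tuple[str, str]] = []
    for row in rows:
        name = row["name"]
        roles = set(row["roles"])
        if name == "sa":
            # sa is always a sysadmin, so the only meaningful check is whether
            # it is still enabled (and therefore a target for dictionary attacks).
            if not row["is_disabled"]:
                findings.append((name, "sa login is enabled; disable it and "
                                       "administer through named logins"))
            continue
        if row["type_desc"] == "SQL_LOGIN" and row["is_policy_checked"] is False:
            findings.append((name, "SQL login created with CHECK_POLICY = OFF; "
                                   "Windows password policy is not enforced"))
        for role in sorted(roles & HIGH_PRIV_ROLES):
            if name not in expected:
                findings.append((name, f"member of fixed server role '{role}' "
                                       f"but not on the expected list"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_logins(SAMPLE_LOGINS, {"CORP\\DBA-Team"}):
        print(f"{login:16s} {finding}")
```

The expected list is deliberately an input rather than a constant: which Windows groups legitimately hold sysadmin is an organizational decision, and the audit's job is to surface every login that falls outside it.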
4- Perform Privilege Escalation

• A privilege escalation attack exploits weaknesses in a system to elevate access to a network, application and mission critical systems.
• We use privilege escalation to get system admin privileges and execute commands from the host.
5- Create a Report
When you have access to the admin account, you can perform various admin level tasks, meaning that you have successfully penetrated the database.
You must now create a report listing all the vulnerabilities that were present in the system and how you exploited them.
Other databases:
Other databases can be penetrated using the aforementioned steps. Given below are some of the ports used by different database servers.
Common Ports in ORACLE:
Oracle Listener
• 1521 (default)
• 1522 - 1529 alternate ports
Oracle HTTP Server
• 7777, 4443 (SSL)
Oracle XDB (XML DB)
• 8080 (HTTP)
• 2100 (FTP)
MYSQL
• Default listener port 3306/TCP.
• Default database login
– Login: root
– Password: <no password>
