LPTv4 module 30 database penetration testing


ECSA/LPT, EC-Council, Module XXX: Database Penetration Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing (cont'd)

Penetration Testing Roadmap (cont'd)

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

List of Steps

1. Scan for default ports used by the database
2. Scan for non-default ports used by the database
3. Identify the instance names used by the database
4. Identify the version numbers used by the database
5. Attempt to brute force password hashes from the database
6. Sniff database related traffic on the local wire

List of Steps (cont'd)

7. Microsoft SQL server testing:
• 7.1. Test for direct access interrogation
• 7.2. Scan for Microsoft SQL server ports (TCP/UDP 1433)
• 7.3. Test for SQL Server Resolution Service (SSRS)
• 7.4. Test for buffer overflow in pwdencrypt() function
• 7.5. Test for heap/stack buffer overflow in SSRS
• 7.6. Test for buffer overflows in extended stored procedures
• 7.7. Test for service account registry key
• 7.8. Test the stored procedure to run web tasks
• 7.9. Exploit SQL injection attack
• 7.10. Blind SQL injection
• 7.11. Google hacks
• 7.12. Attempt direct-exploit attacks
• 7.13. Try to retrieve server account list
• 7.14. Using OSQL test for default/common passwords
• 7.15. Try to retrieve sysxlogins table
• 7.16. Brute-force SA account

8. Oracle server testing:
• 8.1. Port scan UDP/TCP ports (TCP/UDP 1433)
• 8.2. Check the status of TNS listener running at Oracle server
• 8.3. Try to login using default account passwords
• 8.4. Try to enumerate SIDs
• 8.5. Use SQL*Plus to enumerate system tables

9. MySQL server database testing:
• 9.1. Port scan UDP/TCP ports (TCP/UDP )
• 9.2. Extract the version of database being used
• 9.3. Try to login using default/common passwords
• 9.4. Brute-force accounts using dictionary attack
• 9.5. Extract system and user tables from the database

Step 1: Scan for Default Ports Used by the Database

Use port scanning tools such as Nmap to scan for the ports used by the database. Following are the default ports used for different products like Oracle Database or Oracle Application Server:

[...]

Step 2: Scan for Non-Default Ports Used by the Database

Following are some other ports used by Oracle:

Service          Port   Notes
sql*net          66     Oracle SQL*NET
SQL*Net 1        1525   [...]
[...]            1748   -
oracle-em2       1754   -
Oracle-VP2       1808   -
Oracle-VP1       1809   -

Step 2: Scan for Non-Default Ports Used by the Database (cont'd)

Service          Port   Notes
oracle?          2005   Registered as "berknet" for 2005 TCP, oracle for 2005 UDP
Oracle GIOP      2481   giop
Oracle GIOP SSL  2482   giop-ssl
Oracle TTC       2483   ttc
Oracle may use [...]

Step 3: Identify the Instance Names Used by the Database

• Specify a unique name while configuring an instance of Notification Services
• The instance name is used to identify instance database objects
• Instance resources are located by Notification Services using the instance name
• The instance name must be kept short, and based on unchanging entities
• The database supports multiple instances, but only one instance [...]

Step 3: Identify the Instance Names Used by the Database (cont'd)

[...] language
• Same clustered state
• Run WinSID to find instances of Oracle database

Step 4: Identify the Version Numbers Used by the Database

To check the version information of, for example, the Oracle database, simply connect and log in to the Oracle database with SQL*Plus. After login, you will see:
• SQL*Plus: [...]

Step 5: Attempt to Brute-Force Password Hashes from the Database

Use tools such as Orabf to brute force password hashes. Orabf is a brute force/dictionary tool for Oracle [...]

Step 6: Sniff Database Related Traffic on the Local Wire

• Sniffing determines the number of database connections
• Use packet sniffing tools such as [...] to sniff data packets from a network

Step 7: Microsoft SQL Server Testing

• Test for direct access interrogation
• Scan for Microsoft [...]

Step 7.1: Test for Direct Access Interrogation

• Direct or ad hoc access enables users to directly access the underlying data structures
• Write special queries using asterisks (*) to directly interrogate the database

Step 7.2: Scan for Microsoft SQL Server Ports (TCP/UDP 1433)

Port 1433: Microsoft's SQL server, including [...]

Step 7.6: Test for Buffer Overflows in Extended Stored Procedures

• Check the extended stored procedures that cause stack buffer overflow
• Check the publicly accessible database queries and filter them before processing
• Try to load and execute a database query that calls one of the affected functions
• Run the arbitrary code with the escalated privileges of the SQL service account

Step 7.9: Exploit SQL Injection Attack

An SQL injection attack enables a user to read the details of the database. Run special queries to gain access to the database, such as:
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') [...]

Step 7.11: Google Hacks

Google searches for SQL server errors that enable unauthorized users to find databases and vulnerabilities in SQL server. Check out Google queries at Johnny Long's "Google Hacking Database": http://johnny.ihackstuff.com/index.php?module=prodreviews
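The EXISTS(...) probe quoted under Step 7.9 works only because the application splices the user-supplied value into the SQL text. The following Python script is an added example, not part of the EC-Council slides, that shows the same probe against a vulnerable lookup and against a parameterized one. It assumes a constructed in-memory sqlite3 table named users with two made-up rows; the function names (make_db, count_users_vulnerable, count_users_parameterized, boolean_probe, probe_leaks) are hypothetical and chosen for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
SAMPLE_USERS = [("jake", "swordfish"), ("ann", "letmein")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_users_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Vulnerable lookup: the untrusted value is spliced into the SQL text,
    so a quote in the input closes the literal and the remainder runs as SQL."""
    sql = "SELECT count(*) FROM users WHERE name='" + name + "'"
    return conn.execute(sql).fetchone()[0]


def count_users_parameterized(conn: sqlite3.Connection, name: str) -> int:
    """Hardened lookup: the value is bound as a parameter, so the whole input
    is compared as one string and is never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE name=?"
    return conn.execute(sql, (name,)).fetchone()[0]


def boolean_probe(pattern: str) -> str:
    """Build the kind of value the slide quotes: the EXISTS(...) subquery is
    true only when jake's password matches `pattern`, and the trailing
    AND ''=' re-balances the closing quote the application appends."""
    return (
        "jake' AND EXISTS(SELECT * FROM users WHERE name='jake' "
        "AND password LIKE '" + pattern + "') AND ''='"
    )


def probe_leaks(conn: sqlite3.Connection, lookup, pattern: str) -> bool:
    """True when the lookup's answer depends on the secret, i.e. the query is
    evaluating the injected subquery instead of matching a user name."""
    return lookup(conn, boolean_probe(pattern)) == 1


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", count_users_vulnerable),
                      ("parameterized", count_users_parameterized)):
        hit = probe_leaks(db, fn, "%w%")   # jake's sample password contains 'w'
        miss = probe_leaks(db, fn, "%z%")  # it does not contain 'z'
        print(f"{label:14s} LIKE '%w%' -> {hit}, LIKE '%z%' -> {miss}")
```

The vulnerable lookup answers True for '%w%' and False for '%z%': one bit about the stored password per request, which is exactly what the blind injection in Steps 7.9 and 7.10 extracts. The parameterized lookup answers False for both, because the entire probe is compared as a user name that does not exist. In detection terms, a lookup whose row count changes with the contents of a quoted subquery in the input is the signal to test for in application logs and WAF telemetry.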

Posted: 18/12/2014, 09:28
