How to hack a database
a few ideas
Eric Selje
Madison, WI
@EricSelje
Salty Dog Solutions, LLC
[email protected]
Database Developer
Madfox since 1995
Geek lunch since 2010
Before I begin…
• Thank you Sponsors!
  o Please visit the sponsors during the vendor break from 2:45 – 3:15 and enter their end-of-day raffles
• Event After Party
  o Dave and Buster’s in Southdale Center, 3rd floor by Macy’s, starting at 6:15
• Want More Free Training?
  o PassMN meets the 3rd Tuesday of every month. https://mnssug.org/
3 | 10/10/2015
Session Title Here
Super Smart Super Serious Hackers Only?
Recipe for a hack
1. Start w/ a pre-mixed box of readily available tools
2. Add a few minutes of easily obtained know-how (i.e. Google)
3. Scoop in a cup of blind luck
4. Dash of bitters
5. Top with a heaping helping of lax security
6. Mix well
“Hack”
“to do something with a system that it wasn’t meant to do”
• Stealing data
• Deleting it altogether
• Altering data
“Database”
Any sensitive data store, from SQL Server down to a text file full of passwords
How to Hack a database
• Steal it in person
• Access it onsite
• Sniff the network
• Scam your way in
• Plant some malware
• Inject some SQL
Steal the entire Database
• Grab a backup
• Find “leaked” data
• Get physical access
• Find a vulnerable employee
Offsite backups
Offsite backups - Cloud
Find Data “leakage”
• Public source repos
• ODBC connections
• Passwords
• Keys
• TempDB
• Fake mirrors
Get onsite via Social Engineering
• PHYSICAL
  o Tailgating
  o Uniforms
• VIRTUAL
  o Spam
  o Spearphishing
Once you’re physically onsite
• Server room
• Tapes / external drives
• Removable drives
• Lockable faceplates on servers
• Locked-down KVM console
• Unlocked workstations
• Trash
Sniff around the network
Get on the “same network”: public Wi-Fi, VPN, inside
• SSMS
• SQL Browser (“Hey, I’m here!”)
• Nmap
GET VIRTUALLY ONSITE
SPAM
SPEARPHISHING
Find vulnerabilities
Day Zero
• When a patch is released, hackers reverse engineer the code to see how the vulnerability can be exploited.
• Websites set up to lure and exploit
Malware
• Tricks to deliver it
• Sent by spam/spearphishing
• USB drive
• P2P networks
• Rootkit / backdoor
• Access remotely
• Turn off unused protocols/ports
• More info on Blackhat.com
• Collects passwords (Zeus)
• RAM scraping
Stealing entire Databases (recap)
• Stealing backups
• Finding “leaked” data
• Gaining access, physically or virtually
• Disgruntled / vulnerable employees
SQL INJECTION!
Example of sql injection
http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies
Sql injection
INSERT INTO license (plateNo) VALUES ('ZU0666'); DROP TABLE license;
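As an added illustration that is not part of the slides, the stacked-query injection above run against an in-memory SQLite table, beside the parameterized form that defeats it; the license table, the plate values and the use of executescript() to mimic an ad-hoc batch are constructed for the demo:

```python
import sqlite3

# Constructed attacker input: closes the quoted value, appends the DROP from
# the slide, and comments out the tail of the original statement.
MALICIOUS_PLATE = "ZU0666'); DROP TABLE license; --"


def fresh_db():
    """Throw-away in-memory database with one legitimate row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE license (plateNo TEXT)")
    conn.execute("INSERT INTO license (plateNo) VALUES ('AB1234')")
    conn.commit()
    return conn


def insert_vulnerable(conn, plate):
    """Dynamic SQL: the user value is pasted straight into the statement.
    executescript() runs every statement in the string, the way a SQL Server
    client submitting an ad-hoc batch runs stacked queries."""
    sql = "INSERT INTO license (plateNo) VALUES ('" + plate + "');"
    conn.executescript(sql)


def insert_parameterized(conn, plate):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    conn.execute("INSERT INTO license (plateNo) VALUES (?)", (plate,))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def plates(conn):
    """Every stored plate, or an empty list if the table has been dropped."""
    if not table_exists(conn, "license"):
        return []
    return [r[0] for r in conn.execute("SELECT plateNo FROM license ORDER BY plateNo")]
```

With the malicious plate, insert_vulnerable() leaves no license table at all, while insert_parameterized() stores the whole string as one harmless value.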
Sql injection
FIND A SITE susceptible to SQL injection
There are 3rd party tools created just so you can test whether your site is susceptible, but there's nothing to stop you from testing whether other sites are as well.
• sqlmap
• arachni
• IronWasp
• Hav
“Google dorks”
Inept or foolish people as revealed by Google.
This Google query finds all the XLS spreadsheets that have the words UserName and Password in them.
Entire websites devoted to this: Google dorks
So what?
Ready-made lists
Kali Linux
Linux distro explicitly designed for penetration testing: http://tools.kali.org/tools-listing
• Wi-Fi crackers
• Brute-force password crackers
• Website vulnerabilities
• Network sniffers
• Network mappers
• SQL exploits
Use sqlmap
Open source penetration testing tool
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, et al.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables
sqlmap
DEMO!
More SQL tools
mssql_enum
• The “mssql_enum” admin module accepts a set of credentials and queries an MSSQL instance for various configuration settings.
mssql_exec
• The “mssql_exec” admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.
Think like a hacker, Act like a CSO
Use the same vulnerability testing tools to find holes in your own security.
PRINCIPLE OF LEAST PRIVILEGE
PENETRATE YOURSELF
READ UP ON SECURITY
• https://blog.netspi.com/author/scott-sutherland/
• https://www.simple-talk.com/sql/database-administration/how-to-get-sql-server-security-horribly-wrong/
Thank you!
• Let’s keep the conversation going…
• @EricSelje on Twitter
• [email protected]
Evaluations!
• Remember to fill out your online evaluations for the event and any sessions you have attended. They will be online until 10/17/15.
http://www.sqlsaturday.com/453/eventeval.aspx
http://www.sqlsaturday.com/453/sessions/sessionevaluation.aspx