ECSA/LPT Module XXIX EC-Council Database Penetration Testing

29 Database Penetration Testing


Page 1: 29 Database Penetration Testing



Step 1: Scan for Default Ports Used by the Database

Use port scanning tools such as Nmap to scan for the ports used by the database.

Following are the default ports used for different products like Oracle Database or Oracle Application Server:

Copyright © by EC-Council EC-Council All Rights reserved. Reproduction is strictly prohibited


Step 2: Scan for Non-Default Ports Used by the Database

Following are some other ports used by Oracle:

Service                  Port   Notes
sql*net                  66     Oracle SQL*NET
SQL*Net 1                1525   Registered as orasrv
tlisrv                   1527   -
coauthor                 1529   -
Oracle Remote Data Base  1571   rdb-dbs-disp
oracle-em1               1748   -
oracle-em2               1754   -
Oracle-VP2               1808   -
Oracle-VP1               1809   -


Step 3: Identify the Instance Names Used by the Database

Specify a unique name while configuring an instance of Notification Services. The instance name is used to identify the instance's database objects.

Instance resources are located by Notification Services using the instance name.

The instance name must be kept short and based on unchanging entities.

A database supports multiple instances, but only one instance can be the default instance.

Instance name criteria:

• Same version • Same edition • Same language • Same clustered state

Run WinSID to find instances of Oracle database


Step 4: Identify the Version Numbers Used by the Database

To check the version information of, for example, an Oracle database, simply connect and log in to the Oracle database with SQL*Plus. After login, you will see:

• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005

Oracle Universal Installer can also be used to check Oracle version information.

Examples: Oracle8i, 9i, 10g, 11i…


Step 5: Attempt to Brute-force Password Hashes from the Database

Use tools such as Orabf to brute force password hashes. Orabf is a brute force/dictionary tool for Oracle hashes.


Step 6: Sniff Database Related Traffic on the Local Wire

Sniffing determines the number of database connections.

Use packet sniffing tools such as to sniff data packets from a network


Step 7: Microsoft SQL Server Testing

Test for direct access interrogation

Scan for Microsoft SQL Server ports (TCP/UDP 1433)

Test for SQL Server Resolution Service (SSRS)

Using OSQL, test for default/common passwords

Try to retrieve the Sysxlogins table

Brute force the SA account
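From the defender's side, the default-password and SA brute-force attempts in this step leave a trail in the SQL Server ERRORLOG as repeated error 18456 "Login failed for user" entries. The following Python script is an added example (not from the EC-Council module) that parses constructed sample lines in that format and flags any client/login pair with a burst of failures inside a short window; the log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not a real capture).
# Each failed login is logged as error 18456 "Login failed for user ...".
SAMPLE_LOG = """\
2024-03-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:00:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:00:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:00:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:00:10.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 10:17:44.05 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-03-01 11:02:09.60 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]\s]+)\]"
)

def parse_failed_logins(text):
    """Return (timestamp, login, client_ip) for every 18456 line in the log."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each (client, login) pair whose densest burst of failures
    inside `window` reaches `threshold` (sliding-window count)."""
    by_pair = defaultdict(list)
    for ts, user, client in events:
        by_pair[(client, user)].append(ts)
    alerts = []
    for (client, user), times in by_pair.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "user": user, "failures": best})
    return alerts
```

Running `detect_bruteforce(parse_failed_logins(SAMPLE_LOG))` on the sample flags the five rapid 'sa' failures from 192.0.2.10 and ignores the two widely spaced 'appuser' failures.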


Step 8: Oracle Server Testing

Port scan UDP/TCP ports ( TCP/UDP 1433 )

Check the status of the TNS listener running at the Oracle server

Try to login using default account passwords

Try to enumerate SIDs

Use SQL plus to enumerate system tables


Step 9: MySQL Server Database Testing

Port scan UDP/TCP ports ( TCP/UDP )

Extract the version of the database being used

Try to logon using default/common passwords

Brute force accounts using dictionary attack

Extract system and user tables from the database


Dictionary Attack Tools

Following are some of the Dictionary attack tools:

• Cain & Abel • John the Ripper • THC Hydra • Aircrack • L0phtcrack • AirSnort • SolarWinds • Pwdump • RainbowCrack • Brutus


Dictionary Attack Tool: Cain & Abel

Password recovery tool for Microsoft Operating Systems

Allows easy recovery of various kinds of passwords by:

• Sniffing the network
• Cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks
• Recording VoIP conversations
• Decoding scrambled passwords
• Recovering wireless network keys
• Revealing password boxes
• Uncovering cached passwords
• Analyzing routing protocols

Its main purpose is simplified recovery of passwords and credentials from various sources


Dictionary Attack Tool: SQLdict

SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.

The use of this tool is simple: specify the IP address being attacked and the user account to go up against, then load an appropriate wordlist to try via the Load Password File button.


Recap

In this module we learnt:

How to scan Default and Non-Default ports of Database

How to identify Instance names, Version numbers of database servers

How to test Microsoft SQL Server, Oracle Server, and MySQL Server Database

How to enumerate SIDs and crack login passwords
