LPTv4 module 30 database penetration testing


ECSA/LPT
EC-Council
Module XXX
Database Penetration Testing
Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here
List of Steps
1. Scan for default ports used by the database
2. Scan for non-default ports used by the database
3. Identify the instance names used by the database
4. Identify the version numbers used by the database
5. Attempt to brute force password hashes from the database
6. Sniff database related traffic on the local wire
List of Steps (cont'd)
7. Microsoft SQL server testing:
• 7.1. Test for direct access interrogation
• 7.2. Scan for Microsoft SQL server ports (TCP/UDP 1433)
• 7.3. Test for SQL Server Resolution Service (SSRS)
• 7.4. Test for buffer overflow in pwdencrypt() function
• 7.5. Test for heap/stack buffer overflow in SSRS
• 7.6. Test for buffer overflows in extended stored procedures
• 7.7. Test for service account registry key
• 7.8. Test the stored procedure to run web tasks
• 7.9. Exploit SQL injection attack
• 7.10. Blind SQL injection
• 7.11. Google hacks
• 7.12. Attempt direct-exploit attacks
• 7.13. Try to retrieve server account list
• 7.14. Using OSQL test for default/common passwords
• 7.15. Try to retrieve sysxlogins table
• 7.16. Brute-force SA account
List of Steps (cont'd)
8. Oracle server testing:
• 8.1. Port scan UDP/TCP ports (TCP/UDP 1433)
• 8.2. Check the status of TNS listener running at Oracle server
• 8.3. Try to login using default account passwords
• 8.4. Try to enumerate SIDs
• 8.5. Use SQL*Plus to enumerate system tables
9. MySQL server database testing:
• 9.1. Port scan UDP/TCP ports (TCP/UDP )
• 9.2. Extract the version of database being used
• 9.3. Try to login using default/common passwords
• 9.4. Brute-force accounts using dictionary attack
• 9.5. Extract system and user tables from the database
Step 1: Scan for Default Ports Used by the Database
Use port scanning tools such as Nmap to scan for the ports used by the database. Following are the default ports used for different products like Oracle Database or Oracle Application Server:

Step 1: Scan for Default Ports Used by the Database (cont'd)
[Table of default ports for Oracle products]
Step 2: Scan for Non-Default Ports Used by the Database
Following are some other ports used by Oracle:

Service                  Port  Notes
sql*net                  66    Oracle SQL*NET
SQL*Net 1                1525  Registered as orasrv
tlisrv                   1527  -
coauthor                 1529  -
Oracle Remote Data Base  1571  rdb-dbs-disp
oracle-em1               1748  -
oracle-em2               1754  -
Oracle-VP2               1808  -
Oracle-VP1               1809  -
Step 2: Scan for Non-Default Ports Used by the Database (cont'd)

Service                  Port  Notes
oracle?                  2005  Registered as "berknet" for 2005 TCP, oracle for 2005 UDP
Oracle GIOP              2481  giop
Oracle GIOP SSL          2482  giop-ssl
Oracle TTC               2483  ttc. Oracle may use this port to replace 1521 in future
Oracle TTC SSL           2484  ttc-ssl
OEM Agent                3872  oem-agent
Oracle RTC-PM port       3891  rtc-pm-port
Oracle dbControl Agent   3938  dbcontrol_agent
Step 3: Identify the Instance Names Used by the Database
• Specify a unique name while configuring an instance of Notification Services
• The instance name is used to identify instance database objects
• Instance resources are located by Notification Services using the instance name
• The instance name must be kept short, and based on unchanging entities
• The database supports multiple instances, but only one instance can be a default instance

Instance name criteria:
• Same version
• Same edition
• Same language
• Same clustered state

Run WinSID to find instances of Oracle database
Step 4: Identify the Version Numbers Used by the Database
To check the version information of, for example, the Oracle database, simply connect and login to the Oracle database with SQL*Plus. After login, you will see:
• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005

Oracle Universal Installer also checks for Oracle version information.
Examples: Oracle8i, 9i, 10g, 11i
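An added example (not part of the EC-Council module) that shows how the release line SQL*Plus prints after login, as quoted above, can be parsed and compared against a minimum acceptable release for inventory purposes. The regular expression, the `BASELINE` value and the second and third sample banners are assumptions constructed for this example; only the first banner is the line quoted on the slide.

```python
"""Parse the 'Release x.y.z' line SQL*Plus prints after login and flag
releases below a baseline chosen by the administrator.  Added example;
the baseline and the extra sample banners are constructed."""
import re
from typing import List, Optional, Tuple

# Matches the dotted release in lines such as
# "SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005".
# Assumption: the server banner SQL*Plus prints after "Connected to:"
# uses the same "Release x.y.z" wording.
BANNER_RE = re.compile(r"Release\s+(\d+(?:\.\d+)+)")


def parse_release(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the dotted release as a tuple of ints, or None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_below(release: Tuple[int, ...], baseline: Tuple[int, ...]) -> bool:
    """Compare component-wise, padding the shorter tuple with zeros so
    that 9.2.0.6.0 and 11.2.0.4 can be compared directly."""
    n = max(len(release), len(baseline))
    padded_release = release + (0,) * (n - len(release))
    padded_baseline = baseline + (0,) * (n - len(baseline))
    return padded_release < padded_baseline


def audit_banners(banners: List[str], baseline: Tuple[int, ...]):
    """Return (banner, release_or_None, below_baseline) for each banner."""
    results = []
    for banner in banners:
        release = parse_release(banner)
        below = release is not None and is_below(release, baseline)
        results.append((banner, release, below))
    return results


# Constructed sample input: the first line is the one quoted on the slide.
SAMPLE_BANNERS = [
    "SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005",
    "Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production",
    "Connected to an idle instance.",
]
# Hypothetical minimum acceptable release for this example.
BASELINE = (11, 2, 0, 4)

if __name__ == "__main__":
    for banner, release, below in audit_banners(SAMPLE_BANNERS, BASELINE):
        if release is None:
            status = "no release found"
        else:
            status = "BELOW baseline" if below else "ok"
        print(f"{status:16} {banner}")
```

The component-wise comparison matters because Oracle release strings vary in length; a plain string comparison would order "9.2.0.6.0" after "19.0.0.0.0".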
Step 5: Attempt to Brute-Force Password Hashes from the Database
• Use tools such as Orabf to brute force password hashes.
• Orabf is a brute force/dictionary tool for Oracle hashes.
Step 6: Sniff Database Related Traffic on the Local Wire
• Sniffing determines the number of database connections.
• Use packet sniffing tools such as  to sniff data packets from a network.
Step 7: Microsoft SQL Server Testing
• Test for direct access interrogation
• Scan for Microsoft SQL Server ports (TCP/UDP 1433)
• Test for SQL Server Resolution Service (SSRS)
• Using OSQL test for default/common passwords
• Try to retrieve Sysxlogins table
• Brute force SA account
Step 7.1: Test for Direct Access Interrogation
• Direct or ad hoc access enables users to directly access the underlying data structures.
• Write special queries using asterisks (*) to directly interrogate the database.
Step 7.2: Scan for Microsoft SQL Server Ports (TCP/UDP 1433)
• Port 1433: Microsoft's SQL server, including the desktop editions that are often silently installed with other Microsoft applications, opens and services queries delivered over incoming TCP connections through this port.
• Use a port scanning tool to scan port 1433 for Microsoft SQL server services.
Step 7.3: Test for SQL Server Resolution Service (SSRS)
• SSRS is used to provide referral services for multiple server instances running on the same machine.
• Scan UDP port 1434 for SQL Server Resolution Service (SSRS).
• Alternately, ping UDP port 1434 from another SQL server; a reply confirms SSRS.
Step 7.3: Test for SQL Server Resolution Service (SSRS) (cont'd)
• Check the hidden database instances and probe deeper into the system using the command:
sqlping3cl.exe -scantype [range,list,stealth] -StartIP [IP] -EndIP [IP] -IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]
• Run the SQLPing v2.5 tool to look for SQL Server systems and find their version numbers.
Step 7.4: Test for Buffer Overflow in pwdencrypt() Function
• The pwdencrypt() function compares the user supplied password with the stored password while logging in.
• A buffer overflow in the pwdencrypt() function provides a chance for an intruder to run arbitrary code in the SQL server by sending a crafted password value.
• Check the unchecked buffer in the password encryption procedure and the bulk insert procedure.
• Check the incorrect permission on the SQL Server service account registry key.
Step 7.5: Test for Heap/Stack Buffer Overflow in SSRS
• Arbitrary code can be run by sending a crafted request to port 1434/udp.
• Scan the UDP port 1434 at the firewall.