SQL Server Security Attack Defense

PowerPoint PPT Presentation

Presentation Transcript

Slide 1

SQL Server Security: Attack & Defense
Chip Andrews (www.sqlsecurity.com)
January 2003, AtlantaMDF Users Group

Slide 2

Presentation Outline
- Introduction
- Attack
  - Fingerprinting
  - Account Acquisition
  - Privilege Escalation
  - SQL Injection
- Defense
  - Tools (Scanners/Patches)
  - Hardening Scripts
  - Secure Deployment
  - Input Validation
  - Best Practices

Slide 3

SQL Server Presence
- BizTalk Server 2000
- Commerce Server 2000
- Application Center Server 2000
- Third-party apps (SQL/MSDE)
  - Tumbleweed WorldSecure
  - Valadeo Technologies, Inc.
  - O'Reilly & Associates, Inc. (WebBoard)
  - Telemate.net
- Hierarchical file systems coming in the future (rumored link between Yukon and Longhorn development)

Slide 4

MSDE Proliferation
- Microsoft SQL Server Desktop Engine (formerly the Microsoft Data Engine)
- Development methodologies (agile) often recommend that every developer (or team) have a local database instance: http://martinfowler.com/articles/evodb.html
- Visual Studio .NET installs MSDE (vsDotNet/NetSDK)
- .NET Framework SDK (required for the samples)
- Office XP

Slide 5

Section 1 - Attack
- Fingerprinting/Discovery
- Acquiring Access
- Privilege Escalation
- Backdoors
- Covering tracks

Slide 6

Discovery - Target Acquisition
- Server fingerprinting via IP stack identification
  - Nmap/nmapnt: www.insecure.org/nmap, www.eeye.com
- IIS web servers - a good bet SQL Server is driving it
  - telnet targetname 80, then HEAD / HTTP/1.0
  - www.netcraft.com
- Dig for clues about target database usage
  - Newsgroups (groups.google.com)
  - SQL discussion boards (www.swynk.com)
  - Job postings: corporate site (click 'careers'), www.monster.com, etc.

Slide 7

Discovery - Port Scanning
- Use nslookup/whois to determine IP addresses: whois "target."@whois.arin.net
- TCP port 1433 (and 2433)
  - SQL Server defaults to listening on these ports because the TCP/IP sockets net-lib is installed by default (along with named pipes)
  - Hosting providers are especially juicy targets
- UDP port 1434 (SQL Server Resolution Service)

Slide 8

SQL Server Discovery – UDP 1434
- The multiple-instance capability of SQL Server 2000 makes enumeration a practical necessity
- A specially formed UDP packet directed at port 1434 causes the SQL 2K listener service to reveal information about each instance of SQL Server running on that machine
- Packet information:
  - Version (inaccurate – does not indicate patch level)
  - Instance names
  - Net-libs supported
  - TCP ports and pipe names
  - Clustered status (bullseye!)

Slide 9

Broadcast Discovery
- Since the listener may exist on many machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet
- osql -L will return a raw listing, but only of server names and only via local broadcast
- Network subnets such as 192.168.1.x (with a mask) can be scanned using a single packet directed at the broadcast address
- Any network class works (Class A, B, C)

Slide 10

SQLPing Utility
- http://www.sqlsecurity.com
- Directs a custom UDP packet at a specific target or subnet and enumerates the server information across multiple instances
- Sample output:

  SQLPinging
  Listening....
  ServerName:LANDROVER
  InstanceName:SQL2K
  IsClustered:No
  Version:8.00.194
  tcp:1241
  np:\\LANDROVER\pipe\MSSQL$SQL2K\sql\query

  ServerName:LANDROVER
  InstanceName:MSSQLServer
  IsClustered:No
  Version:7.00.623
  np:\\LANDROVER\pipe\sql\query
  tcp:1433
  rpc:LANDROVER
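The listener reply that SQLPing prints above is a flat run of "key;value" pairs, one ";;"-terminated run per instance. The parser below is an added example (Python, not SQLPing's own code) for a defender taking inventory of what their own listeners advertise; the response bytes are constructed here from the two instances shown above, and the field layout assumes the SQL Server 2000 resolution-service format (type byte 0x05, little-endian length, ASCII body).

```python
import struct

# Constructed response body modelled on the SQLPing output above (not a capture).
RESP_DATA = (
    "ServerName;LANDROVER;InstanceName;SQL2K;IsClustered;No;Version;8.00.194;"
    "tcp;1241;np;\\\\LANDROVER\\pipe\\MSSQL$SQL2K\\sql\\query;;"
    "ServerName;LANDROVER;InstanceName;MSSQLServer;IsClustered;No;Version;7.00.623;"
    "np;\\\\LANDROVER\\pipe\\sql\\query;tcp;1433;rpc;LANDROVER;;"
)
# Assumed wire framing: 0x05 type byte, 2-byte little-endian length, then the body.
SAMPLE_PACKET = b"\x05" + struct.pack("<H", len(RESP_DATA)) + RESP_DATA.encode("ascii")


def parse_ssrp_response(packet):
    """Return one dict per advertised instance, or [] if this is not a listener reply."""
    if len(packet) < 3 or packet[0] != 0x05:
        return []
    (size,) = struct.unpack_from("<H", packet, 1)
    body = packet[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # ";;" closes each instance's run of pairs
        fields = chunk.split(";")
        if len(fields) < 2:                  # trailing empty chunk after the final ";;"
            continue
        # keys sit at even offsets, values at odd offsets
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def exposure_report(instances):
    """Inventory view: which net-libs each instance exposes and whether it is clustered.
    Version is the product version only; as the slide notes, it says nothing about hotfix level."""
    return [
        {
            "instance": i.get("InstanceName"),
            "tcp_port": int(i["tcp"]) if "tcp" in i else None,
            "named_pipe": "np" in i,
            "clustered": i.get("IsClustered") == "Yes",
            "version": i.get("Version"),
        }
        for i in instances
    ]


if __name__ == "__main__":
    for entry in exposure_report(parse_ssrp_response(SAMPLE_PACKET)):
        print(entry)
```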

Slide 11

Discovery – Service Enumeration
- sc \\machine_name query bufsize= 60000 | find "MSSQL"
- Requires a Windows-authenticated user and NetBIOS connectivity
- Easily scriptable (replace the machine name with an IP address)
- Provides a way to see where SQL Servers exist on hosts even if the service is not running or the SQL TCP ports have been blocked

Slide 12

Account Acquisition
- Common accounts
  - sa (for the love of all that is holy – don't leave this blank)
  - distributor_admin (nor this one…)
- Brute force (mixed security mode)
  - Attacks the inherent weakness of the native SQL Server security model
  - Multiple freeware tools (sqldict, sqlpoke, sqlbf)
  - MSSQLServer lacks account lockouts and password complexity requirements
  - Do we even need to mention null "sa" account passwords?

Slide 13

Account Acquisition (cont.)
- Connection strings (mixed mode)
  - Client registry (regedit)
  - Embedded in ASP source or client-side script (RDS)
  - Config files (global.asa, connect.inc, web.config)
  - Source code disclosure: IIS has had plenty (online.securityfocus.com)
- Sniffing (mixed or NT security mode)
  - WiFi networks
  - L0phtCrack (to obtain an NT account)
  - Sniffing SQL (TCP 1433) traffic (non-SSL/RPC): plaintext transmission of credentials; passwords only trivially obfuscated (a mix of Unicode sprinkled with an XOR operation)

Slide 14

De-obfuscating SQL Server Passwords

Slide 15

Account Acquisition - SQL Injection
- Defined: the introduction of unintended SQL code into an application's database at runtime
- This effectively provides an attacker with a SQL Server account by using your application as a middle-man in the attack
- SQL injection attacks rarely alert IDS systems (made worse by SSL)
- Difficult to find all of the areas of exposure, since the only real solution is manual code review
- No amount of OS security, firewalls, or patch diligence will stop SQL injection. The best solution is good coding practices

Slide 16

SQL Injection Sample
ASP code sample:

  <%
  Set Conn = Server.CreateObject("ADODB.Connection")
  Conn.open "dsn=myapp;Trusted_Connection=Yes"
  Set RS = Conn.Execute("SELECT * from book_list where book_name='" & request.form("txtBookname") & "'")
  %>

Slide 17

SQL Injection Sample (cont.)
- Consider if the attacker searches for a book named: ' union select name from sysobjects--
- The single quote closes the intended statement
- The UNION statement appends another dataset to the query so the attacker can see the information he wants
- Could just as easily call any stored procedure or DDL command the attacker wanted, given an appropriate level of privilege
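As an added example (Python, not the slides' ASP), the book_list query from the previous two slides run both ways against a constructed in-memory SQLite database, with sqlite_master standing in for sysobjects: the concatenated form returns exactly the catalog names the slide's payload asks for, while the parameterized form treats the whole input as a book title and returns nothing.

```python
import sqlite3

# Constructed stand-in for the application's database (not the slides' code).
# SQLite's sqlite_master catalog plays the role of SQL Server's sysobjects.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE book_list (book_name TEXT)")
    conn.execute("CREATE TABLE customer_cards (card TEXT)")  # never meant to be visible to a book search
    conn.executemany("INSERT INTO book_list VALUES (?)",
                     [("SQL Server Security",), ("ASP in a Nutshell",)])
    return conn


def search_concat(conn, txt_bookname):
    """Mirrors the slide's ASP: user input spliced directly into the SQL text."""
    sql = "SELECT * FROM book_list WHERE book_name='" + txt_bookname + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, txt_bookname):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT * FROM book_list WHERE book_name=?"
    return [row[0] for row in conn.execute(sql, (txt_bookname,))]


# The slide's probe, with the catalog name adapted to SQLite.
PAYLOAD = "' union select name from sqlite_master--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_concat(db, PAYLOAD))   # leaks the table names
    print("parameterized:", search_param(db, PAYLOAD))   # []: treated as a (nonexistent) title
```

In classic ASP the same fix is an ADODB.Command whose Parameters collection carries the value, instead of building the statement with string concatenation.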

Slide 18

SQL Injection - Tricks attackers use
- UNION statements to append data ripped from other tables
- "--" double-hyphen comment indicator to block out the rest of the intended SQL
- Try a single quote in input fields to see if the query fails (failure usually indicates bad input validation and possible exploitability)
- exec master..xp_cmdshell 'ping HACKER_IP' to check for 'sa'-level exploitable hosts
- select name from sysobjects where type = 'u' can expose tables to exploit
- INSERT tablename EXEC sp_whatever – a good way to see the output of stored procedures
- Use @@version to return the SQL Server and OS versions and Service Packs

Slide 19

Account Acquisition – Buffer Overflows
- By overflowing buffers on listening ports it is possible to gain a system shell on an unpatched target server with the privilege level of the SQL Server service account (often LocalSystem)
- There are known attacks against both the SQL Server Resolution Service, by David Litchfield (http://online.securityfocus.com/bid/5311), and the TCP SQL Server listener ("Hello Bug"), by Dave Aitel (http://lists.insecure.org/lists/pen-test/2002/Aug/0016.html)
- Exploit code for both is "in the wild"
- Buffer overflows exist remotely as well as internally (privilege escalation) via server functions and extended stored procedures

Slide 20

Privilege Escalation
- Primary techniques
  - Unpatched server bugs, such as the _many_ extended stored procedure privilege escalation attacks and multiple OPENROWSET vulnerabilities (check online.securityfocus.com/bid for the latest)
  - Trojan stored procedures (sp_who, for example)
  - Deferred compilation (EXECUTE)

Slide 21

Privilege Escalation (cont.)
- Other methods
  - xp_regread (registry enumeration): any ordinary user can see the service context via master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\MSSQLSERVER','ObjectName'
  - OPENROWSET – heterogeneous queries can allow attackers to brute-force their way into other systems
  - Errors in extended stored procedures and system stored procedures
  - SQLAgent Jobs - http://www.ngssoftware.com/advisories/mssql-esppu.txt
  - Webtasks - http://www.ngssoftware.com/advisories/mssql-webtasks.txt
  - The list goes on… See online.securityfocus.com for a complete listing
- Bottom line: if you are not keeping up with patches, then any user with SQL Server access can trivially elevate privilege unless extensive steps have been taken

Slide 22

They're in as sysadmins - Now What?
- Create a backdoor SQL or NT account
- Insert a trojan extended stored procedure to capture passwords/data/events
- Use tftp to pull in toolkits
- Use this SQL Server to launch attacks against other hosts
- Install a proxy server to make this machine a platform for further attacks on other systems
- Take your data and make you suffer as expected – the possibilities are limited only by the imagination

Slide 23

Attack Conclusion
- Take time to put yourself in the place of somebody who really wants to get at you or your employer. How far could you get?
- What if the attacker is a former employee?
- Do our defenses match the threat and risk levels?
- Would we even know if we were under attack?
- Examine your networks and determine what people inside and outside can access
- Brute-force your own systems to make sure password complexity and account policies (if using Windows security) are adequate
- Multitude of free tools at www.sqlsecurity.com

Slide 24

Defense
- What can you do to protect against each level of attack?
- How do I stay up to date with patch