Updates from June, 2016

  • Anıl Akduygu 16:27 on 19 June 2016

    Control MS SQL Server security with nmap 

    Nmap ships with many valuable scripts for checking the security of an MS SQL Server database. In this note I will show you how you can audit your SQL Server with nmap.

    Check the sa account for a null password

    ms-sql-empty-password

    Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

    One example:

    nmap -p 1433 --script ms-sql-empty-password 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:41 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.00064s latency).
    PORT     STATE SERVICE
    1433/tcp open  ms-sql-s
    | ms-sql-empty-password:
    |   [192.200.11.11:1433]
    |_    sa:<empty> => Login Success
    MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
    Nmap done: 1 IP address (1 host up) scanned in 17.5

    If port 445 (the microsoft-ds service) is open, the instances can be discovered through SMB instead:

    nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:44 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.00059s latency).
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

    Host script results:
    | ms-sql-empty-password:
    |   [192.200.11.11:1433]

    Brute force attacks

    nmap -p1433 --script ms-sql-brute 192.200.11.11

    Host is up, received arp-response (0.00064s latency).
    Scanned at 2016-06-12 12:20:41 EDT for 157s
    PORT     STATE SERVICE  REASON
    1433/tcp open  ms-sql-s syn-ack ttl 128
    | ms-sql-brute:
    |   [192.200.11.11:1433]
    |_    No credentials found
    MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
    Final times for host: srtt: 636 rttvar: 3138  to: 100000

    Dumping the password hashes of an MS SQL server

    If the sa password is null:

    nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:03 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.016s latency).
    PORT     STATE SERVICE
    1433/tcp open  ms-sql-s
    | ms-sql-dump-hashes:
    | [192.200.11.11:1433]
    |     sa:0x0200EC357FC5FA85256C4BC37667845B81E84C0F3CA9E7AD2BC7FB94FB698E5243FC5112C2B240884C44E71FD45195BB60B4AAF63D24B909C5945285793D0605E4D09E886849
    |     ##MS_PolicyTsqlExecutionLogin##:0x0200251457811E7CB37A8C9746EC742325673A60D16B98DF182FCF7E4410A2FB1B03C36B2E60A68BB269C7D47B3C43F6CB485365CF5D171A48171B6DA6DB74CDEA40759E9DFC
    |     ##MS_PolicyEventProcessingLogin##:0x0200F8A9BBBADB33E242C190EE82D15BB47564F46C5BF7B29B0124F32DCFF96837F9F243BD054F0A0D2B8D5C4D95F885B30EAA47F94F7FBBD3EA613DF64F05E14659742EB868

    Getting information

    Attempts to determine configuration and version information for Microsoft SQL Server instances. No credentials are required.

    nmap -p1433-1900 --script ms-sql-info 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 11:55 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.00096s latency).
    Not shown: 467 closed ports
    PORT STATE SERVICE
    1433/tcp open ms-sql-s
    MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

    Host script results:
    | ms-sql-info:
    | 192.200.11.11:1433:
    | Version:
    | number: 11.00.3128.00
    | Post-SP patches applied: true
    | Service pack level: SP1
    | Product: Microsoft SQL Server 2012
    | name: Microsoft SQL Server 2012 SP1+
    |_ TCP port: 1433

     

    Running a command shell on MS SQL servers

    To run the dir command on the Windows server, if the sa account password is null:

    nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password="",ms-sql-xp-cmdshell.cmd="dir" 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:38 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.00046s latency).
    PORT STATE SERVICE
    1433/tcp open ms-sql-s
    | ms-sql-xp-cmdshell:
    | [192.200.11.11:1433]
    | Command: dir
    | output
    | ======
    | Volume in drive C has no label.
    | Volume Serial Number is 1E1E-6DAB
    | Null
    | Directory of C:\Windows\system32
    | Null
    | 19/06/2016 01:51 <DIR> .
    | 19/06/2016 01:51 <DIR> ..
    | 30/09/2013 16:44 <DIR> 0409
    | 02/01/2016 12:33 <DIR> 1033
    | 18/06/2013 07:48 160 @OpenWithToastLogo.png
    | 18/06/2013 08:04 120 @TileEmpty1x1Image.png
    | 22/08/2013 03:39 3,812,352 accessibilitycpl.dll
    | 22/08/2013 04:45 39,424 ACCTRES.dll

     

    Running a SQL query

    Runs a query against Microsoft SQL Server (ms-sql).

    nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password="",ms-sql-query.query="SELECT * FROM syslogins" 192.200.11.11

    Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 06:02 EDT
    Nmap scan report for 192.200.11.11
    Host is up (0.00060s latency).
    PORT STATE SERVICE
    1433/tcp open ms-sql-s
    | ms-sql-query:
    | [192.200.11.11:1433]
    | Query: SELECT * FROM syslogins
    | sid status createdate updatedate accdate totcpu totio spacelimit timelimit resultlimit name dbname password language denylogin hasaccess isntname isntgroup isntuser sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin loginname
    | === ====== ========== ========== ======= ====== ===== ========== ========= =========== ==== ====== ======== ======== ========= ========= ======== ========= ======== ======== ============= =========== ========== ============ ========= ========= ========= =========
    | 0x01 9 Apr 08, 2003 14:10:35 Jun 12, 2016 14:50:31 Apr 08, 2003 14:10:35 0 0 0 00sa master \x02\xEC\x7F\xFA%Kv\x84\x81L<\xE7+\xFB\xFB\x8ECQ\xC2@L\xE7\xD4\x95`\xAA=\xB9\xC5Ry\x06\xE4\x9Eh us_english0 1 0 0 0 1 0 0 0 0 0 0 0 sa
    | 0x0106000000000009010000005FB6DAC7F7DB546D706711B128B5063888B01770 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLResourceSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLResourceSigningCertificate##
    | 0x010600000000000901000000A0B7FCD6F6D5FA771521910A3B71A750568D6275 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLReplicationSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLReplicationSigningCertificate##
    | 0x010600000000000901000000C2FB1C6E4485BB1056EBC85FD2CC2AD081390316 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLAuthenticatorCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLAuthenticatorCertificate##
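    An added example (not from the original post) for turning these scan results into a finding list: it parses nmap's -oX XML output for the ms-sql-empty-password and ms-sql-info scripts above and reports which hosts accepted a blank sa password. The XML below is a constructed sample in nmap's layout, not real scan data.

```python
"""Triage nmap -oX output from the ms-sql-* NSE scripts used above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout (not real scan data); the script
# output strings copy the line format the ms-sql-* scripts print above.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.200.11.11" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="1433"><state state="open"/>
   <script id="ms-sql-empty-password"
    output="&#xa;  [192.200.11.11:1433]&#xa;    sa:&lt;empty&gt; =&gt; Login Success"/>
  </port></ports>
  <hostscript><script id="ms-sql-info"
    output="&#xa;  192.200.11.11:1433:&#xa;    Version:&#xa;      name: Microsoft SQL Server 2012 SP1+&#xa;    TCP port: 1433"/>
  </hostscript>
 </host>
 <host><address addr="192.200.11.12" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="1433"><state state="open"/>
   <script id="ms-sql-empty-password"
    output="&#xa;  [192.200.11.12:1433]&#xa;    sa:&lt;empty&gt; =&gt; Login Failed"/>
  </port></ports>
 </host>
</nmaprun>
"""

def triage(xml_text):
    """Map each scanned IP to {'empty_sa': bool, 'version': str or None}."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        rec = {"empty_sa": False, "version": None}
        # Port scripts sit under <port>, host scripts under <hostscript>;
        # iter() walks both.
        for script in host.iter("script"):
            out, sid = script.get("output", ""), script.get("id")
            if sid == "ms-sql-empty-password":
                # The script prints "sa:<empty> => Login Success" when the
                # sa login accepts a blank password.
                rec["empty_sa"] = "=> Login Success" in out
            elif sid == "ms-sql-info":
                m = re.search(r"^\s*name:\s*(.+?)\s*$", out, re.M)
                if m:
                    rec["version"] = m.group(1)
        findings[ip] = rec
    return findings

def hosts_with_empty_sa(findings):
    """IPs where sa logged in with no password: fix these first."""
    return sorted(ip for ip, rec in findings.items() if rec["empty_sa"])
```

    Run a real scan with `-oX scan.xml` and feed the file contents to triage(); hosts listed by hosts_with_empty_sa() need the sa login disabled or given a strong password before anything else on this page is worth checking.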

     
  • Anıl Akduygu 11:05 on 12 June 2016

    Oracle TNS-poison attack 

    The TNS Poison attack is a type of man-in-the-middle attack. With it an attacker can hijack a session and send SQL commands to the database through that session. If the user of the hijacked session holds critical privileges (such as DBA roles), the attacker can manipulate the Oracle database completely.

     

    In this note I will show you how to check whether an Oracle database has this vulnerability, and the solution for Oracle databases at version 11.2.

     

    With nmap (on Kali) we can check for the TNS Poison attack using the oracle-tns-poison.nse script. This script is not included in the standard distribution, so we add it to the nmap environment and, after updating nmap's script database, we can use it.

    First, get the oracle-tns-poison.nse script from this link:

    https://gist.github.com/JukArkadiy/3d6cff222d1b87e963e7

    Nmap is a free and open source (license) utility for network discovery and security auditing; that is why you can get all the source from GitHub.

    Get the script and put it in a file called oracle-tns-poison.nse in the /usr/share/nmap directory.

    Then update nmap's script database so it picks up the new script (nmap --script-updatedb).

    Now we are ready to use the oracle-tns-poison.nse script.

    But first I will show you the target database, which has this vulnerability. It is an Oracle 11.2.0.4 database; in a standard installation every database has this vulnerability, and the solution is to change the listener configuration.

    The initial configuration of the listener is given below.

    [screenshot: initial listener.ora configuration]

    Now check the vulnerability with this command:

    nmap --script=oracle-tns-poison.nse -p 1521 192.200.11.9

    As you can see, this host has the vulnerability.

    [screenshot: nmap output reporting the listener as vulnerable]

    The solution is to use Valid Node Checking for Registration on all listeners (Metalink Doc ID 1600630.1).

    Simply add this parameter for all listeners (we have only one listener):

    VALID_NODE_CHECKING_REGISTRATION_LISTENER=on

    And restart the listener:

    lsnrctl stop

    lsnrctl start

    Now check the vulnerability again.

    [screenshot: nmap output after the change]

    It is done; the listener is no longer vulnerable.

     

    If there were a SCAN listener as well, we would use the configuration below:

    VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
    REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)
    VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
    REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)

     

    Oracle 12c databases do not have the TNS poison vulnerability. That is why we always advise DBAs to upgrade their databases for the sake of security.

    I will run the same test against an Oracle 12c database without any configuration change:

    [screenshot: Oracle 12c database version]

    And its listener.ora file:

    [screenshot: listener.ora of the 12c database]

    Check the vulnerability against this database:

    nmap --script=oracle-tns-poison.nse -p 1521 192.200.11.7

    [screenshot: nmap output for the 12c listener]

    As you can see, Oracle 12c is not vulnerable.

    Simply put: if you have an Oracle 11g database or below, you have the TNS poison vulnerability from the beginning. To protect your database, use Valid Node Checking for Registration on Oracle 11g.

    If your version is Oracle 10g the solution is different and very complicated; I do not want to describe it here. Do not stay on Oracle 10g; the solution is to upgrade your database to 11g.

    If you have Oracle 12c, you have nothing to do. You are secure against the TNS poison attack from the beginning.
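    An added example (not from the original post): a small checker that reads a listener.ora and reports every listener that lacks the VALID_NODE_CHECKING_REGISTRATION_<name> setting applied above, which also covers the SCAN listener case, and prints the lines still to be added. The listener.ora text, host names and listener names are constructed for the example.

```python
"""Audit a listener.ora for the VNCR setting this post applies against TNS poison."""
import re

# Constructed listener.ora (assumed names, not a real file): the default
# listener has the fix, the SCAN listener is left at the vulnerable default.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db11)(PORT = 1521)))
  )
LISTENER_SCAN1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = scan1)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER = on
"""

def parse_top_level(text):
    """{KEY: value} for each top-level 'KEY = value'; parenthesised values span lines."""
    entries, key, buf, depth = {}, None, [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if depth == 0 and m:
            key, buf = m.group(1).upper(), [m.group(2)]
        elif key:
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0 and key and "".join(buf).strip():
            entries[key] = " ".join(buf).strip()
            key, buf = None, []
    return entries

def vncr_report(text):
    """Listener name -> True if VALID_NODE_CHECKING_REGISTRATION_<name> is set,
    False when it is missing or off/0 (remote registration still accepted)."""
    entries = parse_top_level(text)
    report = {}
    for name, value in entries.items():
        if re.search(r"\(\s*ADDRESS\b", value, re.I):  # only listener definitions
            setting = entries.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "off")
            report[name] = setting.lower() not in ("off", "0")
    return report

def missing_lines(text):
    """listener.ora lines to append for every unprotected listener."""
    return ["VALID_NODE_CHECKING_REGISTRATION_%s=on" % n
            for n, ok in sorted(vncr_report(text).items()) if not ok]
```

    After appending the reported lines, restart the listener with lsnrctl as shown above and re-run the nmap check; for SCAN listeners the post's REGISTRATION_INVITED_NODES_<name> list still has to be added by hand.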

    Thanks.

    Anıl Akduygu