ECSA/LPT
EC-Council Module XXX
Database Penetration Testing
Nov 08, 2014
Penetration Testing Roadmap
Start Here
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
IDS Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
Password Cracking Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Application Penetration Testing
Cont’d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont’d)
Cont’d
Physical Security Penetration Testing
Database Penetration Testing
VoIP Penetration Testing
Virus and Trojan Detection
War Dialing
VPN Penetration Testing
Log Management Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device Penetration Testing
Telecommunication And Broadband Communication Penetration Testing
Email Security Penetration Testing
Security Patches Penetration Testing
Data Leakage Penetration Testing
End Here
List of Steps
1. Scan for default ports used by the database
2. Scan for non-default ports used by the database
3. Identify the instance names used by the database
4. Identify the version numbers used by the database
5. Attempt to brute force password hashes from the database
6. Sniff database related traffic on the local wire
List of Steps (cont’d)
7. Microsoft SQL Server testing:
• 7.1. Test for direct access interrogation
• 7.2. Scan for Microsoft SQL Server ports (TCP/UDP 1433)
• 7.3. Test for SQL Server Resolution Service (SSRS)
• 7.4. Test for buffer overflow in pwdencrypt() function
• 7.5. Test for heap/stack buffer overflow in SSRS
• 7.6. Test for buffer overflows in extended stored procedures
• 7.7. Test for service account registry key
• 7.8. Test the stored procedure to run web tasks
• 7.9. Exploit SQL injection attack
• 7.10. Blind SQL injection
• 7.11. Google hacks
• 7.12. Attempt direct-exploit attacks
• 7.13. Try to retrieve server account list
• 7.14. Using OSQL, test for default/common passwords
• 7.15. Try to retrieve sysxlogins table
• 7.16. Brute-force SA account
List of Steps (cont’d)
8. Oracle server testing:
• 8.1. Port scan UDP/TCP ports (TCP/UDP 1433)
• 8.2. Check the status of TNS listener running at Oracle server
• 8.3. Try to login using default account passwords
• 8.4. Try to enumerate SIDs
• 8.5. Use SQL*Plus to enumerate system tables
9. MySQL server database testing:
• 9.1. Port scan UDP/TCP ports (TCP/UDP)
• 9.2. Extract the version of database being used
• 9.3. Try to login using default/common passwords
• 9.4. Brute-force accounts using dictionary attack
• 9.5. Extract system and user tables from the database
Step 1: Scan for Default Ports Used by the Database
Use port scanning tools such as Nmap to scan for the ports used by the database.
Following are the default ports used for different products like Oracle Database or Oracle Application Server:
Step 1: Scan for Default Ports Used by the Database (cont’d)
Step 2: Scan for Non-Default Ports Used by the Database
Following are some other ports used by Oracle:

Service                  Port   Notes
sql*net                  66     Oracle SQL*NET
SQL*Net 1                1525   Registered as orasrv
tlisrv                   1527   -
hcoauthor                1529   -
Oracle Remote Data Base  1571   rdb-dbs-disp
oracle-em1               1748   -
oracle-em2               1754   -
Oracle-VP2               1808   -
Oracle-VP1               1809   -

Step 2: Scan for Non-Default Ports Used by the Database (cont’d)

Service                  Port   Notes
oracle?                  2005   Registered as "berknet" for 2005 TCP, oracle for 2005 UDP
Oracle GIOP              2481   giop
Oracle GIOP SSL          2482   giop-ssl
Oracle TTC               2483   ttc. Oracle may use this port to replace 1521 in future
Oracle TTC SSL           2484   ttc-ssl
OEM Agent                3872   oem-agent
Oracle RTC-PM port       3891   rtc-pm-port
Oracle dbControl Agent   3938   dbcontrol_agent
Step 3: Identify the Instance Names Used by the Database
Specify a unique name while configuring an instance of Notification Services.
The instance name is used to identify instance database objects.
Instance resources are located by Notification Services using the instance name.
The instance name must be kept short and based on unchanging entities.
The database supports multiple instances, but only one instance can be the default instance.
Instance name criteria:
• Same version
• Same edition
• Same language
• Same clustered state
Run WinSID to find instances of the Oracle database.
Step 4: Identify the Version Numbers Used by the Database
To check the version information, for example for the Oracle database, simply connect and login to the Oracle database with SQL*Plus. After login, you will see:
• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005
Oracle Universal Installer checks for Oracle version information.
Examples: Oracle8i, 9i, 10g, 11i
Step 4: Identify the Version Numbers Used by the Database (cont’d)
Step 5: Attempt to Brute-Force Password Hashes from the Database
Use tools such as Orabf to brute force password hashes.
Orabf is a brute force/dictionary tool for Oracle hashes.
Step 6: Sniff Database Related Traffic on the Local Wire
Sniffing determines the number of database connections.
Use packet sniffing tools to sniff data packets from the network.
Step 7: Microsoft SQL Server Testing
Test for direct access interrogation
Scan for Microsoft SQL Server ports (TCP/UDP 1433)
Test for SQL Server Resolution Service (SSRS)
Using OSQL, test for default/common passwords
Try to retrieve Sysxlogins table
Brute-force SA account
Step 7.1: Test for Direct Access Interrogation
Direct or ad hoc access enables users to directly access the underlying data structures.
Write special queries using asterisks (*) to directly interrogate the database.
Step 7.2: Scan for Microsoft SQL Server Ports (TCP/UDP 1433)
Port 1433: Microsoft's SQL Server, including the desktop editions that are often silently installed with other Microsoft applications, opens and services queries delivered over incoming TCP connections through this port.
Use a port scanning tool to scan port 1433 for Microsoft SQL Server services.
Step 7.3: Test for SQL Server Resolution Service (SSRS)
SSRS is used to provide referral services for multiple server instances running on the same machine.
Scan UDP port 1434 for SQL Server Resolution Service (SSRS).
Alternately, ping UDP port 1434 from another SQL Server; a reply confirms SSRS.
Step 7.3: Test for SQL Server Resolution Service (SSRS) (cont’d)
Check for hidden database instances and probe deeper into the system using the command:
sqlping3cl.exe -scantype [range, list, stealth] -StartIP [IP] -EndIP [IP] -IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]
Run the SQLPing v2.5 tool to look for SQL Server systems and find their version numbers.
Step 7.4: Test for Buffer Overflow in pwdencrypt() Function
The pwdencrypt() function compares the user-supplied password with the stored password while logging in.
A buffer overflow in the pwdencrypt() function gives an intruder a chance to run arbitrary code in the SQL Server by sending a crafted password value.
Check the unchecked buffer in the password encryption procedure and the bulk insert procedure.
Check for incorrect permissions on the SQL Server service account registry key.
Step 7.5: Test for Heap/Stack Buffer Overflow in SSRS
Run arbitrary code by sending a crafted request to port 1434/udp.
Scan UDP port 1434 at the firewall.
Step 7.6: Test for Buffer Overflows in Extended Stored Procedures
Check the extended stored procedures that cause stack buffer overflow.
Check the publicly accessible database queries and filter them before processing.
Try to load and execute a database query that calls one of the affected functions.
Run arbitrary code with the escalated privileges of the SQL service account.
Step 7.7: Test for Service Account Registry Key
Alter the SQL service account registry key via the "xp_regwrite" extended stored procedure.
Pretend to be an administrator to escalate privileges, which allows weakening the security policy of SQL Server.
This allows the attacker to run any query or command with the rights of the operating system.
Step 7.8: Test the Stored Procedure to Run Web Tasks
Log into a SQL Server.
Run the stored procedure for web tasks.
Attempt to delete, update, or insert new web tasks in order to escalate privileges.
Step 7.9: Exploit SQL Injection Attack
An SQL injection attack enables a user to read the details of the database.
Run special queries to gain access to the database, such as:
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
• EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='
Use an automated tool, such as SQL Injector.
Test for SQL Injection Attack
Step 7.10: Blind SQL Injection
A blind SQL injection attack enables an unauthorized user to exploit web applications and back-end SQL servers.
Use the Absinthe tool to exploit the web application.
Step 7.11: Google Hacks
Google searches for SQL Server errors enable unauthorized users to find databases and vulnerabilities in SQL Server.
Check out Google queries at Johnny Long's "Google Hacking Database": http://johnny.ihackstuff.com/index.php?module=prodreviews
Step 7.12: Attempt Direct-Exploit Attacks
Direct-exploit attacks allow users to perform code injection and gain unauthorized command line access.
Use the Metasploit tool for direct-exploit attacks.
Step 7.13: Try to Retrieve Server Account List
A server account list contains SQL login IDs and data of the connected servers.
Use the following command to access the account list:
Step 7.13: Try to Retrieve Server Account List (cont’d)
When the user manages to access the account list, it will show the output.
Step 7.14: Using OSQL, Test for Default/Common Passwords
The osql utility is a Microsoft Win32 command prompt utility for ad hoc, interactive execution of Transact-SQL statements and scripts.
The osql utility is typically used in these ways:
• Users interactively enter Transact-SQL statements in a manner similar to working at the command prompt. The results are displayed in the command prompt window.
• Users submit an osql job either specifying a single Transact-SQL statement to execute or pointing the utility to a text file that contains Transact-SQL statements to execute.
Step 7.15: Try to Retrieve Sysxlogins Table
Access information for a SQL Server is stored in the sysxlogins system table.
The sysxlogins system table stores qualified user and group names.
The sysxlogins table is queried first to retrieve the login name and SID of a user using the SUSER_SNAME() and SUSER_SID() functions.
If the sysxlogins table does not match the requested username or SID, then the Windows Local Security Authority (LSA) is queried for the information.
Try to Retrieve Sysxlogins Table Views
The sysxlogins system table resides only in the master database, contains information regarding user logins, and can only be accessed through the following views:
• Syslogins: SQL Server login information is provided by interpreting the "status" column
• Sysremotelogins: Each remote user is allocated one row in the table to call remote stored procedures on the SQL Server
• Sysoledbusers: Allocates one row each for user and password mapping
sp_addlogin: The system stored procedure to create a new login account in the sysxlogins system table
SQL Server System Tables
Step 7.16: Brute-force SA Account
SA is a built-in database administrator login.
A brute-force attack tries every possible combination of characters as the password until the correct password is found.
Use password cracking tools such as THC Hydra to brute-force the SA login password.
Step 8: Oracle Server Testing
Port scan UDP/TCP ports (TCP/UDP 1433)
Check the status of TNS listener running at Oracle server
Try to login using default account passwords
Try to enumerate SIDs
Use SQL*Plus to enumerate system tables
Port Scanning Basic Techniques
The basic port scan tries to find out which ports are open or available to probe.
TCP connect(): The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed.
Strobe: A strobe does a narrower scan, only looking for those services the attacker knows how to exploit.
Port Scanning Advanced Techniques
Fragmented packet port scan
SYN scan
FIN scan
Bounce scan
Finger
UDP scanning
ICMP scan
Fingerprinting an OS
Step 8.1: Port Scan UDP/TCP Ports (TCP/UDP 1433)
Use a port scanning tool such as Nmap to scan for port 1433.
Step 8.2: Check the Status of TNS Listener Running at Oracle Server
The TNS Listener process is an independent process that connects to the database and resides in the software layer of both client and server.
The TNS Listener establishes connections between the Oracle server and a client application, allowing valid users who have permissions to control the database and OS to execute arbitrary code.
To find the TNS Listener, use port scanners like Nmap and amap.
If the Listener is not password protected, use the following command to get the SID:
• tnscmd10g.pl status -h <ip-address>
Step 8.2: Check the Status of TNS Listener Running at Oracle Server (cont’d)
The Oracle TNS Listener is the lynchpin between a user/web server offering connection and the back-end database.
Files that control the listener are:
• $ORACLE_HOME/bin/lsnrctl - The actual Listener control program.
• $ORACLE_HOME/network/admin/listener.ora - The actual TNS Listener config file.
• $ORACLE_HOME/bin/tnslsnr - The actual listening process.
Oracle TNS Listener: Screenshot
Finding the TNS Listener
Listener Modes
The Listener can be configured in one of three modes:
• Database: Provides network access to an Oracle database instance
• PLSExtProc: Method for PL/SQL packages to access operating system executables
• Executable: Provides network access to operating system executables
Step 8.3: Try to Login Using Default Account Passwords
Step 8.4: Try to Enumerate SIDs
Use the Oracle Password Guesser (opwg) utility of Oracle Auditing Tools (OAT) to enumerate a SID/multiple SIDs for default usernames and passwords.
Step 8.5: Use SQL*Plus to Enumerate System Tables
SQL*Plus runs .sql scripts against Oracle.
Run WinSID or a similar tool to look for the service name.
Ex: SERVICE_NAME=test.domain
To establish a connection to the remote database, go to the command prompt and type:
• sqlplus user/[email protected]
Now from SQL> run @c:\sql\sql (the script is located at c:\sql and is called sql.sql).
SQL*Plus: Screenshot
Step 9: MySQL Server Database Testing
Port scan UDP/TCP ports (TCP/UDP)
Extract the version of database being used
Try to logon using default/common passwords
Brute force accounts using dictionary attack
Extract system and user tables from the database
Step 9.1: Port Scan UDP/TCP Ports (TCP/UDP)
Use port scanning tools such as Nmap and scan TCP/UDP ports for MySQL Server Database services.
Step 9.2: Extract the Version of Database being Used
SQLver extracts the version by querying the file snetlib.dll without logging into servers.
It uses TCP port 1433.
It just connects to the specified TCP port and starts working.
Execution:
• sqlver <ip_address/hostname> <port_no.>
Step 9.3: Try to Login Using Default/Common Passwords
Try passwords like admin, administrator, sa, password, etc.
Step 9.4: Brute-force Accounts Using Dictionary Attack
A method to break password-based security systems is by testing all common words as possible passwords.
It can be done in two ways:
• Manually.
• By making use of software and a database which contains millions of possible words.
It can be used to:
• Determine the decryption key.
• Probe and break password mechanisms.
Dictionary Attack Tools
Following are some of the dictionary attack tools:
• Cain & Abel
• John the Ripper
• THC Hydra
• Aircrack
• L0phtcrack
• AirSnort
• SolarWinds
• Pwdump
• RainbowCrack
• Brutus
Dictionary Attack Tool: Cain & Abel
Password recovery tool for Microsoft operating systems.
Allows easy recovery of various kinds of passwords by sniffing the network:
• Cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks
• Recording VoIP conversations
• Decoding scrambled passwords
• Recovering wireless network keys
• Revealing password boxes
• Uncovering cached passwords
• Analyzing routing protocols
Its main purpose is simplified recovery of passwords and credentials from various sources.
Cain & Abel: Screenshot 1
Cain & Abel: Screenshot 2
Dictionary Attack Tool: SQLdict
SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.
The use of this tool is simple: specify the IP address being attacked and the user account to go up against, then load an appropriate wordlist to try via the Load Password File button.
Step 9.5: Extract System and User Tables from the Database
User tables contain information such as host, user names, passwords, and the privileges of particular users.
To extract system and user tables, go to User Administration from the database administration panel.
Summary
In this module, we learned:
• How to scan default and non-default ports of databases.
• How to identify instance names and version numbers of database servers.
• How to test Microsoft SQL servers, Oracle servers, and MySQL server databases.
• How to enumerate SIDs and crack login passwords.