Re: Pentesting on databases?



Hey stayp0s,

here are a few things you may want to test:

1. SA accounts with blank passwords
2. Unauthorized user accounts that can access the DB. For MSSQL,
sometimes the domain user group gets added to the access list.
3. SQL injection on the applications that use the database
4. Open shares/applications on the database server
5. Any unpatched vulnerabilities (nmap can display service pack level I believe)

For the first two, you can use Metasploit modules. For MSSQL, the
auxiliary/admin/mssql/mssql_enum module has given me good information,
except the publicly available stored procedures returned a few false
positives (the stored procedures didn't exist, but the module said they
could be run).

If you find valid credentials, you can use a program to test
connectivity to the database and see if you can read/modify/insert
data, views or edit functions. I use Navicat, but the free version
stopped being offered. There should be similar tools out there.


Hope this helps,
Eric Schultz
Blue Canopy


On 3/21/12, stayp0s <stayp0s.sec@xxxxxxxxx> wrote:
Hi list,

I'm planning to do pen testing to ensure running databases (mysql,
postgreSQL, and so on) are secure.
Does anyone have useful reference guidelines about that?

Thank you!

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
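
Added example, not part of the original post: items 1 and 2 of the checklist above can also be checked from the DBA side with a read-only T-SQL audit run on the instance itself. It assumes SQL Server 2008 or later and a login with CONTROL SERVER (needed to read password hashes); column aliases are illustrative.

```sql
-- Added example: read-only audit queries for checklist items 1 and 2.
-- Run as a sysadmin on the instance under assessment.

-- Item 1: SQL logins (sa included) whose password is blank.
-- PWDCOMPARE hashes the candidate with the stored salt and compares.
SELECT name              AS login_name,
       is_disabled,
       is_policy_checked -- 0 = Windows password policy not enforced
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Item 2a: Windows groups that have a server-level login, with any
-- fixed server role they hold. A broad group such as a domain users
-- group appearing here means every member can connect.
SELECT sp.name  AS windows_group,
       sp.is_disabled,
       r.name   AS server_role      -- NULL = no server role membership
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE sp.type = 'G'                 -- G = Windows group
ORDER BY sp.name;

-- Item 2b: the same check inside the current database: Windows groups
-- mapped to a database user, with their database role memberships.
SELECT dp.name  AS windows_group,
       r.name   AS database_role    -- NULL = no role membership
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.type = 'G'
ORDER BY dp.name;
```

Any row from the first query is a finding; rows from the other two need review against the list of groups that are supposed to have access.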


