RE: Pentesting on databases?

["Ziots, Edward" <EZiots () Lifespan org>]

Good tools are found in the Backtrack sqlmap, sqlbrute, and what Eric
has already detailed below. I second the Metasploit modules, I have
found the same, but a lot SQL instances can be toppled with SA and weak
passwords, if you get that its game over, enable XP_cmdshell, own the
box, and harvest credentials, and use those to jump throughout the
domain or system, because I bet they used the same credentials on each
of the SQL instances. (IMHO in most cases)


Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
eziots () lifespan org


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Eric Schultz
Sent: Wednesday, March 21, 2012 11:01 AM
To: stayp0s
Cc: pen-test () securityfocus com
Subject: Re: Pentesting on databases?

Hey stayp0s,

here are a few things you may want to test:

1.SA accounts with blank passwords
2.Unauthorized user accounts that can access the DB. For MSSQL,
sometimes the domain user group gets added to the access list.
3.SQL injection on the applications that use the database 4.Open
shares/applications on the database server 5. Any unpatched
vulnerabilties (nmap can display service pack level I believe)

For the first two, you can use metasploit modules. for MSSQL, the
auxillary/admin/mssql/mssql_enum module has given me good information,
excpet the publically availible stored procedures returned a few false
positives (the stored procedures didnt exist, but the module said they
could be run).

If you find valid credentials, you can use a program to test
conenctivity to the database and see if you can read/modify/insert data,
views or edit functions. I use Navicat, but the free version stopped
being offered. There should be similar tools out there.


Hope this helps,
Eric Schultz
Blue Canopy


On 3/21/12, stayp0s <stayp0s.sec () gmail com> wrote:
> Hi list,
>
> I'm planning do a pen testing to ensure running databases(mysql, 
> postgreSQL, and so on) are secure.
> Anyone has useful reference guidelines about that?
>
> Thank you!
>
> ----------------------------------------------------------------------
> -- This list is sponsored by: Information Assurance Certification 
> Review Board
>
> Prove to peers and potential employers without a doubt that you can 
> actually do a proper penetration test. IACRB CPT and CEPT certs 
> require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------