
ECSA/LPT
Module XXIX
EC-Council
Database Penetration Testing

Step 1: Scan for Default Ports Used by the Database

Use port scanning tools such as Nmap to scan for the ports used by the database

Following are the default ports used for different products like Oracle Database or Oracle Application Server:

Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Step 2: Scan for Non-Default Ports Used by the Database

Following are some other ports used by Oracle:

Service                  Port   Notes
sql*net                  66     Oracle SQL*NET
SQL*Net 1                1525   Registered as orasrv
tlisrv                   1527   -
coauthor                 1529   -
Oracle Remote Data Base  1571   rdb-dbs-disp
oracle-em1               1748   -
oracle-em2               1754   -
Oracle-VP2               1808   -
Oracle-VP1               1809   -

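The defender's counterpart to Steps 1 and 2 is knowing which hosts actually accept connections on these ports and from where. The following Python script is an added example, not code from the EC-Council module: it takes the Oracle ports listed above, adds a few well-known database defaults that the table does not include (1521 for the Oracle TNS listener, 1433 for Microsoft SQL Server as named on a later slide, and 3306 for MySQL), and runs over a constructed firewall log in a hypothetical key=value format to count allowed database connections per server (the per-connection count that Step 6 obtains by sniffing) and to flag connections that originate outside an approved subnet. The log lines, the log format and the approved subnet are assumptions made for illustration.

```python
# Added example (not from the EC-Council module): flag firewall-log connections
# that reach database ports from outside an approved subnet, using the Oracle
# ports listed on the slide plus a few well-known database defaults.
import ipaddress
import re
from collections import Counter

# Ports 66, 1525, 1527, 1529, 1571, 1748, 1754, 1808 and 1809 come from the
# slide's table. 1521 (Oracle TNS listener), 1433 (Microsoft SQL Server) and
# 3306 (MySQL) are well-known defaults added here, not taken from the table.
DB_PORTS = {
    66: "Oracle SQL*NET",
    1521: "Oracle TNS listener",
    1525: "Oracle orasrv",
    1527: "tlisrv",
    1529: "coauthor",
    1571: "rdb-dbs-disp",
    1748: "oracle-em1",
    1754: "oracle-em2",
    1808: "Oracle-VP2",
    1809: "Oracle-VP1",
    1433: "Microsoft SQL Server",
    3306: "MySQL",
}

# Hypothetical key=value firewall log format, assumed for this example.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample log: two internal clients, two external addresses.
SAMPLE_LOG = """\
src=10.1.2.30 dst=10.1.5.10 proto=tcp dport=1521 action=ALLOW
src=10.1.2.31 dst=10.1.5.10 proto=tcp dport=1521 action=ALLOW
src=203.0.113.9 dst=10.1.5.10 proto=tcp dport=1521 action=ALLOW
src=203.0.113.9 dst=10.1.5.11 proto=tcp dport=1433 action=ALLOW
src=203.0.113.9 dst=10.1.5.11 proto=tcp dport=1433 action=DENY
src=10.1.2.30 dst=10.1.5.11 proto=tcp dport=443 action=ALLOW
src=198.51.100.7 dst=10.1.5.12 proto=tcp dport=1809 action=ALLOW
"""


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def db_connection_counts(text):
    """Count allowed connections per (server, port) for database ports only."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "ALLOW" and rec["dport"] in DB_PORTS:
            counts[(rec["dst"], rec["dport"])] += 1
    return counts


def find_external_db_access(text, allowed_nets):
    """Return (src, dst, port, service) for allowed database connections whose
    source address is outside every network in allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for rec in parse_log(text):
        if rec["action"] != "ALLOW" or rec["dport"] not in DB_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in nets):
            findings.append((rec["src"], rec["dst"], rec["dport"], DB_PORTS[rec["dport"]]))
    return findings


if __name__ == "__main__":
    # Assumed approved client subnet for this example.
    for key, n in sorted(db_connection_counts(SAMPLE_LOG).items()):
        print(f"{key[0]}:{key[1]} ({DB_PORTS[key[1]]}): {n} allowed connection(s)")
    for src, dst, port, svc in find_external_db_access(SAMPLE_LOG, ["10.1.0.0/16"]):
        print(f"EXTERNAL ACCESS: {src} -> {dst}:{port} ({svc})")
```

Denied connections are deliberately excluded from both counts so that the report shows exposure that actually succeeded; a separate count of denies per external source is the natural next field to add.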
Step 3: Identify the Instance Names Used by the Database

Specify a unique name while configuring an instance of Notification Services

The instance name is used to identify instance database objects

Instance resources are located by Notification Services using the instance name

The instance name must be kept short and based on unchanging entities

The database supports multiple instances, but only one instance can be the default instance

Instance name criteria:

• Same version
• Same edition
• Same language
• Same clustered state

Run WinSID to find instances of Oracle database


Step 4: Identify the Version Numbers Used by the Database

To check the version information of, for example, the Oracle database, simply connect and log in to the Oracle database with SQL*Plus. After login, you will see:

• SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005

Oracle Universal Installer check for Oracle version information

Examples: Oracle8i, 9i, 10g, 11i…
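When the banners collected in this step are compared against a patch baseline, the comparison has to be numeric: as strings, "9.2.0.6.0" sorts after "10.2.0.1.0". The following Python snippet is an added example, not code from the module: it extracts the release number from banner lines such as the SQL*Plus line quoted above and compares it against an assumed minimum release. The banners other than the quoted SQL*Plus line, and the baseline itself, are constructed for illustration.

```python
# Added example (not from the EC-Council module): parse the release number out
# of database banner lines and compare it numerically against a baseline.
import re

# Constructed banners. The first is the SQL*Plus line quoted on the slide; the
# others are illustrative and not captured from any real system.
BANNERS = [
    "SQL*Plus: Release 9.2.0.6.0 - Production on Tue Oct 18 17:58:57 2005",
    "Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production",
    "Oracle Database 11g Release 11.2.0.4.0 - 64bit Production",
    "banner with no release number",
]

RELEASE_RE = re.compile(r"Release\s+(\d+(?:\.\d+)+)")


def parse_release(banner):
    """Return the release as a tuple of ints, e.g. (9, 2, 0, 6, 0), or None."""
    m = RELEASE_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_below(release, baseline):
    """Numeric, right-padded comparison so (10, 2) and (10, 2, 0, 0, 0) agree.
    Returns None when the release could not be parsed."""
    if release is None:
        return None
    width = max(len(release), len(baseline))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(release) < pad(baseline)


def audit_banners(banners, baseline):
    """Return (banner, release_tuple, below_baseline) for every banner."""
    return [(b, parse_release(b), is_below(parse_release(b), baseline)) for b in banners]


if __name__ == "__main__":
    # Assumed baseline for this example; a real one comes from the patch policy.
    for banner, release, below in audit_banners(BANNERS, (10, 2)):
        status = "unparsed" if below is None else ("BELOW baseline" if below else "ok")
        print(f"{status:15} {release} <- {banner}")
```

Banners that do not parse are reported as a separate state rather than silently treated as compliant, so a changed banner format shows up in the report instead of hiding an old release.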
Step 5: Attempt to Brute-force Password Hashes from the Database

Use tools such as Orabf to brute-force password hashes

Orabf is a brute-force/dictionary tool for Oracle hashes

Step 6: Sniff Database Related Traffic on the Local Wire

Sniffing determines the number of database connections

Use packet sniffing tools such as to sniff data packets from a network
Step 7: Microsoft SQL Server Testing

Test for direct access interrogation

Scan for Microsoft SQL Server ports (TCP/UDP 1433)

Test for SQL Server Resolution Service (SSRS)

Using OSQL, test for default/common passwords

Try to retrieve the Sysxlogins table

Brute-force the SA account

Step 8: Oracle Server Testing

Port scan UDP/TCP ports (TCP/UDP 1433)

Check the status of the TNS listener running at the Oracle server

Try to log in using default account passwords

Try to enumerate SIDs

Use SQL*Plus to enumerate system tables
Step 9: MySQL Server Database Testing

Port scan UDP/TCP ports (TCP/UDP)

Extract the version of the database being used

Try to log on using default/common passwords

Brute-force accounts using a dictionary attack

Extract system and user tables from the database

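Steps 7, 8 and 9 all include guessing default or common passwords and dictionary attacks against named accounts; on the server those attempts leave a run of failed logins from one client in a short time. The following Python script is an added example, not code from the EC-Council module: it parses constructed lines written in the style of the SQL Server error log (the exact wording of a real ERRORLOG may differ, so the format is an assumption) and raises one alert per (client, login) pair once the failures inside a sliding time window reach a threshold. MySQL's "Access denied for user" lines would need a different regular expression but the same windowing logic.

```python
# Added example (not from the EC-Council module): detect password guessing
# against a database login from a run of failed-login log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of the SQL Server error log; not a real
# capture. Five quick failures for 'sa' from one external address, then two
# failures half an hour apart for a service account followed by a success.
SAMPLE_ERRORLOG = """\
2005-10-18 17:58:57.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2005-10-18 17:58:57.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2005-10-18 17:58:57.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2005-10-18 17:58:58.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2005-10-18 17:58:58.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2005-10-18 17:59:10.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.30]
2005-10-18 18:30:00.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.30]
2005-10-18 18:30:01.00 Logon       Login succeeded for user 'reportsvc'. Connection made using SQL Server authentication. [CLIENT: 10.1.2.30]
"""

# Assumed line layout: timestamp, "Logon" source column, message, client tag.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, client, user) for every failed-login line, in order."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("client"), m.group("user")


def detect_guessing(text, threshold=5, window_seconds=60):
    """Return (client, user, first_ts, last_ts, count) for each (client, user)
    pair whose failures within a sliding window reach the threshold. Each pair
    is reported once, at the moment the threshold is first crossed."""
    recent = defaultdict(deque)   # (client, user) -> timestamps in the window
    alerted = set()
    alerts = []
    for ts, client, user in parse_failures(text):
        key = (client, user)
        window = recent[key]
        window.append(ts)
        # Drop failures that fell out of the window relative to this one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((client, user, window[0], ts, len(window)))
    return alerts


if __name__ == "__main__":
    for client, user, first, last, count in detect_guessing(SAMPLE_ERRORLOG):
        print(f"ALERT {count} failed logins for '{user}' from {client} "
              f"between {first.time()} and {last.time()}")
```

The two slow failures for the service account stay below the threshold because the window is evaluated per pair and old entries expire, which keeps a mistyped service password from looking like an attack; lowering the threshold for privileged logins such as sa is a reasonable refinement.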
Dictionary Attack Tools

Following are some of the dictionary attack tools:

• Cain & Abel
• John the Ripper
• THC Hydra
• Aircrack
• L0phtcrack
• AirSnort
• SolarWinds
• Pwdump
• RainbowCrack
• Brutus

Dictionary Attack Tool: Cain & Abel

Password recovery tool for Microsoft Operating Systems

Allows easy recovery of various kinds of passwords by:
• Sniffing the network
• Cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks
• Recording VoIP conversations
• Decoding scrambled passwords
• Recovering wireless network keys
• Revealing password boxes
• Uncovering cached passwords
• Analyzing routing protocols

Its main purpose is simplified recovery of passwords and credentials from various sources

Dictionary Attack Tool: SQLdict

SQLdict is a basic single-IP brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account

The use of this tool is simple: specify the IP address to attack and the user account to try against, then load an appropriate wordlist via the Load Password File button

Recap

In this module we learnt:

How to scan Default and Non-Default ports of the Database

How to identify Instance names and Version numbers of database servers

How to test Microsoft SQL Server, Oracle Server, and MySQL Server Database

How to enumerate SIDs and crack login passwords


