Sybase Vulnerability Assessment

 

To carry out a penetration test on a Sybase server, a good starting place would be to utilise hydra to try to password-crack the main sa account. If, however, the Sybase server is set to Integrated Authentication mode, you could be in trouble, as you may have to go after a valid OS user account instead. The following is not everything you can do interactively with a Sybase server, but it's a good start. Further information is available from the Sybase site, or try our old favourite, Google.

 

Note: You require the ‘sso_role’ and ‘sa_role’ roles to carry out the following on the targeted Sybase Application Server. All the commands have been tested on Sybase ASE 15. I have divided the checks into 5 specific areas:

  •   General Security Settings

  •   Database Configuration

  •   User Based Security Settings

  •   Sybase Auditing Settings

  •   Network Security Settings

General Security Settings:

Databases present on target server:

exec sp_helpdb

Another good starting point is to list what other servers the tested Sybase server is able to execute Remote Procedure Calls on:

exec sp_helpserver

Points to note from this are:

  • No net password encryption - i.e. passwords are sent across the network in clear text rather than in the more secure encrypted format.

  • RPC Security Model A - i.e. no security mechanisms (RPC Security Model B provides a plethora of security mechanisms for added security).

What mode of Authentication is being used:

  • Standard - Default, Sybase internal authentication ONLY utilised.

  • Integrated - Reliant on host OS for authentication.

  • Mixed - OS authentication is tried first; if unsuccessful, authentication falls back to Sybase internal mode.

To evaluate the version and some patching information about the targeted server:

You will notice from the above that Emergency Bug Fix (EBF) 12783 has been applied and that you are dealing with a Windows 2000 install of Sybase ASE 15. You may also see Electronic Software Delivery (ESD) or Interim Release (IR) noted in this information.

 

Database Configuration Settings:

 

Sybase ASE Server configuration details can be found by:

exec sp_configure

 

User Based Security Settings:

Enumerating groups on a Server

use DB_Name

exec sp_helpgroup

 

Further enumerating who is a member of which group

use DB_Name

exec sp_helpgroup Group_Name

 

Enumerating whether any roles have NULL passwords assigned to them:

select name from syssrvroles where password is null

Enumerating roles present on the server

select name, password, pwdate, status from syssrvroles

Obtaining more detailed information about the roles of a particular user

exec sp_displayroles User_Name, expand_down

Enumerating user accounts from a database

exec sp_helpuser

Obtaining password hashes for user accounts

select name, password from syslogins

Enumerating login information relating to a particular account

sp_displaylogin sa

You should be able to determine the following details:

  • Account Lockout status

  • Auto login script

  • Default Login Name

  • Default Database

  • Failed Login attempts

  • Maximum Failed login parameter

  • Password change status

  • Password expiry details

  • Password length

  • Roles assigned

Password settings can be obtained by:

exec sp_configure "password expiration interval"

exec sp_configure "check password for digit"

(This setting requires at least one digit in each password - a complexity rule.)

exec sp_configure "minimum password length"

 

You should also ensure default Sybase system passwords are not present on the system. Account details I have found to date may be found here.

 

Sybase Auditing Settings:

Check to see if auditing has been set on the system

exec sp_configure auditing

 

Check to see if failed login attempts are logged by the system

exec sp_configure "log audit logon failure"

As the value set in this example is 0 (the default), failed attempts are not recorded. It should be set to 1.

Check to see if successful login attempts are logged by the system.

exec sp_configure "log audit logon success"

As the value set in this example is 0 (the default), successful attempts are not recorded. It should be set to 1.

Check to see if auditing ceases if the logs become full

exec sp_configure "suspend audit when device full"


Network Security Settings:

You should also check whether Remote Server Access is allowed by Sybase:

use master

exec sp_configure "allow remote access"

 

By default this is set to 1 (allowed). If this is the case, you may want to check all credentials that remote users utilise, to make sure appropriate rules are applied to them.
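As an added example (not from the original page or from Sybase), the following Python script reads captured sp_configure output for the settings checked on this page and reports any that deviate from the expectations stated above. The sample output is constructed, the column layout it assumes (Parameter Name, Default, Memory Used, Config Value, Run Value, Unit, Type) is taken from ASE 15 and may differ elsewhere, and the thresholds of 8 characters and 90 days for the two password settings the page does not quantify are assumptions.

```python
MIN_LEN, MAX_AGE_DAYS = 8, 90  # assumed thresholds; the page names these settings without target values

CHECKS = {  # parameter name -> (test on the Run Value column, finding when the test fails)
    "auditing": (lambda v: v == "1", "auditing is off: no security events recorded"),
    "log audit logon failure": (lambda v: v == "1", "failed logins not recorded (should be 1)"),
    "log audit logon success": (lambda v: v == "1", "successful logins not recorded (should be 1)"),
    "check password for digit": (lambda v: v == "1", "passwords need not contain a digit"),
    "minimum password length": (lambda v: v.isdigit() and int(v) >= MIN_LEN, f"minimum length below {MIN_LEN}"),
    "password expiration interval": (lambda v: v.isdigit() and 0 < int(v) <= MAX_AGE_DAYS,
                                     f"passwords never expire (0) or last longer than {MAX_AGE_DAYS} days"),
    "allow remote access": (lambda v: v == "0", "remote access allowed: review servers listed by sp_helpserver"),
}

# Constructed sample mimicking ASE 15 sp_configure output (one header line, then one row per parameter).
SAMPLE_OUTPUT = """\
 Parameter Name                 Default     Memory Used Config Value Run Value    Unit    Type
 allow remote access                      1           0            1            1 switch  dynamic
 auditing                                 0           0            1            1 switch  dynamic
 check password for digit                 0           0            0            0 switch  dynamic
 log audit logon failure                  0           0            0            0 switch  dynamic
 log audit logon success                  0           0            1            1 switch  dynamic
 minimum password length                  6           0            6            6 bytes   dynamic
 password expiration interval             0           0            0            0 days    dynamic
"""


def parse_run_values(text):
    """Map each known parameter name to its Run Value (the fourth value after the name)."""
    values = {}
    for line in text.splitlines():
        row = line.strip().lower()
        for name in CHECKS:
            if row.startswith(name + " "):
                columns = row[len(name):].split()  # Default, Memory Used, Config Value, Run Value, ...
                if len(columns) >= 4:
                    values[name] = columns[3]
    return values


def evaluate(values):
    """Return (parameter, run value, finding) for each check that fails or is missing from the output."""
    findings = []
    for name, (is_ok, message) in CHECKS.items():
        if name not in values:
            findings.append((name, None, "parameter not present in sp_configure output"))
        elif not is_ok(values[name]):
            findings.append((name, values[name], message))
    return findings
```

Run `evaluate(parse_run_values(text))` over the real output of `exec sp_configure` to get the list of deviations; a parameter absent from the output is reported rather than silently passed.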

 

© VulnerabilityAssessment.co.uk, Thursday May 17, 2007