Pen Testing Framework:
Sybase Vulnerability Assessment
To carry out a penetration test on a Sybase server, a good starting place is to use hydra to try to crack the password of the main sa account. If, however, the Sybase server is set to Integrated Authentication mode, you could be in trouble, as you may have to go after a valid OS user account instead. The following is not everything you can do interactively with a Sybase server, but it's a good start. Further information is available from the Sybase site, or try our old favourite, Google.
Note: You require the ‘sso_role’ and ‘sa_role’ roles to carry out the following on the targeted Sybase Application Server. All the commands have been tested on Sybase ASE 15. I have divided the checks into 5 specific areas:
General Security Settings:
Databases present on target server:
Another good starting point is to list what other servers the tested Sybase server is able to execute Remote Procedure Calls on:
Points to note from this are:
No net password encryption, i.e. passwords are sent across the network in clear text rather than in the more secure encrypted format.
RPC Security Model A, i.e. no security mechanisms (RPC Security Model B provides a range of security mechanisms for added protection).
What mode of Authentication is being used:
To evaluate the version and some patching information about the targeted server:
You will notice from the above that Emergency Bug Fix (EBF) 12783 has been applied and that you are dealing with a Windows 2000 install of Sybase ASE 15. You may also see Electronic Software Delivery (ESD) or Interim Release (IR) noted in this information.
Database Configuration Settings:
Sybase ASE Server configuration details can be found by:
User Based Security Settings:
Enumerating groups on a Server
Further enumerating who is a member of which group
exec sp_helpgroup Group_Name
Enumerating whether any roles have a "Null" password assigned to them (using "is null" gives the same result whether or not ansinull is set):
select name from syssrvroles where password is null
Enumerating roles present on the server
select name, password, pwdate, status from syssrvroles
Obtaining more detailed information about the roles of a particular user
exec sp_displayroles User_Name, expand_down
Enumerating user accounts from a database
Obtaining password hashes for user accounts
select name, password from syslogins
Enumerating login information relating to a particular account
You should be able to determine the following details:
Password settings can be obtained by:
exec sp_configure "password expiration interval"
exec sp_configure "check password for digit"
This setting enforces at least one digit in passwords (a complexity rule).
exec sp_configure "minimum password length"
You should also ensure default Sybase system passwords are not present on the system. Account details I have found to date may be found here.
Sybase Auditing Settings:
Check to see if auditing has been set on the system
exec sp_configure auditing
Check to see if failed login attempts are logged by the system
exec sp_configure "log audit logon failure"
As the value set in this example is 0 (the default), failed attempts are not recorded. It should be set to 1.
Check to see if successful login attempts are logged by the system.
exec sp_configure "log audit logon success"
As the value set in this example is 0 (the default), successful attempts are not recorded. It should be set to 1.
Check to see if auditing ceases if the logs become full
exec sp_configure "suspend audit when device full"
You should also check whether Remote Server Access is allowed by Sybase:
exec sp_configure "allow remote access"
By default this is set to 1 (allowed). If this is the case, you may want to check all credentials that remote users utilise to make sure appropriate rules are applied to them.
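The password and auditing checks above can be collected into a single result set instead of running sp_configure once per parameter. The following is an added example, not code from the original article: it assumes master..sysconfigures (name, config, value = configured value) and master..syscurconfigs (config, value = run value), the tables sp_configure itself reads, and the acceptable ranges in #expected are this example's own.

```sql
/* Added example, not part of the original article.
   Assumes master..sysconfigures holds the configured value and
   master..syscurconfigs the run value, keyed by the shared
   'config' number; the acceptable ranges below are this
   example's own, taken from the checks described above. */
create table #expected (
    param  varchar(80)  not null,
    lo     int          not null,   -- lowest acceptable run value
    hi     int          not null,   -- highest acceptable run value
    note   varchar(120) not null
)

insert into #expected values ('auditing', 1, 1,
    'auditing should be enabled')
insert into #expected values ('log audit logon failure', 1, 1,
    'failed logins should be audited')
insert into #expected values ('log audit logon success', 1, 1,
    'successful logins should be audited')
insert into #expected values ('suspend audit when device full', 1, 1,
    '1 suspends rather than overwrites when the audit device fills')
insert into #expected values ('check password for digit', 1, 1,
    'passwords should require at least one digit')
insert into #expected values ('minimum password length', 8, 30,
    'example threshold: at least 8 characters')
insert into #expected values ('password expiration interval', 1, 90,
    'example threshold: expire within 90 days (0 = never)')
insert into #expected values ('allow remote access', 0, 0,
    'default is 1; review remote credentials if enabled')

-- One row per check: configured value, run value and a verdict.
select  e.param,
        c.value  as config_value,
        r.value  as run_value,
        case when r.value between e.lo and e.hi
             then 'OK' else 'REVIEW' end as result,
        e.note
from    #expected e
join    master..sysconfigures c on c.name   = e.param
join    master..syscurconfigs r on r.config = c.config
order by result, e.param

drop table #expected
```

Any row marked REVIEW points at one of the sp_configure settings discussed above; the run value is what the server is actually enforcing, so compare it rather than the configured value where the two differ.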
© VulnerabilityAssessment.co.uk, Thursday May 17, 2007