How to Minimize Database Vulnerabilities to Avoid Getting Hacked
Database systems, such as Microsoft SQL Server, MySQL, and Oracle, have lurked behind the scenes, but their value and their vulnerabilities have finally come to the forefront. Yes, even the mighty Oracle, once marketed as unhackable, is susceptible to the same kinds of exploits as its competitors. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within.
Tools to detect database hacking risks
As with wireless, operating systems, and so on, you need good tools if you’re going to find the database security issues that count. The following are some tools for testing database security:
Advanced SQL Password Recovery for cracking Microsoft SQL Server passwords
Cain & Abel for cracking database password hashes
QualysGuard for performing in-depth vulnerability scans
SQLPing3 for locating Microsoft SQL Servers on the network, checking for blank sa (the default SQL Server system administrator account) passwords, and performing dictionary password-cracking attacks
You can also use exploit tools, such as Metasploit, for your database testing.
Find databases on the network
The first step in discovering database vulnerabilities is to figure out where they’re located on your network. It sounds funny, but many network admins aren’t even aware of various databases running in their environments. This is especially true for the free SQL Server Express database software that anyone can download and run on a workstation or test system.
Using sensitive data in the uncontrolled areas of development and quality assurance (QA) is a data breach waiting to happen.
The best tool to discover Microsoft SQL Server systems is SQLPing3.
SQLPing3 can discover instances of SQL Server hidden behind personal firewalls and more — a feature formerly only available in SQLPing2’s sister application SQLRecon.
If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools at www.petefinnigan.com/tools.htm that can perform functions similar to SQLPing3.
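SQLPing3 finds SQL Server instances by asking the SQL Server Browser service (UDP 1434) to list what is running on a host, which is also the quickest way for an admin to inventory unregistered instances on workstations. The Python script below is an added example, not code from the page or from SQLPing3; it sends the documented MC-SQLR "list instances" request, parses the reply, and compares the result with an approved inventory you maintain (the approved set and the sample reply are constructed for the example).

```python
import socket
import struct
from typing import Dict, Iterable, List, Set, Tuple

SQL_BROWSER_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # MC-SQLR request: enumerate every instance on this host
SVR_RESP = 0x05           # first byte of the Browser service reply


def parse_browser_response(payload: bytes) -> List[Dict[str, str]]:
    """Parse an MC-SQLR SVR_RESP datagram into one dict per instance.

    Layout: 0x05, a little-endian uint16 length, then ASCII key;value
    pairs, with individual instances separated by ';;'.
    """
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", payload, 1)
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:          # trailing ';;' leaves an empty chunk
            continue
        record = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" in record:
            instances.append(record)
    return instances


def query_host(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Ask one host's SQL Server Browser service for its instance list.
    Returns [] on timeout (Browser service stopped or blocked by a firewall)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SQL_BROWSER_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_browser_response(data)


def unregistered(instances: Iterable[Dict[str, str]],
                 approved: Set[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return instances whose (host, instance) pair is absent from the
    approved inventory; comparison is case-insensitive."""
    known = {(h.upper(), i.upper()) for h, i in approved}
    return [r for r in instances
            if (r.get("ServerName", "").upper(),
                r.get("InstanceName", "").upper()) not in known]


# Constructed sample reply: a workstation running SQL Server Express plus an
# unregistered DEVTEST instance reachable only over named pipes.
_BODY = (b"ServerName;WS-0412;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;11.0.2100.60;tcp;1433;;"
         b"ServerName;WS-0412;InstanceName;DEVTEST;IsClustered;No;"
         b"Version;13.0.1601.5;np;\\\\WS-0412\\pipe\\MSSQL$DEVTEST\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY

# Constructed approved inventory: only SQLEXPRESS on WS-0412 is known.
APPROVED = {("WS-0412", "SQLEXPRESS")}

if __name__ == "__main__":
    for rec in unregistered(parse_browser_response(SAMPLE_RESPONSE), APPROVED):
        print("unregistered instance:", rec["ServerName"], rec["InstanceName"],
              "version", rec.get("Version", "?"))
```

To sweep a real subnet, call query_host() for each address; instances that answer but are not in your inventory are the ones to register, patch, or shut down. Hosts with the Browser service disabled will not answer, so treat an empty result as "unknown" rather than "no SQL Server".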
Crack database passwords
SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. It checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel.
The commercial product Elcomsoft Distributed Password Recovery can also crack Oracle password hashes.
If you have access to SQL Server master.mdf files, you can use Elcomsoft’s Advanced SQL Password Recovery to recover database passwords immediately.
You might stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery can get you right in.
As you can imagine, these password-cracking tools are a great way to demonstrate the most basic of weaknesses in your database security. One of the best ways to go about proving that there’s a problem is to use Microsoft SQL Server 2008 Management Studio Express to connect to the database systems you now have the passwords for and set up backdoor accounts or browse around to see what’s available.
In practically every unprotected SQL Server system, there’s sensitive personal financial or healthcare information available for the taking.
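The blank-password and dictionary checks that SQLPing3 and Cain perform from the outside can also be run by a DBA as an offline audit of the server's own login table, which is what SQL Server's PWDCOMPARE() does in-server. The Python script below is an added example, not code from the page or from any of the tools named above. It assumes you have exported name, password_hash, is_policy_checked and is_disabled from sys.sql_logins (the sample rows are constructed) and rebuilds the documented SQL Server hash layouts (0x0100: SHA-1, 0x0200: SHA-512, both over the UTF-16LE password followed by the 4-byte salt) so that a short banned list, blank included, can be compared against each login.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass
class SqlLogin:
    name: str
    password_hash: bytes      # sys.sql_logins.password_hash
    is_policy_checked: bool   # sys.sql_logins.is_policy_checked
    is_disabled: bool         # sys.sql_logins.is_disabled


def mssql_hash(password: str, salt: bytes, version: int = 0x0200) -> bytes:
    """Rebuild a SQL Server password hash for a candidate password.
    0x0200 (SQL Server 2012+): SHA-512(UTF-16LE(pw) || salt)
    0x0100 (SQL Server 2005-2008 R2): SHA-1(UTF-16LE(pw) || salt)"""
    data = password.encode("utf-16-le") + salt
    if version == 0x0200:
        digest = hashlib.sha512(data).digest()
    elif version == 0x0100:
        digest = hashlib.sha1(data).digest()
    else:
        raise ValueError("unknown password_hash version")
    return version.to_bytes(2, "big") + salt + digest


def matches(password: str, stored: bytes) -> bool:
    """True if 'password' produces the stored hash (salt and version are
    read from the stored value, as PWDCOMPARE() does)."""
    version = int.from_bytes(stored[:2], "big")
    salt = stored[2:6]
    return hmac.compare_digest(mssql_hash(password, salt, version), stored)


# Constructed banned list; the empty string is the blank-sa check.
BANNED = ["", "sa", "password", "Password1"]


def audit_logins(logins: List[SqlLogin], banned: List[str] = BANNED) -> List[str]:
    """Flag enabled logins that use a banned/blank password or that were
    created with CHECK_POLICY = OFF (so Windows password policy is bypassed)."""
    findings = []
    for login in logins:
        if login.is_disabled:
            continue
        for candidate in banned:
            if matches(candidate, login.password_hash):
                label = ("blank password" if candidate == ""
                         else f"banned password {candidate!r}")
                findings.append(f"{login.name}: {label}")
                break
        if not login.is_policy_checked:
            findings.append(f"{login.name}: CHECK_POLICY is OFF")
    return findings


def sample_logins() -> List[SqlLogin]:
    """Constructed rows standing in for a sys.sql_logins export."""
    return [
        SqlLogin("sa", mssql_hash("", b"\x01\x02\x03\x04"), False, False),
        SqlLogin("app_user", mssql_hash("Tr0ub4dor&3", b"\x0a\x0b\x0c\x0d"), True, False),
        SqlLogin("reports", mssql_hash("Password1", b"\xaa\xbb\xcc\xdd", 0x0100), False, False),
        SqlLogin("old_svc", mssql_hash("", b"\x10\x20\x30\x40"), False, True),  # disabled
    ]


if __name__ == "__main__":
    for finding in audit_logins(sample_logins()):
        print(finding)
```

Every finding maps to one remediation: ALTER LOGIN with a new password and CHECK_POLICY = ON (and CHECK_EXPIRATION where your policy requires it), or disabling the login. Both hash layouts are a single fast digest over a 4-byte salt, which is why the cracking tools above get through weak passwords quickly and why enforcing password policy matters more than the hash format.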
Scan databases for vulnerabilities
As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. You can use QualysGuard to find such issues as
Password hashes accessible through default/unprotected accounts
Weak authentication methods enabled
Database listener log files that can be renamed without authentication
A great all-in-one commercial database vulnerability scanner for performing in-depth database checks — including user rights audits on SQL Server, Oracle, and so on — is AppDetectivePro. AppDetectivePro can be a good addition to your security testing tool arsenal if you can justify the investment.
Many vulnerabilities can be tested from both an unauthenticated outsider’s perspective as well as a trusted insider’s perspective. For example, you can use the SYSTEM account for Oracle to log in, enumerate, and scan the system (something that QualysGuard supports).
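The listener finding above is an Oracle Net configuration issue: unless ADMIN_RESTRICTIONS_<listener> is ON, the listener accepts runtime SET commands such as changing its log file name. The Python script below is an added example, not code from the page or from QualysGuard or AppDetectivePro; it parses a listener.ora (the sample is constructed, including the host names and paths), identifies each listener by the presence of an (ADDRESS ...) block, which is a heuristic rather than a rule of the file format, and reports listeners missing ADMIN_RESTRICTIONS or with LOCAL_OS_AUTHENTICATION explicitly turned OFF (that parameter defaults to ON, so its absence is not flagged).

```python
import re
from typing import Dict, List

# Constructed sample listener.ora (not from any real system)
LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
LISTENER_REPORTS =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1)))
ADMIN_RESTRICTIONS_LISTENER = ON
LOCAL_OS_AUTHENTICATION_LISTENER = ON
"""


def parse_top_level(text: str) -> Dict[str, str]:
    """Split listener.ora into top-level NAME = value entries, tracking
    parenthesis depth so multi-line values stay with their key."""
    entries: Dict[str, str] = {}
    key = None
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if depth == 0 and m:                      # a new top-level entry
            if key is not None:
                entries[key] = " ".join(buf).strip()
            key, buf = m.group(1).upper(), [m.group(2)]
        else:
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
    if key is not None:
        entries[key] = " ".join(buf).strip()
    return entries


def listener_names(entries: Dict[str, str]) -> List[str]:
    """Heuristic: an entry whose value contains an (ADDRESS block is a
    listener definition; SID_LIST_* and parameter lines never do."""
    return [k for k, v in entries.items() if "(ADDRESS" in v.upper()]


def audit_listener_ora(text: str) -> List[str]:
    """Return one finding per listener hardening parameter that is missing
    or turned off."""
    entries = parse_top_level(text)
    findings = []
    for name in listener_names(entries):
        admin = entries.get(f"ADMIN_RESTRICTIONS_{name}", "").upper()
        if admin != "ON":
            findings.append(f"{name}: ADMIN_RESTRICTIONS_{name} is not ON, so runtime "
                            f"SET commands (including log file changes) are accepted")
        local_auth = entries.get(f"LOCAL_OS_AUTHENTICATION_{name}", "ON").upper()
        if local_auth == "OFF":
            findings.append(f"{name}: LOCAL_OS_AUTHENTICATION_{name} is OFF")
    return findings


if __name__ == "__main__":
    for finding in audit_listener_ora(LISTENER_ORA):
        print(finding)
```

In the sample, LISTENER is hardened and LISTENER_REPORTS is not; the fix is to add ADMIN_RESTRICTIONS_LISTENER_REPORTS = ON and reload the listener. Run the same check across every ORACLE_HOME you found in the discovery step, since secondary listeners added for reporting or test instances are the ones most often left at defaults.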