Ethical Hacking: Improving Cybersecurity in Your Databases

By Kevin Beaver

Database systems — such as Microsoft SQL Server, MySQL, and Oracle — have lurked behind the scenes, but their value, security vulnerabilities and ability to be hacked have finally come to the forefront. Yes, even the mighty Oracle, which was once claimed to be unhackable, is as susceptible to exploits and hacks as its competition. With the slew of regulatory requirements governing database security, hardly any business can hide from the risks that lie within because practically every business (large and small) uses some sort of database, either in-house or hosted in the cloud.

Choosing tools for your ethical hack

As with wireless networks, operating systems, and so on, you need good tools for your ethical hack if you’re going to find the database security issues that count. The following are some great tools for testing database security:

  • Advanced SQL Password Recovery for cracking Microsoft SQL Server passwords.
  • Cain & Abel for cracking database password hashes.
  • Nexpose for performing in-depth vulnerability scans.
  • SQLPing3 for locating Microsoft SQL Servers on the network, checking for blank passwords for the sa account (the default SQL Server system administrator), and performing dictionary password-cracking attacks.

You can also use network vulnerability scanners, such as Nexpose, along with exploit tools, such as Metasploit, for the ethical hack of your database testing.

Finding databases on the network to identify vulnerabilities

The first step in discovering database vulnerabilities is figuring out where they’re located on your network. It sounds funny, but many network admins aren’t even aware of various databases running in their environments. This situation is especially true of the free SQL Server Express database software editions that users can download and run on your network.

It’s very common to find sensitive production data, such as credit card and Social Security numbers, being used in test databases that are wide open to abuse by curious insiders or even external attackers who have made their way into the network. Using sensitive production data in the uncontrolled areas of the network such as sales, software development, and quality assurance is a data breach waiting to happen.

The best tool for discovering Microsoft SQL Server systems is SQLPing3.

SQLPing3 hack databases
SQLPing3 can find SQL Server systems and check for missing sa account passwords.

SQLPing3 can even discover instances of SQL Server hidden behind personal firewalls, such as Windows Firewall. This feature is nice, as Windows Firewall is enabled by default in Windows 7 and later.

If you have Oracle in your environment, Pete Finnigan has a great list of Oracle-centric security tools that can perform functions similar to those of SQLPing3.

Hacking database passwords

SQLPing3 also serves as a nice dictionary-based SQL Server password-cracking program. It checks for blank sa passwords by default. Another free tool for cracking SQL Server, MySQL, and Oracle password hashes is Cain & Abel.

Cain & Abel crack passwords
Using Cain & Abel to crack Oracle password hashes.

You simply load Cain & Abel, click the Cracker tab at the top, select Oracle Hashes in the bottom-left corner, and click the blue plus symbol at the top to load a user name and password hash to start the cracking. You can also select Oracle TNS Hashes at bottom left and attempt to capture Transport Network Substrate hashes off the wire when capturing packets with Cain. You can do the same for MySQL password hashes.

The commercial product ElcomSoft Distributed Password Recovery can also crack Oracle password hashes. If you have access to SQL Server master.mdf files (which are often readily available on the network due to weak share and file permissions), you can use ElcomSoft’s Advanced SQL Password Recovery to recover database passwords immediately.

You may stumble across some legacy Microsoft Access database files that are password protected as well. No worries: The tool Advanced Office Password Recovery can get you right in. There are also many end-of-life or unsupported versions of Access still around. Running a vulnerability scanner such as Nexpose to uncover flaws can prove beneficial. Depending on the findings, you might then be able to use Metasploit to demonstrate what can happen.

As you can imagine, these password-cracking tools are great ways to demonstrate the most basic of weaknesses in your database security. They’re also nice ways to underscore the problems with critical files scattered across the network in an unprotected fashion.

Another good way to demonstrate SQL Server weaknesses is to use SQL Server Management Studio to connect to the database systems you now have the passwords for and to set up backdoor accounts or browse around to see (and show) what’s available. Practically every unprotected SQL Server system ethical hackers come across has sensitive personal financial or healthcare information available for the taking. It simply takes a query such as the following to access the records in any given table:

select * from tablename

Ethical hacking: Scanning databases for vulnerabilities

As with operating systems and web applications, some database-specific vulnerabilities can be rooted out only by using the right tools. You can use Nexpose to find such issues as the following:

  • Buffer overflows.
  • Privilege escalations.
  • Password hashes accessible through default/unprotected accounts.
  • Weak authentication methods enabled.

A great all-in-one commercial database vulnerability scanner for performing in-depth database checks — including user-rights audits in SQL Server, Oracle, and so on — is AppDetectivePRO. AppDetectivePRO can be a good addition to your security testing tool arsenal if you can justify the investment.

Many vulnerabilities can be tested from both an unauthenticated outsider’s perspective as well as a trusted insider’s perspective. The important thing is to review the security of your databases from as many angles as reasonably possible. I a database is out there and accessible, people are going to play with it.