Hack Your SQL Server Database Before the Hackers Do

Transcription

1 Note: This article was edited in Oct. 2013, from numerous Web Sources. TJS At the Install: The default install for SQL server makes it is as secure as it will ever be. DBAs and developers will eventually create databases with inadequate security. Then they will give users and groups too much access to its data. If that is not enough, they will then build Web sites or Web applications that indirectly give untrusted masses access to sensitive enterprise data. Suddenly, SQL Server is a security nightmare. Of course, a DBA can do all of the above things securely, but how many DBAs are thoroughly versed in Database and Web application security? If a DBA is careful, they monitor the entire attack surface. For an already busy DBA, maybe even working only in a small enterprise, diligent monitoring can be a full-time occupation. Furthermore, as security time moves inexorably forward, more and more sophisticated web initiated attacks into database servers emerge, and often are all too easy to miss, even for a diligent DBA. Bottom line: DBAs need proper security tools. Early SQL Server Hacks: SQLSnake and SQL Slammer Prior to 2003, the Microsoft SQL Administrator user s default password was blank. Sadly, many administrators were installing SQL Servers on the Internet with that configuration. The Microsoft database engine MSDE 2000 exhibited two buffer overflow vulnerabilities. If the MSDE 2000 process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes will mean a total compromise of the target system. These can be exploited by a remote attacker without ever having to authenticate to the server. In 2003, an Internet-based worm called SQLSnake roamed and attempted to spread from SQL server to SQL server, taking advantage of the blank administrator password. The SQLSnake worm targets TCP port 1433, the default port used for Microsoft SQL Server traffic. The worm is non-destructive, but once it infects a machine it sends an configuration information to ixltd@postone.com. The SQL Slammer worm was based on an SQL Server vulnerability, but the worm s code did not use the SQL language. Instead, it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products. Microsoft had issued a critical patch for this SQL server vulnerability on July 24, 2002, but many, including some at Microsoft, did not install this critical patch. Slammer was launched on January 25, Database Security 2013: Hack your SQL Server before they do Page 1

2 Slammer caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. Slammer spread rapidly, infecting most of its 75,000 victims within ten minutes. SQL-Slammer sends a 376 byte long UDP packet to port 1434 using random targets at a very high rate. Vulnerable systems will immediately start sending identical 376 byte packets once they are infected. The worm sends traffic to random IP addresses, including multicast IP addresses, causing a Denial of Service on the target network. Single infected machines reported traffic in excess of 50 Mb/sec after being infected. Many more database attacks come from either privilege escalation, SQL injection, or finding the database user passwords. This article will not cover privilege escalation or SQL injection attacks. Instead, much of this article will focus on cracking database user passwords. Here Come the Tools: Dozens of database tools can simplify the task of building in and maintaining security an SQL Server system and its databases. The tools run from free to expensive, single to general purpose, simple to complex. Not only can the good guys use them, but we all know that the bad guys are using the same tools to probe and poke into your servers. Table 1 shows some useful tools. Database Security 2013: Hack your SQL Server before they do Page 2

3 Using the Tools When the SQLSnake worm appeared, it revealed an SQL Server Browser service vulnerability, exposing information about available database servers to attackers. As a result, finding SQL Server instances running on your network can be problematic. Using SQLPing find all the instances SQLPing 3.0 from SQLSecurity.com attempts to detect SQL Server and MSDE instances, including multiple SQL Server instances installed on a single physical server. It also has the ability to challenge passwords through brute force probes. There are several known ways to scan and find running instances, and SQLPing takes advantage of them all. SQLPing is easy to use, but there is little documentation for it. SQLPing can actively ping the network, or simply search the Active Directory (AD) for any SQL Server registrations and check the SQL Server Browser Service to see whether any servers have broadcast their existence. Active scans are more accurate and more clearly reveal activity on your SQL Server network. SQLPing will also perform dictionary and brute-force password checking. However, the brute-force password checks are less robust than the specially developed password cracking tools. Security Best Practices Analyzer (SBPA) - your known SQL Server Instances One all the SQL Server instances are known, the next task is to evaluate how secure they are. The Microsoft SQL Server 2005 Best Practices Analyzer is a free and easyto-use tool which easily catches all of your low hanging fruit security vulnerabilities. The SBPA can scan SQL Server instances on a local or a remote machine. SBPA accesses the registries and other resources, so it is best to run it locally. To scan your entire SQL Server network, you need to be a domain or local administrator with permissions on the each remote machine s registry. The tool has various options for selecting which components to scan for in each instance and can import or export component lists. You can also select which databases to include in the scan; the default is to scan all databases, including the system databases. The analyzer defines a large set of rules that define best practices, and you can control which rules it uses to scan a particular server. A scan can take anywhere from a few minutes to a very long time, depending on the number of server instances and components you select. The scan checks more than 100 server and database issues related to known vulnerabilities, then produces its report. Each issue discovered includes a brief description, often a link to the Help file, and an Database Security 2013: Hack your SQL Server before they do Page 3

4 option to stop checking the rule for any or all SQL Server instances for future scans, when appropriate. Microsoft Baseline Security Analyzer MBSA The MBSA claims to support SQL Server, but its real value is to check that you have the latest patches installed. One of the first tasks in system hardening is to install the latest patches, so MBSA performs this important task for SQL server installations. Database Password Creation, Storage, and Cracking -- MS SQL Server Strong passwords are the foundation of a secure server. Many SQL Server instances have users from outside Microsoft s Active Directory. Such SQL servers cannot always use Integrated Windows authentication methods. In these instances, SQL developers have to create users and their passwords. This can lead to many SQL Server users with weak passwords. Microsoft SQL Server stores each user separate password as a hash in a system table. SQL Server 2000 would uppercase the password, hash it with the SHA1 hash, and then store the hash in the system table. SQL Servers 2005 and 2008 no longer uppercased the passwords before hashing, but SHA1 was still used to hash the passwords. SQL Server 2012 uses SHA2-512 to hash the passwords, so these password hashes are much more resistant to being cracked than previously. But with faster systems and SHA-512 cracker tools, they will still be breakable. SQL Servers have long used the native HASHBYTES function to create hashes when needed, such as for user passwords. Earlier HASHBYTES versions used the SHA1 hashing algorithm, but SQL Server 2012 improves password security by using the SHA_512 hash. The newer SHA-3 hash, introduced in November, 2012, was the result of a 6 year US Government sponsored contest to produce a much better hashing algorithm, is not supported. The Microsoft Technet snippets below show how to use HASHBYTES for password hashing. HASHBYTES Algorithmic Choices HASHBYTES ( '<algorithm>', 'input' } ) <algorithm>::= MD2 MD4 MD5 SHA SHA1 SHA2_256 SHA2_512 Using HASHBYTES in a Program nvarchar(4000); = CONVERT(nvarchar(4000),'dslfdkjLK85kldhnv$n000#knf'); SELECT GO Database Security 2013: Hack your SQL Server before they do Page 4

5 Despite the new SHA3 hash, SQL Server still makes all of the login information accessible from the view master.sys.sql_logins. Using this table, you can determine the user names as well as the associated password hashes. Of course the DBA has access to this table, but if can be done, the following simple SQL command can get the password hashes: 1 2 INSERT INTO mydatabase.password_table_copy SELECT * FROM master.sys.sql_logins Password Creation and Storage in Other Databases Users of Oracle, MySQL, and Sybase ASE-15 can find their password hashes and crack them through similar methods. Once the hashes are found, they can be exported to text files, where a cracking program can be used to determine the passwords. See the related article for more information on modern hash cracking systems. NGSSQLCrack and Cain & Abel Password Cracking Tools NGSSQLCrack from Next Generation Security Software is probably the easiest database password cracking tool to use. NGSSQLCrack borrows techniques from the free LophtCrack Windows password cracking tool of the 1990 s. NGSSQLCrack is commercial, but a free test download is also available. NGSSQLCrack runs on MS SQL Server versions 7/ 2000/ 2005/2008, Oracle 8i/9i/10g/11g, Sybase ASE 15, and MySQL 4.1, 5.0, 5.1 & 5.5. NGSSQLCrack will connect to the SQL Server instance of your choice and grab the SQL login password hashes. It also allows the password hashes to be manually entered or copied into the tool. It can use both dictionary and bruteforce attacks and provides some simple options for customizing the session. You can also specify your own dictionary file and character set including case-insensitive options for the brute-force attacks. It can take a long time to perform a complete crack, depending on the size of your dictionary file, the character set you select for the brute-force analysis, and the password size range you select. The tool reports any passwords it discovers immediately. Database Security 2013: Hack your SQL Server before they do Page 5

6 If you want to get into industrial-strength password cracking, use the free, cross-platform Cain & Abel. C & A gives you many more options than NGSSQLCrack for gathering, sniffing, and cracking all kinds of passwords from Windows and other OSs as well as SQL Server along with much more robust cracking options. C & A is a true hacker s tool, and you ll probably need to spend some time learning how to use it effectively. It s scary how well C & A can crack passwords. Hopefully, after using C & A, you will never again create a simple or short password for any use whatsoever. SQL Vulnerability Analyzers -- The Metasploit Project and NGSSQuirreL Many SQL Server hacking tools are niche products, focusing on one aspect of security such as password strength or port visibility. But there are literally hundreds of potential vulnerabilities in a product as complex as SQL Server, and it would take the most diligent administrator years to find all the problems. That s where a comprehensive, industrial-strength vulnerability scanner is a lifesaver. Many such commercial vulnerability scanners are available, most of which are general network analyzers that happen to include scans of SQL Server instances. The heavyweight database scanner is the Metasploit Project, which is describes as an open source platform for developing, testing, and using exploit code. It uses the Metasploit Framework, a development platform that supports creating both security tools and exploits. The framework is largely the reason for Metasploit s wide use by both ethical and black-hat hackers, since it s relatively easy to adapt the tools for specific purposes. Over the years, many of SQL Server s vulnerabilities have been discovered using these tools. Metasploit isn t for the faint of heart, but it s incredibly powerful. Much of Metasploit s power is used for evil, and you can almost bet it s being used right now on your servers. At the very least, you should assume that it is! NGSSoftware also offers the NGSSQuirreL for SQL Server. This is a powerful SQL Server security analyzer that performs more than 700 tests to find most of the known vulnerabilities in various SQL Server versions. The product is a bit picky about getting started on a particular SQL instance, so much so that it might take you a half dozen tries to configure everything correctly to make a successful connection for a scan. Once you ve set up NGSSQuirreL correctly on your system, start the scan and go get some coffee. By the time you get a cup of coffee and return to your desk, the scan should have finished that s surprisingly quick and what you can expect for an NGSSQuirreL scan, even on a remote server over a broadband connection near the low end of the Database Security 2013: Hack your SQL Server before they do Page 6

7 speed range. After NGSSQuirreL finishes the scan, it displays an easily navigated tree view containing a lot of information about the SQL Server instance as well as the problems the tool found. NGSSQuirreL scans often reveal many more vulnerabilities than you expect, especially on a remote servers, sometimes even production servers. Each vulnerability found in the scan results list has plenty of information about the problem and what to do about it, along with lists of affected database or server objects, as needed. Not every problem that NGSSQuirreL finds means you have a serious security vulnerability, but taken together, they can indicate a server s potential vulnerability. The No-Brainer Security Tool -- Microsoft Update We have saved the very best SQL Server security tool of all for last. Running this tool regularly is essential to ensure secure database servers. But the tool Microsoft Update isn t exactly a hacker tool. A fully patched machine is one of your best defenses against new attacks. Microsoft s Patch Tuesday is the second Tuesday of the month. In hacker speak, Black Wednesday follows, as attackers develop new attacks overnight after Microsoft releases the details of newly patched vulnerabilities. As everyone knows, you need to test all Microsoft patches, especially the SQL Server updates before deploying them to production servers. Don t use Windows Update, which doesn t have nearly the reach of Microsoft Update. Third-party tools that perform similar functions to Microsoft Update are available as well. One Step Ahead of Hackers In this age of increasingly clever attacks on our database servers, administrators have to be diligent about monitoring and testing the security of their SQL Server machines. You can strengthen your database defenses by using the tools described in this document. Or, you can use similar ones to find out what hackers already know about your databases and servers. In either case, use some tools regularly to keep you database servers as secure as you can. Database Security 2013: Hack your SQL Server before they do Page 7