Finding Targets

The first step to attacking Sybase servers is locating them in the network. This section describes a number of techniques for locating Sybase servers.

Scanning for Sybase

As previously noted, Sybase normally listens on a number of well-known TCP ports: 5000-5004, 8181, and 8182. It is very easy to configure Sybase to listen on different ports, but these well-known ports can be a big help. Port scanning tools such as Fyodor's Nmap ( http://www.insecure.org/nmap/ ) are the best way to locate hosts with specific known open ports.

If you have remote registry access to Windows boxes in a network, it can be useful to check for ODBC data sources. Simply search

    HKEY_LOCAL_MACHINE\Software\ODBC

for "SybaseServerName" and "NetworkAddress" and you will see the hostnames, IP addresses, and TCP ports for any Sybase data sources that are configured on the host in question.

LDAP queries can also help, if the organization has an LDAP infrastructure.

Sybase Version Numbers

Sybase responds to failed authentications with a packet that contains the major and minor version number of the server, so sniffing a failed authentication response packet will normally give you the version number. The packet looks something like this:

    Ethernet Header
    ...
    IP Header
    ...
    TCP Header
        Source port: 5000
        Dest port: 1964
        Flags: 0x18 (ACK PSH)
    ...
    Raw Data
    04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00  (   N            )
    0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5  ( sql server     )
    23 00 a2 0f 00 00 01 0e 05 5a 5a 5a 5a 5a 00 01  (#        ZZZZZ  )
    00 0e 00 4c 6f 67 69 6e 20 66 61 69 6c 65 64 2e  (   Login failed.)
    0a 00 00 00 00 fd 02 00 02 00 00 00 00 00        (              )

The 4 bytes immediately following the string "sql server" are the version number: 0x0c = 12, 0x05 = 5, so the version number of this host is 12.5.0.0. The version number obtained in this fashion isn't the whole story (you'd need to authenticate and select @@version to get that), but it can at least give you some kind of indication. The server that sent the preceding packet was actually running ASE 12.5.1.
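Decoding that response programmatically, as an added example that is not from the book: a small parser that walks the TDS tokens of the captured packet and pulls the server name, version, and error message out of the LOGINACK and EED tokens instead of just searching for the "sql server" string, which is what a defender passively inventorying Sybase versions from a capture would want. The token ids and field layouts are assumptions taken from the TDS 5.0 token format, not from the page.

```python
import struct

# Token ids and field layouts below are taken from the TDS 5.0 token format
# (an assumption of this example, not something the book page states).
TDS_RESPONSE, TDS_LOGINACK, TDS_EED, TDS_DONE = 0x04, 0xAD, 0xE5, 0xFD

# Constructed sample: the 78 TDS bytes of the failed-login response shown in
# the text, with the Ethernet/IP/TCP headers already stripped.
FAILED_LOGIN_RESPONSE = bytes.fromhex(
    "04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00"
    "0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5"
    "23 00 a2 0f 00 00 01 0e 05 5a 5a 5a 5a 5a 00 01"
    "00 0e 00 4c 6f 67 69 6e 20 66 61 69 6c 65 64 2e"
    "0a 00 00 00 00 fd 02 00 02 00 00 00 00 00"
)


def parse_login_response(pkt: bytes) -> dict:
    """Walk the tokens of one TDS response packet and pull out the fields a
    passive monitor cares about: server program name/version and the error."""
    if len(pkt) < 8 or pkt[0] != TDS_RESPONSE:
        raise ValueError("not a TDS response packet")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):       # header length is big-endian
        raise ValueError("TDS length field does not match packet size")
    info, pos = {}, 8                                        # skip the 8-byte TDS header
    while pos < len(pkt):
        tok = pkt[pos]
        if tok == TDS_DONE:                                  # fixed 9-byte token, no length field
            info["done_status"] = struct.unpack("<H", pkt[pos + 1:pos + 3])[0]
            pos += 9
            continue
        tlen = struct.unpack("<H", pkt[pos + 1:pos + 3])[0]  # token lengths are little-endian
        body = pkt[pos + 3:pos + 3 + tlen]
        pos += 3 + tlen
        if tok == TDS_LOGINACK:
            # status(1) tds_version(4) name_len(1) name prog_version(4)
            name_len = body[5]
            info["login_status"] = body[0]                   # 6 = TDS_LOG_FAIL
            info["tds_version"] = ".".join(str(b) for b in body[1:5])
            info["server_name"] = body[6:6 + name_len].decode("ascii", "replace")
            info["server_version"] = ".".join(str(b) for b in body[6 + name_len:10 + name_len])
        elif tok == TDS_EED:
            # msg_no(4) state(1) class(1) sqlstate_len(1) sqlstate has_eed(1) tran_state(2) msg_len(2) msg
            off = 10 + body[6]
            msg_len = struct.unpack("<H", body[off:off + 2])[0]
            info["msg_number"] = struct.unpack("<I", body[0:4])[0]
            info["message"] = body[off + 2:off + 2 + msg_len].decode("ascii", "replace")
    return info
```

Running parse_login_response(FAILED_LOGIN_RESPONSE) on the sample yields server_name "sql server", server_version "12.5.0.0" and message "Login failed.", matching the manual reading above; as the text notes, the real patch level (12.5.1 here) is not in this packet.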

It is possible to obtain the version number of a Sybase server using a slightly truncated authentication packet. From our experimentation, the truncated authentication attempt is not logged, even if the authentication logging options are set. This is fine though, because we don't actually want to attempt an authentication; we just want to get the server's version information in the error response.

To enable logging of both failed and successful authentication attempts, execute the following:

    sp_configure 'log audit logon failure', 1
    sp_configure 'log audit logon success', 1

You can find the C source code that implements a quick-and-dirty tool to get the Sybase version via a truncated authentication packet at the end of this chapter.

Snooping Authentication

In a default, "out of the box" configuration, Sybase transmits passwords in clear text over the network. This is such an obvious and well-known security risk that almost all organizations will have employed some kind of mitigation: either taking Sybase's recommendation and deploying one of the more advanced authentication methods, for example Kerberos, or using an encrypted IPSec tunnel or similar. Nonetheless, default configurations do occasionally crop up, so be aware that traffic from Sybase clients to the normal Sybase server ports, 5000-5004, may well have plaintext passwords in it.

As with most native database authentication mechanisms, man-in-the-middle attacks are also possible. This scenario occurs when an attacker pretends to be the database server. Normally he would have to compromise a DNS or WINS server to do this, but depending on the name resolution infrastructure in the network, this may be straightforward.


The Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156