Chapter 25: PostgreSQL: Discovery and Attack

Finding Targets

PostgreSQL is not configured for network access by default, so it is first worth considering how to determine its presence given local access to a system. This is achieved by examining the process list for "postmaster" or "postgres". On Unix systems the PostgreSQL local socket is typically located in /tmp and is named .s.PGSQL.5432. It can also be found by listing listening TCP and Unix sockets with netstat -l.

Many deployment scenarios require the database to be remotely available. PostgreSQL typically listens on port 5432 TCP. An attacker may therefore perform a simple sweep of the network for systems that respond to TCP SYN packets on port 5432 in order to determine the presence of PostgreSQL servers:

 $ nmap -sS 10.0.0.0/24 -p 5432

 Starting nmap 3.70 (http://www.insecure.org/nmap)
 Interesting ports on 10.1.1.248:
 PORT     STATE SERVICE
 5432/tcp open  postgres

 Nmap run completed -- 1 IP address (1 host up) scanned in 4.907 seconds

An administrator may choose to change the port on which the postmaster listens, possibly as an obfuscation measure to slow down an attacker. It is simple, however, to detect a listening postmaster. A PostgreSQL client such as psql could be used to attempt connection. Given that the username, database, SSL connection option, and host from which the connection originates must have an entry in the pg_hba.conf file, an attacker is unlikely to match a valid entry on an initial probe. Thus the expected response would be something like the following:

 $ psql -h 10.0.0.1 -p 2345 -d test -U test
 psql: FATAL:  no pg_hba.conf entry for host "10.0.0.1", user "test", database "test", SSL off

The initial PostgreSQL protocol exchange commences with the client sending a startup message to the postmaster, which will typically result in an ErrorResponse message (as shown above in friendly format), an authentication request message, or an AuthenticationOK message. A number of tools exist that attempt to identify applications based on their responses to various inputs. A popular such tool, amap, wrongly identifies PostgreSQL as MySQL. If amap is run with the -b (banner) switch, however, the ErrorResponse message is displayed:

 $ amap -b 10.0.0.1 2345
 amap v4.6 (www.thc.org) - APPLICATION MAP mode

 Protocol on 10.0.0.1:2345/tcp matches mysql - banner: ESFATALC0A000Munsupported frontend protocol  65363.19778 server supports 1.0 to 3.0Fpostmaster.cL1287RProcessStartupPacket
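The banner amap prints is the raw protocol 3.0 ErrorResponse with its NUL separators and length bytes dropped, so every field that fingerprints the server (severity, SQLSTATE, source file, line, routine) is there in clear text. The following Python is an added example, not code from the book: it encodes and decodes an ErrorResponse so those fields can be read from a capture, and the sample bytes are constructed from the values shown in the banner above.

```python
import struct

# Field identifiers of a PostgreSQL ErrorResponse / NoticeResponse message
FIELD_NAMES = {
    b"S": "severity", b"C": "sqlstate", b"M": "message", b"D": "detail",
    b"H": "hint", b"F": "file", b"L": "line", b"R": "routine",
}

def parse_error_response(data):
    """Decode wire format: 'E', int32 length (counts itself, not the type byte),
    then fields of (1-byte code, NUL-terminated string), ended by a 0 byte."""
    if len(data) < 5 or data[0:1] != b"E":
        raise ValueError("not an ErrorResponse message")
    (length,) = struct.unpack("!I", data[1:5])
    if length + 1 != len(data):
        raise ValueError(f"length field {length} does not match {len(data) - 1} bytes")
    body = data[5:]
    fields = {}
    pos = 0
    while True:
        if pos >= len(body):
            raise ValueError("missing field-list terminator")
        code = body[pos:pos + 1]
        if code == b"\x00":
            return fields
        end = body.index(b"\x00", pos + 1)  # raises ValueError if unterminated
        fields[FIELD_NAMES.get(code, code.decode())] = body[pos + 1:end].decode()
        pos = end + 1

def build_error_response(fields):
    """Encode a list of (code, text) pairs into an ErrorResponse message."""
    body = b"".join(code + text.encode() + b"\x00" for code, text in fields) + b"\x00"
    return b"E" + struct.pack("!I", len(body) + 4) + body

def as_printable(data):
    """Render the bytes the way a banner grabber shows them: printable ASCII only."""
    return "".join(chr(b) for b in data if 32 <= b < 127)

# Constructed sample: the fields visible in the amap banner, as the server sends them.
# The odd protocol version is what the server made of amap's probe bytes.
SAMPLE = build_error_response([
    (b"S", "FATAL"), (b"C", "0A000"),
    (b"M", "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0"),
    (b"F", "postmaster.c"), (b"L", "1287"), (b"R", "ProcessStartupPacket"),
])

if __name__ == "__main__":
    print(as_printable(SAMPLE))          # the banner as amap prints it
    for name, value in parse_error_response(SAMPLE).items():
        print(f"{name:>9}: {value}")
```

A sensor that sees a FATAL/0A000 ErrorResponse as the server's very first message on a connection is looking at a startup packet the postmaster could not parse, which is exactly what a protocol probe produces; that is a cheap signal to alert on.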


Database Hacker's Handbook. Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156