In this post, I would like to share knowledge and experience while doing Database Penetration Testing. The purpose of Penetration Testing is to find vulnerabilities within the system and simulate the controlled environment if there is any cybersecurity attack which will be exposed to the public.
Database type that security consultant will focus would be:
- Oracle Server
- MySQL Server
Why security consultant to do an assessment on the Database that been implemented within the organisation’s infrastructure because of to tested the following scenario:
- To check the privilege level access to the Database
- Also to check the privilege on the Operating System and listener/client that connected to Database.
- Security Consultant/ Ethical Hacker will verify the vulnerabilities on the system and don’t want to damage or steal any information
There’s a lot of tools that can be used for Database Penetration Testing activity but I will highlight a few of them as follows:
- dbpwaduit 0.8 is a java tool that will normally allow the tester to do an online audit of password quality that been stored on several database engines. The tools have been tested on Microsoft SQL Server 2000/2005, Oracle version 8 until 11, IBM DB2 Universal Database and lastly MySQL. For further information, can read here
- fuzzdb is a tool that finds security vulnerabilities that reside within the application including database structure and pattern. The tools contain a list of attack payload that it’s patterns include SQL Injection, NoSQL injection, authentication bypass and much more. For further information, can read here.
- hexorbase 6 is a tool capable of performing SQL queries and brute-force attacks against very common database servers such as MySQL, SQLite, SQL Server, Oracle and PostgreSQL. For further information, can read here.
- Metasploit is an open-source platform where it can support vulnerability research, exploit development and creating of a custom security tools. For further information, can read here
Recommendation or Workaround
For the Oracle Database to be secure, the Database Administrator need to secure the Listener by configure back the listener to accept or refuse requests from specific IPs. Database Administrator also need to create a new files name protocol.ora in the same directory as listener.ora
Another way to ensure the Oracle in a secure environment would be restrict the access to the Oracle database by setup a password to the listener