jetlib.sec » Tags » mysql-oracle

Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [1] Exposed Services and Admin Interfaces

Exposed Services:

An example of exposed services and making sure you check for default and common passwords. so first example is a VNC server with  no password. This gives us a HIGH severity finding

 The following is a VNC server with a password of "password"

see the problem? Same thing goes for SSH, Telnet, FTP, etc.  Don't forget about databases as well, MS SQL, MySQL, Oracle, Postgres listening out to the Internet at large.



Admin Interfaces:

Admin interfaces can be gold. the problem is 1) you have to find them on the random ass port they are running on and 2) you have to get eyes on them. this can be a hassle/problem/hard to do.

So to bring the "low" to it.  some random HTTP server gets you this in Nessus

Now, to be fair this could be totally accurate, but the point is you need to look at what is being served on this HTTP server, could be something could be nothing, no way to know unless you look.  Finding useful HTTP pages on all the random ports can be challenging.

Here is a possible methodology for doing it:

1. Nmap your range
2. Import your nmap results into metasploit
3. Use the db_ searches to pull out a list of hosts & ports
4. With the magic of scripting languages make that list into an html page(s)
5. Use linky to open all those links

Kinda goes like this:
after you have imported your nmap results, uses the services option.
If its populated you'll get a list or results like the below
Output that stuff to a CSV

msf > services -o /tmp/demo.csv

Take that CSV and run some ruby on it


The above code will output an html file that you can open with linky
linky will open each link in a new tab allowing you a way to get eyes on each of those random HTTP(S) services.

You can now start intelligently trying default passwords or viewing exposed content.

Thoughts?

-CG

Tags:  nbsp admin server don atlanta bsides mysql-oracle vnc-server  

Everyone that knows me knows that I'm a huge LSO supporter. I wouldn't be where I am today without everything I learned from Joe and LearnSecurityOnline.

He let me get a preview of his new Advanced Penetration Testing (APT): Pentesting High Security Environments course.

The syllabus is available here:
http://www.learnsecurityonline.com/component/content/article/3-admin/222-apt

I got to look at a good chunk of the labs and its top notch training, plus you get it live from Joe who is by far one of the best instructors out there.

Of particular interest to me is the attacking from the web section:

Attacking From the Web

1. XSS to command-shell

2. SQL Injection to command-shell
MS-SQL
MySQL
Oracle

3. File Handling to command-shell

File Upload to command-shell
RFI to command-shell
LFI to command-shell

Course Dates
Course dates are 17th - 21st May 2010 Greenbelt Maryland
http://www.learnsecurityonline.com/component/content/article/3-admin/222-apt

2 Day version at Brucon 22-23 September 2010
http://2010.brucon.org/index.php/Training_1#description

Tags:  security-environments mysql-oracle apti Learn security online