MS SQL Server
-- Exposure checks for xp_cmdshell. It is disabled by default; if these run, someone enabled
-- it with sp_configure, and the caller is sysadmin (or a proxy credential was set with
-- sp_xp_cmdshell_proxy_account). Commands run on the host in the context of the SQL Server
-- service account (sysadmin callers) or that proxy credential.
exec xp_cmdshell 'dir c:\'
-- The next two lines show the impact: a local administrator created from inside the
-- database engine, i.e. any xp_cmdshell exposure equals full host compromise. Detect it
-- with SQL Server Audit / Extended Events on xp_cmdshell and Windows events 4720 (user
-- created) and 4732 (member added to a local group).
exec xp_cmdshell 'net user borat Password123 /add'
exec xp_cmdshell 'net localgroup administrators borat /add'
Oracle
If we have an open account, what could we check for?
Check its privileges and learn about that account.
Object Privileges Views
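-- What can the connected account see and do? ALL_*/USER_*/ROLE_* views need no DBA role.
-- Object privileges visible to this user (own grants, grants received, PUBLIC, enabled roles)
select grantor, grantee, table_schema, table_name, privilege, grantable
from all_tab_privs;
-- Object privileges reached through roles granted to this user
select role, owner, table_name, column_name, privilege, grantable
from role_tab_privs;
-- System privileges granted directly to this user
-- (ALL_SYS_PRIVS is not a standard data-dictionary view; USER_SYS_PRIVS is the per-user view)
select username, privilege, admin_option
from user_sys_privs;
-- System privileges reached through roles
select role, privilege, admin_option
from role_sys_privs;
-- Effective system privileges of this session (direct grants plus enabled roles)
select privilege
from session_privs;
-- Accounts visible to any user
select username, user_id, created
from all_users;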
List all object privileges
-- Every object privilege in the database, one row per grant (needs SELECT on DBA_TAB_PRIVS).
SELECT p.GRANTEE, p.OWNER, p.GRANTOR, p.PRIVILEGE, p.GRANTABLE
FROM DBA_TAB_PRIVS p
ORDER BY p.GRANTEE;
List all system privilege grants made to roles and users
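-- System privileges held by users and roles; ADMIN_OPTION = 'YES' means the grantee can
-- pass the privilege on. Explicit columns and an ORDER BY make the listing stable across
-- versions (12c adds COMMON/INHERITED) and easy to diff between audits.
SELECT GRANTEE, PRIVILEGE, ADMIN_OPTION
FROM DBA_SYS_PRIVS
ORDER BY GRANTEE, PRIVILEGE;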
List of all object privileges
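-- Object privileges with the owning schema; TABLE_NAME alone is ambiguous when the same
-- name exists in several schemas, and without GRANTEE a row says nothing about who holds it.
SELECT OWNER, TABLE_NAME, GRANTEE, PRIVILEGE, GRANTABLE
FROM DBA_TAB_PRIVS
ORDER BY OWNER, TABLE_NAME, GRANTEE;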
List all the column-specific privileges
-- Column-level grants (e.g. UPDATE on one column of a table).
SELECT c.GRANTEE, c.TABLE_NAME, c.COLUMN_NAME, c.PRIVILEGE
FROM DBA_COL_PRIVS c;
List all roles granted to other roles
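-- Roles nested inside other roles; follow GRANTED_ROLE chains to find indirect DBA access.
SELECT ROLE, GRANTED_ROLE, ADMIN_OPTION
FROM ROLE_ROLE_PRIVS
ORDER BY ROLE, GRANTED_ROLE;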
List all system privileges granted to roles
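-- System privileges carried by roles visible to the current user.
SELECT ROLE, PRIVILEGE, ADMIN_OPTION
FROM ROLE_SYS_PRIVS
ORDER BY ROLE, PRIVILEGE;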
List all table privileges granted to roles
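-- Object privileges carried by roles; COLUMN_NAME is non-null for column-level grants.
SELECT ROLE, OWNER, TABLE_NAME, COLUMN_NAME, PRIVILEGE, GRANTABLE
FROM ROLE_TAB_PRIVS
ORDER BY ROLE, OWNER, TABLE_NAME;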
Check to see if PII data columns are visible
-- All the following are PII elements.
--
-- ssn
-- bank account number
-- first
-- last
-- full name
-- address
-- dob
-- mother's maiden
-- medical
-- finger prints
-- photo
-- passport data
-- disciplinary data
-- driver's licence no
-- email
-- telephone
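-- Tables/views and columns whose names suggest PII or credentials (schema SYS excluded).
-- One shared pattern list feeds both halves so they cannot drift apart. The original list
-- had '%PASS%' twice and several patterns that are strict subsets of another
-- ('%PASSWD%' and '%PASSPORT%' within '%PASS%', '%ADDRESS%' within '%ADD%', '%TELEPHONE%'
-- within '%TEL%', '%ACCOUNT%NUM%' within '%ACCOUNT%'); only the broader form is kept, so
-- the result set is unchanged. '%ADD%', '%TEL%', '%NAME%' and '%LAST%' are noisy: review
-- hits rather than treating them as findings. Output columns keep the original aliases.
with pii_pattern as (
    -- credentials
    select '%USR%'     as pattern from dual union all
    select '%PWD%'     from dual union all
    select '%PASS%'    from dual union all   -- PASSWD, PASSWORD, PASSPORT
    -- identifiers
    select '%SSN%'     from dual union all
    select '%SOCIAL%'  from dual union all
    select '%TAX%'     from dual union all
    select '%ACCOUNT%' from dual union all   -- ACCOUNT_NUM
    select '%DRIVER%'  from dual union all
    select '%DRVR%'    from dual union all
    -- names and contact details
    select '%FIRST%'   from dual union all
    select '%LAST%'    from dual union all
    select '%NAME%'    from dual union all
    select '%ADD%'     from dual union all   -- ADDRESS (broad)
    select '%MAIL%'    from dual union all
    select '%TEL%'     from dual union all   -- TELEPHONE (broad)
    -- birth, family, biometrics, health
    select '%DOB%'     from dual union all
    select '%BIRTH%'   from dual union all
    select '%MOTHER%'  from dual union all
    select '%MAIDEN%'  from dual union all
    select '%MEDICAL%' from dual union all
    select '%FINGER%'  from dual union all
    select '%PHOTO%'   from dual
)
-- Hits on object names: TYPE holds the object type
select o.object_name as object,
       o.object_type as type,
       o.owner       as owner
from dba_objects o
where o.owner <> 'SYS'
  and o.object_type in ('VIEW', 'TABLE')
  -- '%USER%' is special-cased so USER_% objects (dictionary-style names) stay out
  and (   (upper(o.object_name) like '%USER%' and upper(o.object_name) not like 'USER_%')
       or exists (select 1 from pii_pattern p where upper(o.object_name) like p.pattern))
union
-- Hits on column names: TYPE holds the column name
select c.table_name  as object,
       c.column_name as type,
       c.owner       as owner
from dba_tab_columns c
where c.owner <> 'SYS'
  and (   upper(c.column_name) like '%USER%'
       or exists (select 1 from pii_pattern p where upper(c.column_name) like p.pattern))
order by owner, object, type
/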
Check whether the account can INSERT or UPDATE data in objects of other schemas
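-- Grants that let the connected account write into schemas other than its own.
-- ALL_TAB_PRIVS also includes grants to PUBLIC and to roles this user holds.
-- DELETE is listed alongside INSERT/UPDATE because it is a write as well.
select p.grantor, p.grantee, p.table_schema, p.table_name, p.privilege, p.grantable
from all_tab_privs p
where p.privilege in ('INSERT', 'UPDATE', 'DELETE')
  and p.table_schema <> user   -- objects outside the account's own schema
order by p.grantor, p.table_schema, p.table_name;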
Using our Scan account, what can we check for?
Select from the DBA_USERS_WITH_DEFPWD data dictionary view
-- Accounts whose password still matches a known vendor default (view exists from 11g on).
select d.* from dba_users_with_defpwd d;
The DBA_USERS_WITH_DEFPWD view lists the accounts that still use their default passwords.
Find all users and their associated information as defined in the database
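-- Every account with its profile and status. LOCK_DATE/EXPIRY_DATE and CREATED show which
-- locked or expired accounts have been left in place rather than dropped.
SELECT USERNAME, PROFILE, ACCOUNT_STATUS, LOCK_DATE, EXPIRY_DATE, CREATED
FROM DBA_USERS
ORDER BY USERNAME;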
Check privileges and learn about all the accounts.
List all object privileges
-- Every object privilege in the database, one row per grant (needs SELECT on DBA_TAB_PRIVS).
SELECT p.GRANTEE, p.OWNER, p.GRANTOR, p.PRIVILEGE, p.GRANTABLE
FROM DBA_TAB_PRIVS p
ORDER BY p.GRANTEE;
List all system privilege grants made to roles and users
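-- System privileges held by users and roles; ADMIN_OPTION = 'YES' means the grantee can
-- pass the privilege on. Explicit columns and an ORDER BY make the listing stable across
-- versions (12c adds COMMON/INHERITED) and easy to diff between audits.
SELECT GRANTEE, PRIVILEGE, ADMIN_OPTION
FROM DBA_SYS_PRIVS
ORDER BY GRANTEE, PRIVILEGE;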
List of all object privileges
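-- Object privileges with the owning schema; TABLE_NAME alone is ambiguous when the same
-- name exists in several schemas, and without GRANTEE a row says nothing about who holds it.
SELECT OWNER, TABLE_NAME, GRANTEE, PRIVILEGE, GRANTABLE
FROM DBA_TAB_PRIVS
ORDER BY OWNER, TABLE_NAME, GRANTEE;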
List all the column-specific privileges
-- Column-level grants (e.g. UPDATE on one column of a table).
SELECT c.GRANTEE, c.TABLE_NAME, c.COLUMN_NAME, c.PRIVILEGE
FROM DBA_COL_PRIVS c;
List all roles granted to other roles
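-- Roles nested inside other roles; follow GRANTED_ROLE chains to find indirect DBA access.
SELECT ROLE, GRANTED_ROLE, ADMIN_OPTION
FROM ROLE_ROLE_PRIVS
ORDER BY ROLE, GRANTED_ROLE;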
List all system privileges granted to roles
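-- System privileges carried by roles visible to the current user.
SELECT ROLE, PRIVILEGE, ADMIN_OPTION
FROM ROLE_SYS_PRIVS
ORDER BY ROLE, PRIVILEGE;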
List all table privileges granted to roles
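-- Object privileges carried by roles; COLUMN_NAME is non-null for column-level grants.
SELECT ROLE, OWNER, TABLE_NAME, COLUMN_NAME, PRIVILEGE, GRANTABLE
FROM ROLE_TAB_PRIVS
ORDER BY ROLE, OWNER, TABLE_NAME;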
Check to see if any of the use simple password cracker SQL to get all the User access
Check for the Version and Patch levels
Check to see the Parameters set for the ORACLE implementation
If we have SYS, SYSTEM or DBA-level access, what should we check for?
Query the DBA_TS_QUOTAS view to list all tablespace quotas specifically assigned to each user.
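-- Tablespace quotas per user; MAX_BYTES = -1 means unlimited, which is worth questioning
-- for any non-application account.
SELECT TABLESPACE_NAME, USERNAME, BYTES, MAX_BYTES
FROM DBA_TS_QUOTAS
ORDER BY USERNAME, TABLESPACE_NAME;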
The DBA_PROFILES view lists all profiles in the database and the setting of each limit in each profile.
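-- Profile limits; rows with RESOURCE_TYPE = 'PASSWORD' are the password policy
-- (FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, PASSWORD_VERIFY_FUNCTION, ...).
SELECT PROFILE, RESOURCE_TYPE, RESOURCE_NAME, LIMIT
FROM DBA_PROFILES
ORDER BY PROFILE, RESOURCE_TYPE, RESOURCE_NAME;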
To find the memory use for each user session, query the V$SESSION view joined with V$SESSTAT and V$STATNAME.
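-- Current UGA memory per session. Rewritten with explicit joins (the comma join hid the
-- conditions), qualified columns, a space before 'bytes' (the original printed "1234bytes"),
-- and SID so background sessions with a NULL USERNAME are still identifiable.
SELECT s.USERNAME,
       s.SID,
       st.VALUE || ' bytes' AS "Current UGA memory"
FROM V$SESSION s
INNER JOIN V$SESSTAT st
    ON st.SID = s.SID
INNER JOIN V$STATNAME sn
    ON sn.STATISTIC# = st.STATISTIC#
WHERE sn.NAME = 'session uga memory'
ORDER BY st.VALUE DESC;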
The username and password entered when a database link is created are stored with the link (10g or earlier).
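-- V$DBLINK only shows links opened by the current session, so dormant links are missed;
-- DBA_DB_LINKS lists every defined link, and a non-null USERNAME means the link carries
-- a fixed stored credential that should be reviewed.
SELECT DB_LINK, OWNER_ID FROM V$DBLINK;
SELECT OWNER, DB_LINK, USERNAME, HOST, CREATED
FROM DBA_DB_LINKS
ORDER BY OWNER, DB_LINK;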
If we get access to the UNIX server having Oracle installed?
Check the access permissions and privileges on $ORACLE_HOME.
Check the umask of the oracle account.
Make sure that files created by the oracle account get secure permissions by default (umask 022).
Check that the oracle account is not a member of the root group.
i. cat /etc/group
Check that no other OS account is a member of the dba group.
ii. cat /etc/group
Check the .dbf file permissions; they should be 600, since only the oracle account needs them to run the database.
Check to see any other OS account does not have dba group
iii. cat /etc/group
Oracle raw devices should have minimum permissions so only Oracle can use them.
iv. ls -al device/disk/volume
Usernames/ passwords in process list.
v. ps -aef
Usernames/ passwords in scripts.
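#!/bin/bash
# Audit: list files under $ORACLE_HOME that contain a connect string or sqlplus call
# (hard-coded credentials in scripts). Writes user.lis (every file visited) and
# user.lis2 (matching lines, prefixed with the file path).
# Fixes vs. the original: the shebang had a trailing slash, the loop never closed with
# `done`, `>> user.lis2>/dev/null` sent the matches to /dev/null instead of the file,
# and an unquoted $filename broke on paths containing spaces.
: "${ORACLE_HOME:?ORACLE_HOME is not set}"
find "$ORACLE_HOME" -type f -print0 | while IFS= read -r -d '' filename
do
    echo "filename $filename" >> user.lis
    # -I skips binaries, -H prefixes the path so a hit is traceable; grep errors
    # (unreadable files) are discarded
    grep -E -I -H 'connect|sqlplus' "$filename" >> user.lis2 2>/dev/null
done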
Usernames/ passwords in Environment variables.
Control files .ctl should have read and write only by Oracle.
Check whether export files are accessible on the system. (Such a file contains USER$ and can be extracted.)
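# Audit: export dumps left under $ORACLE_HOME. Records `ls -l` of each match in exp.lis so the
# finding is the permission line itself. The original one-liner was missing the `;` before
# `do` and `done`, and used -I, which skips the largely binary dump files; -a reads them as text.
find "$ORACLE_HOME" -type f -print0 | while IFS= read -r -d '' filename; do grep -q -a 'EXPORT' "$filename" 2>/dev/null && ls -l "$filename" >> exp.lis; done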