29.09.2019

The Database Hacker's Handbook: Defending Database Servers, by David Litchfield et al., John Wiley & Sons, 2005 (500 pages). Written by four of the world's top security experts, this book teaches you how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage of database hackers. Table of Contents: Preface; Introduction; Part I - Introduction; Chapter 1 - Why Care About Database Security?


DB2 Processes

Before we examine how DB2 can be attacked and how it should be defended, let's look at some of the terminology used when talking about DB2. A computer running DB2 is known as a host. Each host can have one or more instances of DB2, and each instance can have one or more databases. In a default install two instances are created: one known as DB2 and the other as DB2CTLSV.

If the sample database has been installed, it can be found in the instance named DB2. The tools database, toolsdb, can often be found in this instance as well. The Satellite control database, satctldb, if installed, can be found in the instance named DB2CTLSV. Each instance listens on its own distinct TCP port: for example, the DB2 instance listens on TCP port 50000 and the DB2CTLSV instance on TCP port 50001 (on Windows, DB2 can also be configured to listen on named pipes).

In addition there is the DB2 Database Administration Server, otherwise known as the DAS. The DAS listens on TCP and UDP port 523. As the name implies, the DAS is responsible for dealing with database administration requests. Figure 6-1 shows a stylized representation of the processes that are integral to DB2.

An instance, and its databases, are held in a process called DB2SYSCS on Windows or DB2SYSC on Linux. If you're wondering what the DB2FMP process is, it's a host process for running fenced routines: so that a buggy or badly behaved routine cannot crash the main database process, routines are generally loaded into db2fmp instead, that is, the routine is 'fenced.' Administration requests are received by the DAS (DB2DASRRM).

Figure 6-1: DB2 processes.

Tip: When I first started looking into DB2 security, one of the most frustrating problems I had was simply trying to connect the DB2 client to a remote system. I'm sure if I'd read the documentation this wouldn't have been quite so frustrating, and for those out there who, like me, have a 'right-here, right-now, right-away' mentality, I'll quickly describe how to hook up the client to a remote system. First, run the db2 client from a command line and, at the db2 prompt, enter the following:

    catalog tcpip node mynode remote <server-address> server 50000

This creates a node called mynode locally. It points to a server listening on TCP port 50000 at <server-address>, the IP address (or hostname) of the DB2 server. Next, you need to tell the client what database to connect to. You can do this with

    catalog database toolsdb as mydb at node mynode

Note that you use mynode from the previous command and give the database a local alias of mydb. These names are completely arbitrary; you can call them what you want. toolsdb is the name of the database on the remote instance. With this done you can then connect to the server:

    connect to mydb user root using quib1e

where root is the user and quib1e is the (somewhat poor) password. The session should flow as follows:

    db2 => catalog tcpip node mynode remote <server-address> server 50000
    DB20000I  The CATALOG TCPIP NODE command completed successfully.
    DB21056W  Directory changes may not be effective until the directory cache is refreshed.
    db2 => catalog database toolsdb as mydb at node mynode
    DB20000I  The CATALOG DATABASE command completed successfully.
    DB21056W  Directory changes may not be effective until the directory cache is refreshed.
    db2 => connect to mydb user administrator using 'foobar!!'

       Database Connection Information

     Database server        = DB2/NT
     SQL authorization ID   = ADMINIST...
     Local database alias   = MYDB

    db2 => select 1 from sysibm.sysdummy1

    1
    -----------
              1

      1 record(s) selected.

    db2 =>

DB2 Physical Database Layout

It's important to know the physical file locations where DB2 has been installed, and this varies from operating system to operating system. We'll look at the default locations for Windows and Linux.

DB2 on Windows

When DB2 is installed on Windows the main database server files are installed in C:\Program Files\IBM\SQLLIB. For each DB2 instance a directory is created in the SQLLIB directory, for example DB2 and DB2CTLSV. In these directories you can find dump files relating to access violations and the like. It is often useful to look through these because they can reveal interesting bits of information.

Another interesting file is db2diag.log, which contains all sorts of useful information. The actual data files can be found in directories off the root of the drive: for each instance there is a directory off the root, for example C:\DB2 and C:\DB2CTLSV. Under each of these is a directory called NODE0000, and under that are SQL00001 to SQL0000X (one per database) and SQLDBDIR. Various files relating to the instance and to each database in the instance can be found here.

DB2 on Linux

The main database server files can be found in the /opt/ibm/db2/ directory, but many of these files are linked to from elsewhere. When DB2 is installed three new accounts are created: dasusr1, db2fenc1, and db2inst1. Each of these accounts is given a home directory under /home, and these directories contain (or link to) the relevant files. dasusr1 is the account that runs the DAS. /home/dasusr1 contains a directory called das, and under it are directories such as adm, which holds the DAS binaries, and dump. The dump directory contains a file called db2dasdiag.log, which can contain useful information. The db2inst1 user is responsible for running DB2 instances.

/home/db2inst1 contains two important directories: sqllib and db2inst1. The former contains database server specific files and the latter contains the data files. The db2fenc1 user is the account used for running fenced routines; nothing interesting can be found in its home directory.

DB2 Logical Database Layout

In DB2, database objects such as tables, views, triggers, and routines are stored in schemas. Important schemas are SYSIBM, SYSCAT, SYSFUN, and SYSPROC. The SYSIBM schema holds most of the default catalog tables and the SYSCAT schema contains most of the views.

The SYSFUN schema contains the database functions (user defined functions, or UDFs) and the SYSPROC schema contains the database procedures. In DB2 terminology procedures and functions together are often described as routines.

DB2 Authentication and Authorization

Unlike Oracle and Microsoft SQL Server, which support database authentication and database accounts, DB2 uses the operating system exclusively for authentication. What this means is that DB2 is immune to attackers gaining access via database accounts that have no password, or that have a default password. Oracle has a plethora of such accounts, and Microsoft SQL Server, prior to service pack 3, was infamous for having no password set on the 'sa' login, the most powerful login on the server. DB2 does not suffer from this kind of issue. That said, if the OS itself has an account without a password, or an account with a default password, then needless to say this can be abused by attackers; but the same would be true for Oracle and Microsoft SQL Server.


Indeed, when DB2 is installed some OS accounts are created and, in earlier versions of DB2, these OS accounts were given default passwords:

    All operating systems
        db2admin has a password of db2admin
    *nix
        db2fenc1 has a password of ibmdb2
        db2inst1 has a password of ibmdb2
        db2as has a password of ibmdb2

What this lack of database authentication also means is that there is no 'users' table as such; it's the operating system itself that stores this information. Although authentication is dealt with by the operating system, DB2 does support different authentication types that specify how (and where) the authentication takes place. First there is the SERVER authentication type. This is the default setting and means that the server is responsible for authentication. If the DB2 server uses the SERVER authentication type, clients send their username and password over the network in clear text, albeit in EBCDIC. The SERVER_ENCRYPT authentication type encrypts them using 56-bit single DES.


Using this type, the client encrypts the username and password before sending them to the server. This is more secure than type SERVER, although 56-bit DES is a weak cipher by modern standards, so it stops casual reading of passwords off the wire rather than a determined attacker. At a minimum, the DB2 server should use the SERVER_ENCRYPT authentication type. Another type, CLIENT authentication, relegates the responsibility for authentication to the client: the line of thinking is that on a trusted network, if users can get onto the client, then they must be trusted, and so no authentication is performed by the server. This is a dangerous assumption to make and the CLIENT authentication type should not be used.

Here's why: anyone, absolutely anyone, can access the database server. If the account the user is logged onto on the client doesn't exist on the server, it's irrelevant: the user still gets access as PUBLIC. To reiterate, CLIENT authentication should not be used. Two more authentication types are available: KERBEROS and KRB_SERVER_ENCRYPT. The former is used when both the client and server support Kerberos; the latter indicates that if Kerberos is not available, the server will fall back on the SERVER_ENCRYPT method.

Note: To set the server's authentication type, open the Control Center and right-click the instance in question.


Select Configure Parameters from the menu. In the Keyword column find Authentication and select the authentication type required. It is strongly advised not to use CLIENT authentication, because attackers can abuse it to gain easy access to the DB2 server.

Looking at authentication at the wire level, you can determine whether a given user account exists on a remote system by looking at the return code. After receiving a SECCHK DDM command, the server replies with a SECCHKCD, or Security Check Code.
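The Control Center is not the only way to see the AUTHENTICATION setting: `db2 get dbm cfg` prints the same keyword, and `db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT` (followed by db2stop and db2start, since this parameter is not changed online) is the command-line fix. As an added example, not from the book, here is a small Python check that reads that output and flags the weak settings described above. The sample output is constructed, and the parse_dbm_cfg and audit_authentication names and messages are this example's own.

```python
import re

# Constructed excerpt of `db2 get dbm cfg` output. The real command prints many more
# keywords, all in the same "description (KEYWORD) = value" layout.
SAMPLE_DBM_CFG = """\
          Database Manager Configuration

 Database manager authentication        (AUTHENTICATION) = CLIENT
 Cataloging allowed without authority   (CATALOG_NOAUTH) = NO
 TCP/IP Service name                          (SVCENAME) = db2c_DB2
"""

# Why each weak value matters, in the terms used in the text above.
WEAK = {
    "CLIENT": "server performs no authentication; anyone reaching the port gets in, at least as PUBLIC",
    "SERVER": "user id and password cross the network in clear text (EBCDIC)",
}
ACCEPTABLE = {"SERVER_ENCRYPT", "KERBEROS", "KRB_SERVER_ENCRYPT"}

FIX = "db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT   (then db2stop; db2start)"


def parse_dbm_cfg(text):
    """Map KEYWORD -> value for every '(KEYWORD) = value' line of db2 get dbm cfg output."""
    cfg = {}
    for m in re.finditer(r"\((\w+)\)\s*=\s*(\S*)", text):
        cfg[m.group(1).upper()] = m.group(2)
    return cfg


def audit_authentication(text):
    """Return a verdict dict: weak or not, why, and the command that fixes it."""
    auth = parse_dbm_cfg(text).get("AUTHENTICATION", "").upper()
    if auth in ACCEPTABLE:
        return {"authentication": auth, "weak": False, "reason": "", "fix": ""}
    reason = WEAK.get(auth, "unrecognised or missing AUTHENTICATION value")
    return {"authentication": auth, "weak": True, "reason": reason, "fix": FIX}


if __name__ == "__main__":
    # Weak setting from the sample, then the corrected setting beside it.
    for text in (SAMPLE_DBM_CFG, SAMPLE_DBM_CFG.replace("= CLIENT", "= SERVER_ENCRYPT")):
        verdict = audit_authentication(text)
        print("AUTHENTICATION = %s -> %s" % (verdict["authentication"],
              "WEAK: %s\n  fix: %s" % (verdict["reason"], verdict["fix"]) if verdict["weak"] else "ok"))
```

Feed it the real output (`db2 get dbm cfg | python3 audit.py` with a stdin read added) on every instance, not just the default DB2 one: each instance has its own database manager configuration and so its own AUTHENTICATION value.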


The codepoint for SECCHKCD is 0x11A4 and the value is 1 byte in length. A value of 0x00 means that authentication was successful; 0x0F indicates that the password is invalid; and 0x13 indicates that the username is not valid. By looking at these return codes it's possible to enumerate users remotely by guessing. If the account doesn't exist you'll get a SECCHKCD of 0x13. If it's 0x00, you not only have a valid username but you also guessed the password correctly. More than likely, though, the result will be 0x0F, password invalid. The following code can be used to authenticate a user.
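As an added example, and not the book's own code, here is a Python sketch of the wire format the enumeration relies on: it builds the SECCHK request a client sends for authentication type SERVER (security mechanism USRIDPWD) and parses the server's SECCHKRM reply to read the SECCHKCD and classify it. The DSS layout and the codepoints are from the DRDA specification; the server replies it classifies are constructed inline so the script runs offline, and build_secchkrm, classify_secchk_reply, the SVRCOD values used in the constructed replies and the 18-byte space-padded RDBNAM are this example's own assumptions. A real exchange also sends EXCSAT and ACCSEC before SECCHK, which is not shown.

```python
import struct

# DDM codepoints from the DRDA specification. SECCHKCD (0x11A4) is the one discussed
# in the text; the others are what a SECCHK exchange is built from.
CP_SECCHK   = 0x106E   # security check request
CP_SECCHKRM = 0x1219   # security check reply message
CP_SECMEC   = 0x11A2   # security mechanism
CP_RDBNAM   = 0x2110   # relational database name
CP_USRID    = 0x11A0   # user id
CP_PASSWORD = 0x11A1   # password
CP_SVRCOD   = 0x1149   # severity code
CP_SECCHKCD = 0x11A4   # security check code, 1 byte

SECMEC_USRIDPWD = 0x0003   # clear-text user id + password, i.e. authentication type SERVER
EBCDIC = "cp037"           # DRDA carries identifiers and passwords in EBCDIC

# The SECCHKCD values discussed in the text; anything else is reported as "other".
SECCHKCD_MEANING = {0x00: "ok", 0x0F: "password invalid", 0x13: "userid invalid"}


def _ddm(codepoint, payload):
    """One DDM object or parameter: 2-byte length (header included), 2-byte codepoint, data."""
    return struct.pack(">HH", 4 + len(payload), codepoint) + payload


def _dss(body, fmt, correlator):
    """DSS header: 2-byte length, magic 0xD0, format byte (0x01 request, 0x02 reply), correlator."""
    return struct.pack(">HBBH", 6 + len(body), 0xD0, fmt, correlator) + body


def build_secchk(rdbnam, userid, password, correlator=1):
    """The SECCHK request a client sends under authentication type SERVER.
    With this type the PASSWORD parameter is exactly what crosses the wire."""
    params = (_ddm(CP_SECMEC, struct.pack(">H", SECMEC_USRIDPWD))
              + _ddm(CP_RDBNAM, rdbnam.upper().ljust(18).encode(EBCDIC))   # assumed 18-char padding
              + _ddm(CP_USRID, userid.encode(EBCDIC))
              + _ddm(CP_PASSWORD, password.encode(EBCDIC)))
    return _dss(_ddm(CP_SECCHK, params), 0x01, correlator)


def parse_dss(data):
    """Parse one DSS carrying one DDM object. Returns (codepoint, {param_codepoint: raw bytes})."""
    if len(data) < 10 or data[2] != 0xD0:
        raise ValueError("not a DRDA DSS")
    dss_len = struct.unpack(">H", data[:2])[0]
    if dss_len > len(data):
        raise ValueError("truncated DSS")
    obj_len, codepoint = struct.unpack(">HH", data[6:10])
    if obj_len < 4 or 6 + obj_len > dss_len:
        raise ValueError("malformed DDM object")
    body = data[10:6 + obj_len]
    params, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("malformed DDM parameter")
        plen, pcp = struct.unpack(">HH", body[pos:pos + 4])
        if plen < 4 or pos + plen > len(body):
            raise ValueError("malformed DDM parameter")
        params[pcp] = body[pos + 4:pos + plen]
        pos += plen
    return codepoint, params


def classify_secchk_reply(data):
    """Turn the server's SECCHKRM into the verdict an attacker reads off the wire."""
    codepoint, params = parse_dss(data)
    if codepoint != CP_SECCHKRM or CP_SECCHKCD not in params:
        return "unexpected reply 0x%04X" % codepoint
    code = params[CP_SECCHKCD][0]
    return SECCHKCD_MEANING.get(code, "other (0x%02X)" % code)


def build_secchkrm(secchkcd, correlator=1):
    """Constructed server reply, used here only so the parser can be exercised offline."""
    svrcod = 0x0000 if secchkcd == 0x00 else 0x0008   # assumed: SVRCOD 8 (error) on failure
    params = _ddm(CP_SVRCOD, struct.pack(">H", svrcod)) + _ddm(CP_SECCHKCD, bytes([secchkcd]))
    return _dss(_ddm(CP_SECCHKRM, params), 0x02, correlator)


if __name__ == "__main__":
    req = build_secchk("toolsdb", "root", "quib1e")
    print("SECCHK request (%d bytes): %s" % (len(req), req.hex()))
    for code in (0x13, 0x0F, 0x00):
        print("SECCHKCD 0x%02X -> %s" % (code, classify_secchk_reply(build_secchkrm(code))))
```

The three constructed replies classify as userid invalid, password invalid and ok, which is the whole of the enumeration oracle: 0x13 versus 0x0F tells the attacker whether the account exists before the password is ever right. The same distinction is available to defenders, so a burst of SECCHK failures from one client with the codes alternating between 0x13 and 0x0F is worth alerting on; and because the PASSWORD parameter built above is the literal clear-text value under SERVER authentication, SERVER_ENCRYPT is the minimum setting.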