View database security from security attack instance

Source: Internet
Author: User
Tags: server, port

The Art of War says: know the enemy and know yourself, and in a hundred battles you will never be in peril. The contest between attack and defense is the central theme of information security, and understanding how attacks work is the best way to defend against them. This article walks through a network attack on a company's information systems, following the attacker's path and technical methods, so that readers gain a concrete sense of the threat and security practitioners learn to think about protection from the attacker's perspective.


The story that follows takes place in a developed country, not long ago. Its protagonist, Carl, is a software development engineer well versed in information security attacks. His motive is plain: financial gain, not merely mischief or showing off.

Carl read about Good Luck Company in the newspaper. The company had grown rapidly; within about a year its sales outlets covered the whole country. From his own development experience, Carl knew that a large number of information systems would be needed to support Good Luck Company's busy sales operations. He speculated that in the rush to expand, the company might have neglected information security, leaving vulnerabilities in its systems, and that those vulnerabilities could be turned into substantial financial gain. So Carl chose Good Luck Company as his target.

Temptation and Action


Before launching the attack, Carl needed to gather more information about the company, so he began a reconnaissance campaign against Good Luck Company. His first step was to use the domain name system to find the company's network addresses (IP addresses), then browse its websites to work out which business systems might hold sensitive information. Posing as an ordinary internet user, he could browse or register on Good Luck Company's promotional sites and forums, and from an ordinary account it was easy to work out which development technologies the information systems were built with. From public sources on the internet, Carl could learn the potential weaknesses of those technologies, such as file upload vulnerabilities in ASP, PHP and JSP applications, SQL injection vulnerabilities, and so on.

Probing: the Technical Attack


Carl first scanned Good Luck Company's IP addresses. To avoid being intercepted by the IDS (intrusion detection system) and IPS (intrusion prevention system), Carl found a system on the internet that could serve as a scapegoat and installed Fragrouter on it (Fragrouter helps attackers evade intrusion detection and launch IP-based attacks), so that his own system would not be directly exposed to the scanning traffic.

Carl then used Nmap (Nmap provides four basic functions: host discovery, port scanning, service and version detection, and OS detection, as well as firewall/IDS/IPS evasion and website scanning). He discovered that in the DMZ (demilitarized zone) of Good Luck Company's network a web server had TCP port 80 open and a DNS server had UDP port 53 open, and he also found a packet-filtering firewall. At this point he had a basic picture of the layout of Good Luck Company's web server zone.

Next, Carl used Nessus to scan for and analyze system vulnerabilities, looking for known security holes or services missing a security patch. However, Nessus found nothing exploitable in the DMZ of Good Luck Company's network.

Looking for a Security Breach


This initial setback did not dispel Carl's idea of attacking Good Luck Company, and he looked to the company's website for inspiration on the next step. In the site's descriptions, Carl quickly discovered that one of the company's sales outlets (Point A) was not far from his home, a godsend. So he took his laptop with Linux installed and ran Wellenreiter (a wireless network finder and scanner that can be used to discover wireless networks), which found an access point with the SSID goluco041; he guessed that 041 was the number of this point of sale. He then used the Linux ifconfig command to change his MAC address, defeating the MAC address binding measure, joined Point A's internal network, and was assigned a dynamic IP address by the network's DHCP server.

Carl once again used Nmap to scan and found that Point A's server had port 22 open, typically the SSH service (which administrators use to manage Linux systems remotely) and which grants control of the system. Carl ran the Hydra password-guessing tool (Hydra is a Linux brute-force tool; combined with a password dictionary generator it can build a powerful dictionary for attacking SSH) and guessed passwords word by word against a series of common user accounts such as root, admin and operator. To Carl's delight, the password of the operator account was rotarepo, simply the account name reversed. Carl then used this account to log in to Point A's server. Browsing the file system, he found a valuable file in one directory that recorded more than 100 days of transactions, from which Carl obtained more than 100,000 credit card records, including card number, cardholder name, expiry date and so on. Carl sold these on the online underground black market and profited from them.
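The Point A compromise leaves a clear trace in the server's own SSH log: a burst of failed logins for several account names from one source, followed by a successful login. The Python below is an added example, not code from the original article; it runs a simple detector over constructed sshd log lines modelled on that scenario and adds a password-policy check that rejects the "reversed account name" pattern. The hostname, IP addresses and timestamps are all invented sample data.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data): one client tries root,
# admin and operator in turn, then succeeds as operator, plus one unrelated
# key-based login from an internal host.
SAMPLE_AUTH_LOG = """\
Jun 12 02:14:01 pos041 sshd[2201]: Failed password for root from 192.0.2.45 port 51022 ssh2
Jun 12 02:14:02 pos041 sshd[2201]: Failed password for root from 192.0.2.45 port 51022 ssh2
Jun 12 02:14:03 pos041 sshd[2203]: Failed password for invalid user admin from 192.0.2.45 port 51024 ssh2
Jun 12 02:14:04 pos041 sshd[2203]: Failed password for invalid user admin from 192.0.2.45 port 51024 ssh2
Jun 12 02:14:05 pos041 sshd[2205]: Failed password for operator from 192.0.2.45 port 51026 ssh2
Jun 12 02:14:06 pos041 sshd[2205]: Accepted password for operator from 192.0.2.45 port 51026 ssh2
Jun 12 02:20:11 pos041 sshd[2290]: Accepted publickey for backup from 10.0.41.5 port 40100 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ..."
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_bruteforce(log_text, fail_threshold=3):
    """Return {ip: finding} for sources with at least fail_threshold failed
    logins; 'compromised' lists accounts that source later logged in as."""
    fails = defaultdict(list)      # ip -> usernames that failed
    successes = defaultdict(list)  # ip -> usernames that were accepted
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        bucket = fails if m["result"] == "Failed" else successes
        bucket[m["ip"]].append(m["user"])
    findings = {}
    for ip, users in fails.items():
        if len(users) >= fail_threshold:
            findings[ip] = {
                "failed_attempts": len(users),
                "usernames_tried": sorted(set(users)),
                "compromised": sorted(set(successes.get(ip, []))),
            }
    return findings

def is_trivially_derived(username, password):
    """Password-policy check: reject a password equal to the account name or
    the account name reversed (the weakness that gave away 'operator')."""
    u = username.lower()
    return password.lower() in {u, u[::-1]}
```

Run against the sample, the detector reports 192.0.2.45 with five failures across root, admin and operator and a subsequent successful login as operator, which is the point at which an alert and a forced credential rotation are warranted.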

Expanding the Gains


Having succeeded against Point A, Carl considered that the company was growing at an alarming rate and speculated that the network information systems at each point of sale might be deployed in the same way. He therefore applied the same approach to the Point B server and obtained another batch of credit card information. However, this kind of attack is laborious, so Carl set out to find a more convenient approach.

Climbing to the Top


Using a sniffer program, Carl captured the transaction information transmitted between the POS terminals and the server. This was valuable: it showed that the point of sale also sent transaction requests to servers on another network, that these requests were sent in clear text, and it revealed the address of the destination server that accepted the authorization requests. Carl then used the compromised machine at Point A to connect over the VPN to the central network system server at Good Luck Company's headquarters. Running an Nmap port scan against that server, he found TCP port 443 open, indicating that the server provided an HTTPS service, responsible for processing all credit card transactions and managing the company's business.

To attack the web application system, Carl had two options. The first was a file upload vulnerability: because uploaded file types were not filtered, or the filtering mechanism was not strict, script files could be uploaded, and by uploading such files an attacker can gain control of the site. The second was to use the sqlmap tool to discover cross-site scripting and SQL injection vulnerabilities, and then exploit the SQL injection vulnerabilities to extract sensitive data from the back-end database.

Of course, if it is a back-end database, Carl could also use Nmap to scan for the database server's port number and bypass the legitimate application to access the database directly, either by trying default account passwords to log on to the database server or by finding the database access account on the application server. In the end, Carl obtained all the customer information from 200 points of sale, including more than 1 million credit card records.
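The SQL injection route described above works only when the application builds its query from user input by string concatenation. The Python below is an added example, not code from the article or from any real system: it builds a constructed in-memory SQLite stand-in for a point-of-sale transaction table (dummy values, no real card data) and places the vulnerable lookup beside the parameterized one, so the difference in behaviour on a tautology input can be seen directly. The table layout and outlet names are assumptions.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for a point-of-sale transaction table.
    Only the last four digits of a card are stored here, and all rows are dummy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER PRIMARY KEY, outlet TEXT, "
        "cardholder TEXT, card_last4 TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions (outlet, cardholder, card_last4, amount) "
        "VALUES (?, ?, ?, ?)",
        [
            ("goluco041", "A. Example", "0001", 12.50),
            ("goluco041", "B. Example", "0002", 40.00),
            ("goluco087", "C. Example", "0003", 7.25),
        ],
    )
    return conn

def lookup_vulnerable(conn, outlet):
    """Vulnerable: the caller's input is spliced into the SQL text, so quote
    characters in the input change the meaning of the WHERE clause."""
    sql = ("SELECT cardholder, card_last4 FROM transactions "
           "WHERE outlet = '" + outlet + "'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, outlet):
    """Hardened: a bound parameter is always treated as a value, never as SQL,
    so the same input simply matches no outlet."""
    sql = "SELECT cardholder, card_last4 FROM transactions WHERE outlet = ?"
    return conn.execute(sql, (outlet,)).fetchall()

def compare(conn, outlet):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    return len(lookup_vulnerable(conn, outlet)), len(lookup_safe(conn, outlet))
```

For a normal outlet name both lookups return the same two rows; for an input containing a quote and an OR tautology the concatenated version returns every row in the table while the parameterized version returns none.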

Epilogue


Carl's attack was a resounding victory. To cover his tracks, he destroyed all the evidence relating to the theft of the credit card information, left the scene of the attack, and enjoyed his "victory".

The security response of the relevant institutions was also timely. Within a certain period, a large number of credit card users experienced fraud, and the affected cards had one thing in common: they had all been used in transactions at Good Luck Company. The regulator identified the problem at Good Luck Company and notified the company.

Good Luck Company launched an internal investigation and confirmed that a security incident had occurred. In accordance with the relevant laws, Good Luck Company had to notify the credit card holders and pay the corresponding compensation. As a result of Carl's theft of credit card information, the company suffered severe reputational and financial losses.

To find out which attack techniques Carl used, Anwarking will next walk you through Good Luck Company's internal security operations.


This article is from the Database Security blog; please keep this source link: http://schina.blog.51cto.com/9734953/1658878
