Loading
Notes
Study Reminders
Support
Text Version

Techniques for Operating System, Database and Application Hardening

Set your study reminders

We will email you at these times to remind you to study.
  • Monday

    -

    7am

    +

    Tuesday

    -

    7am

    +

    Wednesday

    -

    7am

    +

    Thursday

    -

    7am

    +

    Friday

    -

    7am

    +

    Saturday

    -

    7am

    +

    Sunday

    -

    7am

    +

Minimizing the surface area and the attack area on operating systems and databases is a key tenet of operational security let's talk about techniques for operating system database and application hardening in configuration management a baseline is an agreed-upon description of the attributes of a product at a point in time which serves as a basis for defining change a change is a movement from this baseline state to a next state the identification of significant changes from the baseline state is the central purpose of baseline identification typically significant states are those that receive a formal approval status either explicitly or implicitly an approval status may be marked individually when a prior definition for that status has been established by project leaders nevertheless this approval status is usually recognized publicly thus a baseline may also mark an approved configuration item that a project plan has been signed off for in terms of execution generally a baseline may be a single work product or a set of work products that can be used as a logical basis for comparison a baseline may also be established as the basis for subsequent select activities when the work products meet certain criteria such activities may be attributed with formal approval conversely the configuration of a project or product often reflects one or more baselines the current configuration refers to the current status current audit or metrics similarly frequency should be considered now this should include all revisions of all items or the latest revisions of the items or the product a baseline security check is an organizational instrument with the help of interviews the status quo of an existing network relative to the number of security measures implemented from the it baseline protection catalogs can be investigated so what happens here is as you gather this notion of a dispensable baseline or whether an asset is dispensable as you gather this notion of a baseline you can identify what a default security posture is for a system in a given state of time and you may identify that as you audit on an ongoing basis that these baselines tend to modify or creep sometimes we will need to track those modifications and we may actually update our baseline to include certain changes and other times that when we detect deviations from the security baseline it may be an actual security vulnerability that we've introduced and we may need to mitigate that reverting back to the security baseline that was originally put into place a baseline security check gives information about measures which are still missing and from this what follows is what remains to be done to achieve baseline protection now not all measures suggested by a baseline check need to be implemented peculiarities are to be taken into account it could be that several more or less unimportant applications are running on a server which have lesser protection needs now in totality however those applications are to be provided with a higher level of protection this is kind of a cumulative effect the applications running on the server determine the need for protection and this connection it should be noted that several it apps can run on an it system and when this occurs the application with the greatest need for protection determines the iit systems protection category many vendors provide baseline security configuration templates or best practices for their platforms some general best practices are disabled services and features that aren't being used for instance a windows operating system can have ftp file and print sharing and a number of other services enabled but if it's only functioning as a web server then we're necessarily opening this server up to different attack vectors the same holds true with networking devices databases and applications as well in computing hardening is usually the process of securing a system by reducing its surface of vulnerability which is larger when a system performs more functions now in principle a single functioning system may be an appliance for instance is more secure than a multi-purpose one in principle a single purpose machine is more secure than a multi-purpose one reducing available ways of attack typically include the removal of unnecessary software unnecessary usernames or logins and the disabling or removal of unnecessary services there are various methods of hardening linux systems this may involve among other measures applying patches to the kernel such as exec shield or packs closing open ports setting up intrusion detection systems and firewalls and there are also hardening scripts and tools like linus bastille linux and js for solaris and apache http php hardener that can be run for example which deactivate unneeded services and provide other protective measures another best practice is to disable unused application and operating system service accounts and to make sure that no shared accounts are being used server hardening checklists should be incorporated into the operating system build process or into a golden virtual machine image and these checklists should be audited and updated on a periodic basis so having a checklist and implementing it's on thing but we need to periodically validate the os against the baseline because things change in computing environments sometimes the application of a patch may open up or enable a service for instance it's important to distinguish between software-based vulnerabilities which require patching for remediation and configuration-based vulnerabilities which can be mitigated now achieving a hard and secure build standard is really what a hardening program is all about and this provides a constant level of security configuration hardening presents a uniquely tough challenge as the level to which you can harden depends on your environment applications and working practices for example removing web and ftp services from a host are good basic harding practices however if the host needs to act as a web server then this isn't going to be a sensible hardening measure similarly if you need remote access to the host via the network then you'll need to open firewall ports and enable terminal server services or ssh services on that host otherwise these should always be removed or disabled to help secure that host conversely patching is a much simpler discipline with a general rule that latest versions are always the best and most secure just make sure to test it and so it doesn't bring down the system as we learned in this section minimizing the attack surface area of operating systems and databases and apps is a key tenet of operational security a baseline is an agreed description of the attributes of a product at a point in time which serves as a basis for identifying change. A change is a movement from this baseline state to the next state and the identification of significant changes from the baseline state is the central purpose of baseline identification having security baseline checklists that drive operating system database network and app builds ensure that they're deployed in a hardened state to begin with next we periodically audit these devices against that baseline and then subsequently update our build checklists as needed.
So we're going to start exploring MySQL database security and so as part of that process what we want to do is build a mysql lab environment and so the first step is to have a linux operating system available i mean you can certainly use windows but for our purposes i think linux would be more beneficial and that we have so many more command line options and tools available to us so i'm actually just going to go ahead and install my sql from the the repository now as we go through the MySQL server i'm installing 5.5 i usually like to install about a version back for the purpose of some of these labs it recommends that we set up a root user for the mysql database so we're certainly going to go ahead and do that and we'll set up a password for that root user and then repeat that password choose ok and then go through the rest of the installation process here so next thing we're going to do is run the my sql secure installation script so this is kind of a best practice script that you should run that will take care of certain things like removing anonymous users or making sure that you have a root password set we can as you can see here disallow root login remotely which is definitely a good idea you usually want to ssh into your machine for security purposes and we can modify some of the authorization tables as well using the script okay so what we've done is we've installed mysq server 5.5 okay you can see we run the mysql dash dash version and we have run the security script now that's not a be all end-all security script but it's a decent start so this is great but the next thing we need to do is actually put some data in the database because if we're going to be testing against this database we need to make sure that there's a data set for us to leverage as part of the testing process so there are various scripts that we can use and run but in particular there is a set of tables or data sets that are on the my SQL site that we can download and run to populate some sample tables and sample that database data so i've went ahead and started the mysql service and we're going to try connecting to it from the terminal first and the tool that we use to connect to my sql is the mysql admin tool and i need to make sure that i put a space in between the my sql admin and the dash p now that we've tested the connection of mysql from the command line we also want to install install the MySQL workbench tool so it's a gui for mysql that will do a lot of common administrative type tasks such as you know schem modification or addition of tables or imported data sets or you know any of the common administrative activities for the mysql database now like most databases that are linux based you know you can do most of this stuff from the command line and a lot of administrators will do a combination of command line work and then work in the GUI all right so we use mysql admin from the command line and we've certainly verified that we can connect there we can see that the database is running has been running for about 10 minutes now and of course mysql is an open source database but the company was acquired by oracle and they have commercial versions of it for our purposes we're just using the open source standard edition of my sql and you know i think it's important to look at my sql from a security perspective because you know there are there are statistics out there that say that easily a majority of the databases on the internet that are internet facing utilize mysql so it is a target rich environment okay so we've installed the mysql workbench and the next thing we want to do is go ahead and start the utility so we can we start up our gui and what we're going to do is create a connection and the standard connection port for my sql is 3306 and remember we created a root user and password for the mysql service we do a quick test and we see that that as a correct username and password and so we open up the workbench and now we can see that the service is running we can see things such as client connections user privileges so we're really getting our lab up and running now so some of the next things that we want to do is make sure that we have schemas and data sets set up now what i ran earlier installed a very base data set but we need to install a richer data set so what we're going to do is we'll shortly go to the web and download that one of the stored procedures or packages off of the mysql site that will install the sakila database which is a database that's a sample data set so now we're going to need as I mentioned that data set you can see that we've got some sql statements that build out the schema and the data sets that we've downloaded so we're going to go ahead and run that and start in earnest populating the contents of this database so we've got a mysql prompt and in order to do the population we choose to source and we're going to point to the scripts that we downloaded that will build out the schema and contents of the tables and foreign key relationships for this sakila database, okay so you can see that quite a bit of data has been populated it happened very quickly so we point to this killer database and we want to look at some of the tables and just verify that they're there and they certainly are and this sample the database appears to be a database that has information about movies and actors and movie rentals so it's just a sample database click on the webofsecurity.com link for the latest in cybersecurity news test prep materials including sample test questions flashcards e-books hands-on labs study notes and special offers for newly released cybersecurity training content.

In this section we're going to take a look at my sequel security architecture as well as some exploits now we've set up a sql or mysql lab in previous lesson and right now we're going to take a look at some of the sample data so i just did a show tables and that shows us some of the the tables and data that we have populated the database with now mysql is an isam storage engine which is index sequential access method engine and it happens to be the default storage engine for my sequel so as a result there are several files that it stores on disk and of course if i'm looking to compromise the system uh it's going to be helpful to know where these files are and what the purpose of those files are because i might be able to get operating system level access and open those files up directly so you have the frm file you have the myd file and the myd is the actual data file itself and the frm is is a descriptor and then you have the dot myi file which is the index for those database tables so now we know a little bit about how the storage mechanism is set up for my sql and the next thing we're going to take a look at is the security architecture of my sql so in other words you know what are the security authentication mechanisms what are the authorization controls that are built into the mysql platform and so the first thing we're going to take a look at is the user structure in the user table so we'll run a describe mysql.user and this is the base user table and so what we're looking at here is a number of fields in that user table you have host user there's a password field that would be pretty valuable potentially for an attacker now the password field though does not obviously contain clear text passwords those passwords are kept as a double sha-1 hash in my sql now as we analyze these fields we can see that there are not only the username and password fields but there are certain fields that outline privileges okay so you can see create routine priv alter routine privilege create user privilege so these are at this level being defined across the entire database and the entire mysql installation now we can get more granular at a database level and a table level which we'll get into momentarily so some of these privileges like alter routine and trigger privileges as i mentioned are outlined here and we can grant users those privileges directly here but typically this not recommended the best practices to use the administrative interface or some of the built-in commands within mysql now we can get a little more granular and start defining privileges that are actually at the database level now i've installed a database the sakila database which is just a sample data set that contains you know information about actors and movies but we can go into that database itself and modify some of the privileges associated just with that database so we're kind of honing in and we're getting more specific to a given database as opposed to setting up permissions and authorization across the whole system now another point here that's worth noting is that my sequel's a little bit unique in that you can actually define some host level security mechanisms and some databases do not provide that capability so we've taken a look at some of the authorization structures within the sql database now if i'm looking to audit or attack the system one of the first steps is the enumeration process and of course as we go in we learn about ethical hacking you know you have to find what you're looking for first and so nmap's a great tool for that and we can just do a quick scan and we know that mysql listens on port 3306 by default now does that mean that every mysql server will be listening on that port not necessarily it can be configured to listen onto other ports but even if it's listening on a different port we can actually do things like banner checks which we'll talk about later so let's go ahead and use nmap to do a simple scan for the 3306 listener and on our network here so we've got a few switches the port switch 3306 voila so we have my mysql happens to be on the local host no big surprise the host is up we can see that it is a mysql service. Okay now we can actually go in and get a little more granular now that we have identified that there's a mysql service running on this particular target or ip address and so one of the next steps in the enumeration process really would be to find out maybe what version of my sequel this particular server is running because once we collect that type of information then as an attacker you know what we can do is cross-reference that with let's say known vulnerabilities in that particular version and then subsequently find exploits and unleash those exploits on this particular instance okay and we can use a tool like net exploit now here we're going to go ahead and use Netcat of course netcat is a very versatile utility it's actually used as a payload in a lot of exploits if we do the connection on 3306 we actually get a banner back from the MySQL server stating that hey I’m running MySQL server 5.5.50 and i happen to be running it on ubuntu 1404. Well as I mentioned before as an attacker this is extremely valuable information now on the flip side there are some things that we can do as administrators to not give out this type of valuable information but it is given out by default okay so the mysql instance is as i mentioned is 5.5 we're running on ubuntu 1404 and i'll show you here in just a minute how we can go out and now that we know the version information we can do a little bit of research to see okay you know what vulnerabilities are out there specific to this version okay so we're going to check out a database called the exploit database it's exploit db com and the exploit database as the name suggests contains a data set i think around 35000 at least if not more of vulnerabilities and in some cases has information specific to actual exploits so let's go ahead and open up our browser and so here is yeah there you go 35 484 exploits have been archived here okay so we can do searches on particular terms in our case we are interested in mysql we know that we're running five five five now that's a fairly recent version you know it's the older versions that tend to be more susceptible because the bug fixes are not in place all right so sometimes we need to make the query a little more generic we'll just say okay mysql55 let's see if anything comes up in the exploit database here all right so my sequel five five we've got a few and notice that it mentions the platform right in this case it's a windows platform and based on what i've seen a lot of the vulnerabilities for my sql are specific to my sql running on the windows platform that's definitely not all of them but it does appear that it does seem to be more vulnerable on the windows platform now what's interesting here is you know we know about the vulnerability now but this actually outlines how we can create and compile and exploit so it actually shows us the source code for an exploit how to put that together on red hat linux basically it says hey install the mysql development package and then hear the commands to issue and basically we can develop this exploit and then take shell ownership and operating system ownership of that target machine so the next thing we're going to do is cover several of the attack vectors which can be exploited to compromise mysql installations and so these include things like sql injection and in addition to sql injection you know you also have bugs that are in the mysql platform which we just took a look at right we we saw the exploit database and we saw okay this particular version is vulnerable now our version here is not vulnerable because it's a little more up-to-date and not to mention the fact that it happens to be running on linux okay so what we did we just did a quick dump of the of one of the data files here or really the user table and in this case we're also going to take a look at the config file so this is a form of injection okay and what I mean by that is the injection is something that really indicates that we're breaking out of a box of some sort so fo instance within the runtime of the database if we can break out of that run time and access something that is at the operating system level then we've probably done some level of injection and the same holds true with let's say if i'm accessing via a php application and if i can inject some sql code in a form then i'm breaking out of the run time for the web server and then running code in the other runtime in this case would be my sql so the example we just showed here was one where we're kind of breaking through the database runtime and we've opened up operating system files okay so as an attacker you know step one is footprinting and you know then service enumeration we have to know what's out there but for an attacker once they gain access and once they conduct a successful exploit you know one of the next steps is to to hide their tracks and keep access okay so we're going to talk about keeping access and the potential installation and setup of a back door okay so an attacker is going to want to set up a back door but they're going to want to set that up discreetly and part of setting up a back door in the database will involve creating a user account but then we have to ask ourselves well how can we create a user account so that it's just not blatantly obvious to one of the mysq administrators we're going to take a look at just a kind of a dump of the user table here and this is just kind of a raw look at it if we look at the contents here you can see it's kind of messy we have lots of y's and pluses and minuses and it appears to be jumbled and if i wanted to create an account that didn't raise a lot of suspicion I would want it to sit neatly and nicely and discreetly within this visual set of data and what i might do is just create an account that's a capital y or an account named null if it allowed me to do that or a plus sign and some of these characters wouldn't be allowed but just on their own even a blank username so i'm going to go ahead and set upa username and look at the username i'm going to create now i'm adding look at me because i want us to find it okay in our example but you can see that i could leave look at me out and just create a username plus plus and when i do a dump of this user table well you can see our user there right but you can see very easily how i could have left out the look at me component and then it would be very obfuscated you know the fact that a you know attacker or otherwise had left an account or created an account in the system now granted you could probably look through logs and there's other places where you can get data but hiding your you know getting that access maintaining the access and covering your tracks these are all part of the steps in the process when attackers attempt to compromise systems now besides keeping access as i mentioned before you know another step is to elevate privileges right so we may have access but that access may not be at the privilege level that that we want you know the goal of every attacker essentially is to elevate to root access or super user access so how an attacker might do that if they had access then they could potentially grant all privileges and i'll show you how to run that command here but we grant all privileges on all the tables within mysql okay and so just as it suggests you know we're elevating a particular user and giving them all those privileges and i'm going to elevate the privileges of our user our discrete user plus look at me plus and give them full control and always remember to make sure you put in semicolon when you're entering sql commands all right so we've elevated the privileges of that user let's verify by looking at the privileges in the table to indicate whether or not that's been granted so we see grant usage on star.star to plus look at me then we see grant all privileges on my sequel to plus look at me so we have essentially elevated privileges of this user so the attacker found the service you know we did the nmap scan you conduct an exploit once you conduct tonight and that could be sql injection it could be via a bug and then once you've done that you want to elevate your privileges you want to create a back door maintain access and then cover your tracks so another interesting attack um from a my sequel perspective is for an attacker to use my sequel to actually crack its own passwords and you can actually create user defined functions and you can use the processing power of mysql itself to hack itself.

In this section we're going to focus on locking down security for mysql databases now as we already know mysql databases are prevalent on the web maybe 80 of the database is installed out there and the categories of controls that we're going to talk through here are patching of mysql bug fixes the controls we can implement at the os level we're going to talk about default user accounts and how to secure them we're going to walk through the principle of lease privilege access and how we can implement that next we're going to look at the reduction of the attack service configuration of logs and the actual secure baselining of the mysql configuration files themselves so these are the different categories of security and security lockdown type activities that we're going to look at now the first thing i want to take a gander at here are the release notes so the release notes are a valuable piece of information from a security standpoint because if we look through some of these release notes for the version in particular and we'll find our version which is 5550 or 5551 and if we look at that version we can see what bugs were fixed and in our case i'm actually going to look i've looked a version higher and i looked a version higher because i'm running five five five oh i looked at five five five one why did i do that well because i want to see what was fixed in that five five five one version because that means that in my five five five o version that i'm susceptible up to that particular bug and so that's why that's of particular interest now if you look at these release notes some of them will have specific callouts for security and this has actual security notes associated with it so that's important because if i want to audit this or if i want to try to compromise this device for testing purposes I can find out through the documentation potentially you know what that vulnerability is a description of it and we can look for exploits that have been potentially published on the web to actually compromise this version of the installation so patching is always kind of the first and foremost component of database security it's kind of the blocking and tackling of the database security world so in this security note you can see that there is an issue with the diffie-hellman key exchange length parameters for openssl and we can see more information about what bugs were fixed so if we turn this on its head now that we know what vulnerabilities there are we can look at this from a vulnerability perspective and from an exploit perspective now if we look at the specifics of these vulnerabilities with the security focus database securityfocus.com we can take a look down at the vendor which in this case since it's my sequel it's oracle and we can look at the version of my sql and that can be the community edition and there's more information if you just look at the plain my sequel edition and so i'm going to switch over here to just uh my sequel and find our version or something in the vicinity of our version interestingly enough we don't see 5.50 here and what that means is that there wasn't a particular vulnerability found for this version that doesn't mean that it's not vulnerable it just means that there wasn't a fix just for thi version so you can see we're running 5550 we can see we're running on 1404 ubuntu so any of the versions or vulnerabilities that are higher up than 5.50 we are potentially susceptible to okay it doesn' automatically mean that we're susceptible to them because some of these vulnerabilities may be specific to new code that's been added okay so it takes a little bit of examination to figure these things out but we know where to go you know we know that we have to identify the version we're running we know that we need to go look up the vulnerabilities in these particular versions and once we get that data then we can start looking at the specifics okay so we'll just go through here and we'll pick something that we can take a look at and maybe we can find a vulnerability and not only a vulnerability but we can find information specific to an exploit now there's a separate database for exploits that we'll explore momentarily.