Leverage plain text database connections with SQLViking
Bio
• AppSec analyst for nVisium. Cut my teeth in the DoD working on a .NET stack. Love researching and learning all things security from hardware to crypto to social engineering.
What’s a sqlviking?
• Post exploitation tool that leverages plain text connections between database server and clients
• Why pwn the database when all the data you could ever want is flying over the network in plain text?
Inspiration
Structure
• Python 2.7.x (blame scapy)
• Broken up into two pieces
– Scout: passive
– Pillage: extremely intrusive
• Built with extensibility in mind; adding new database support is very easy
Using SQLViking
• python sqlviking -c <config_file.txt>
• Config file allows you to:
– Specify target databases
– Pre-load queries to run via Pillage
– Specify how to handle data logging
• Menu allows for most of this functionality to be modified during runtime
Config
UI
Scout
• Pulls traffic off the wire, parses, and stores
– Builds database schema
– Stores captured credentials
– Correlates queries with their results
Demo!
• Demo gods be damned, I made a video
Pillage
• Leverages TCP injection to run arbitrary queries against a database
• Extremely intrusive, will break open connections
• How this affects web servers and other clients varies pretty greatly
TCP Overview
• Biggest takeaway:
– Seq/ack numbers are predictable
– No authenticity verification
• What happens if we put a packet on the wire with valid seq/ack and a spoofed MAC/IP?
TCP Injection!
Demo!
More Pillage Fun
• MySQL authentication protocols
– mysql_native_password: secure!
– mysql_old_password: broke as hell, but still supported
• Leverage Pillage to direct clients to use the mysql_old_password auth protocol
• Login attempt fails but now you have a valid credential pair
MySQL Handshake
The Fix
• Encrypt everything!
– Traffic can be wrapped in TLS
– Use a cipher that supports PFS (DH key exchange)
– Enable certificate verification for both server and client
• SSL can be disabled in transit via MitM pre-MySQL 5.7.x/6.x (BACKRONYM attack)
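The MySQL Handshake, More Pillage Fun and The Fix slides all come down to two packets a defender can inspect on the wire: the server's HandshakeV10 greeting (does it offer TLS, which auth plugin does it name?) and the client's first reply (a 32-byte SSLRequest means TLS starts before any credential is sent; a HandshakeResponse41 means the username and scramble went in the clear). The following is an added example, written for this page in Python 3 and not part of SQLViking (which is Python 2.7 on scapy); it parses both packets per the public MySQL protocol layout and reports the conditions the deck warns about: plaintext login, TLS offered but not taken, and a client falling back to mysql_old_password. The sample packets are constructed by the two `build_*` helpers, not real captures, and the example assumes a 4.1+ client and a login that completes without a server-side AuthSwitchRequest.

```python
"""Classify a captured MySQL login from its first two packets. Added example, not SQLViking code."""
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_CONNECT_WITH_DB, CLIENT_PROTOCOL_41, CLIENT_SSL = 0x00000008, 0x00000200, 0x00000800
CLIENT_SECURE_CONNECTION, CLIENT_PLUGIN_AUTH = 0x00008000, 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000

def _payload(packet):
    """Strip the 4-byte header (3-byte little-endian length, 1-byte sequence id)."""
    return packet[4:4 + int.from_bytes(packet[0:3], "little")]

def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1

def _default_plugin(caps):
    # Protocol default when no plugin name is sent on the wire.
    return "mysql_native_password" if caps & CLIENT_SECURE_CONNECTION else "mysql_old_password"

def parse_server_greeting(packet):
    """Parse Protocol::HandshakeV10 and report what the server offers."""
    p = _payload(packet)
    if p[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    version, pos = _cstring(p, 1)
    pos += 4 + 8 + 1                                  # connection id, salt part 1, filler
    cap_low = struct.unpack_from("<H", p, pos)[0]
    pos += 2 + 1 + 2                                  # lower caps, charset, status flags
    cap_high = struct.unpack_from("<H", p, pos)[0]
    caps = cap_low | (cap_high << 16)
    salt_len = p[pos + 2]
    pos += 2 + 1 + 10                                 # upper caps, salt length, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, salt_len - 8)                  # salt part 2
    plugin = _cstring(p, pos)[0].decode() if caps & CLIENT_PLUGIN_AUTH else _default_plugin(caps)
    return {"version": version.decode(), "offers_tls": bool(caps & CLIENT_SSL), "auth_plugin": plugin}

def parse_client_response(packet):
    """Parse the client's reply: a 32-byte SSLRequest or a HandshakeResponse41 (4.1+ clients only)."""
    p = _payload(packet)
    caps = struct.unpack_from("<I", p, 0)[0]
    if len(p) == 32:                                  # SSLRequest: TLS starts before any credential
        return {"ssl_request": bool(caps & CLIENT_SSL), "user": None, "auth_plugin": None}
    pos = 4 + 4 + 1 + 23                              # caps, max packet size, charset, reserved
    user, pos = _cstring(p, pos)
    if caps & (CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | CLIENT_SECURE_CONNECTION):
        n = p[pos]                                    # one-byte length (lenenc values < 251)
        assert n < 251, "multi-byte length-encoded auth data not handled in this example"
        pos += 1 + n
    else:                                             # old-style NUL-terminated scramble
        _, pos = _cstring(p, pos)
    if caps & CLIENT_CONNECT_WITH_DB:
        _, pos = _cstring(p, pos)
    plugin = _cstring(p, pos)[0].decode() if caps & CLIENT_PLUGIN_AUTH else _default_plugin(caps)
    return {"ssl_request": False, "user": user.decode(), "auth_plugin": plugin}

def assess_login(server_packet, client_packet):
    """Findings for one greeting/response pair; an empty list means TLS was negotiated."""
    srv, cli = parse_server_greeting(server_packet), parse_client_response(client_packet)
    if cli["ssl_request"]:
        return []
    findings = [f"plaintext login by '{cli['user']}' to MySQL {srv['version']}"]
    findings.append("server offered TLS but client did not request it" if srv["offers_tls"]
                    else "server does not offer TLS")
    if cli["auth_plugin"] == "mysql_old_password":
        findings.append("weak mysql_old_password authentication in use")
    return findings

def _packet(payload, seq):  # constructed sample packets below, not real captures
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def build_greeting(version, caps, plugin=b"mysql_native_password"):
    salt = b"A" * 20
    p = b"\x0a" + version + b"\x00" + struct.pack("<I", 7) + salt[:8] + b"\x00"
    p += struct.pack("<H", caps & 0xFFFF) + b"\x21" + struct.pack("<H", 2)
    p += struct.pack("<H", caps >> 16) + bytes([21]) + b"\x00" * 10
    if caps & CLIENT_SECURE_CONNECTION:
        p += salt[8:] + b"\x00"                       # 12 more salt bytes plus NUL = 13 bytes
    return _packet(p + (plugin + b"\x00" if caps & CLIENT_PLUGIN_AUTH else b""), 0)

def build_response(caps, user=None, auth=b"", plugin=b""):
    p = struct.pack("<I", caps) + struct.pack("<I", 1 << 24) + b"\x21" + b"\x00" * 23
    if user is None:
        return _packet(p, 1)                          # exactly 32 bytes: an SSLRequest
    p += user + b"\x00"
    if caps & (CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA | CLIENT_SECURE_CONNECTION):
        p += bytes([len(auth)]) + auth
    else:
        p += auth + b"\x00"
    return _packet(p + (plugin + b"\x00" if caps & CLIENT_PLUGIN_AUTH else b""), 1)

MODERN = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
GREETING = build_greeting(b"5.6.20-log", MODERN | CLIENT_SSL)
NO_TLS_GREETING = build_greeting(b"5.5.40", MODERN)
TLS_CLIENT = build_response(MODERN | CLIENT_SSL)
PLAIN_CLIENT = build_response(MODERN, b"app", b"\x11" * 20, b"mysql_native_password")
OLD_CLIENT = build_response(CLIENT_PROTOCOL_41, b"legacy", b"\x22" * 8)
```

To run it against real traffic, feed `assess_login` the first TCP payload the server sends on a 3306 connection and the first payload the client sends back; anything other than an empty list is a connection Scout could have read. Two caveats: the downgrade the More Pillage Fun slide describes can also surface as a server-side AuthSwitchRequest (a packet starting with 0xFE that names mysql_old_password) sent after the client's response, which this two-packet check does not cover; and "server offered TLS" is not the same as "server required it", which is the point of the BACKRONYM note above. On the server side that requirement is `require_secure_transport=ON` (MySQL 5.7.8 and later), and on the client side the post-BACKRONYM fix is `--ssl-mode=VERIFY_IDENTITY` (5.7.11 and later), which refuses to fall back to plaintext and checks the server certificate, matching the deck's "certificate verification for both server and client".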
Future Improvements
• Fingerprinting
– Parse all TCP traffic and attempt to identify it as database traffic
• Encryption support
– So you stole some private keys, eh? Looks like we’re back in business!
• More databases supported!
Dir/File Breakdown
• TODO
Repo
https://github.com/atticuss/sqlviking
