Powered by Blogger.
Home » » Module 09: Database Penetration Testing Methodology - Exercise 2: Performing Automated Database Penetration Testing Using Havij

Module 09: Database Penetration Testing Methodology - Exercise 2: Performing Automated Database Penetration Testing Using Havij

Written By AKADEMY on Thursday, July 4, 2019 | 10:19 PM

Exercise 2: Performing Automated Database Penetration Testing Using Havij

Scenario

Database Vulnerability Assessments are essential to a methodical and proactive way to deal with database security and diminish the danger connected with both web and database particular assaults and bolster agreeability with significant norms, laws & regulations.
Database Vulnerability Assessments are best utilized:
  • As a fast and economical method for surveying the danger connected with a database that is in operation yet has not (as of late) experienced a more extensive database security appraisal.
  • As a major aspect of a progressing defenselessness/design administration program, particularly in the backing of show of continuous agreeability with important models/regulations.
  • To evaluate less basic databases (i.e., databases with a moderate danger profile where the danger does not legitimize more prominent degree and meticulousness.
  • As a data gathering instrument to center entrance testing or code surveys.
Lab Duration15 Minutes
  1. Click Windows Server 2012 (Internal Network)and click Ctrl+Alt+Delete.
    Screenshot
  2. In the password field click Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  3. In this lab, we will perform SQL injection on the database server located in the machine Database Server Subnet B (10.10.20.2) using a tool named Havij. The attack vector in this lab would be the website with the URL http://10.10.20.2/realhome.
    To install Havij, navigate to E:\ECSAv10 Module 09 Database Penetration Testing Methodology\Havij and double-click Havij 1.15 Free.exe.
    An Open File - Security Warning window appears; click Run and follow the wizard-driven installation steps to install Havij.
    Screenshot
  4. Once the installation is completed check Launch Havij option and click Finish button. Havij will launch automatically.
    Screenshot
  5. Havij main window appears as shown in the screenshot. Now in the Target field type http://10.10.20.2/queenhotel/about.aspx?name=coffee and click Analyze.
    Leave the other settings to default.
    Screenshot
  6. Havij will starts analyzing URL provided in target field as shown in the screenshot.
    Screenshot
  7. Click Info tab to view environment of target website hosted.
    Screenshot
  8. Now in the Info tab click on the Get button to obtain the complete details of the hosted machine.
    This will display the Hostname, current database, database used, and databases connected to it.
    Screenshot
  9. Now click on Tables tab to view the list of tables connected to the database. It will list out all the tables that are connected.
    Screenshot
  10. Now check on any of the databases listed in the left pane, and click GET Tables button to extract information.
    In this lab, we are going to extract Real_Homedatabase.
    Screenshot
  11. Havij will extract Tables from the database as shown in the screenshot. Now, check on the table to extract the columns and click Get Columns.
    In this lab, we will choose Login table to extract the columns.
    Screenshot
  12. The extracted columns from the database are shown in the screenshot. Now, we need to extract the login credentials of the website.
    So, check password and login_usernamecolumns to extract credentials. Once you checked these two options click Get Data button to extract credentials.
    Password and Username columns may vary as per your database connection.
    Screenshot
  13. Havij extracted the login credentials of the Real_Home database as shown in the screenshot.
    Screenshot
  14. To verify these credentials, launch a web browser, type http://10.10.20.2/realhome in the address bar and press Enter. Real Home webpage appears as shown in the screenshot below.
    In this lab, we will use Firefox browser to login.
    Screenshot
  15. Now use the following credentials to Login realhome website.
    Username: smith
    Password: smith@123
    and click Login button.
    Screenshot
  16. Now you have Successfully logged in with the extracted credentials by using Havij.
    Ignore the password remembering pop-up by clicking Don't Save.
    Screenshot
  17. Close all the opened windows.
In this lab you have learned how to extract Databases, Tables, Columns, and User Credentials using Havij
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT