Welcome back to our series on red teams! Here, we’re explaining the tools and concepts behind the in-house organizations designed to test a company’s defenses. We started by introducing Kali Linux, a foundational operating system for penetration testing.
Let’s take a fresh look at one of the many, many tools embedded in Kali Linux – sqlmap. sqlmap is an important tool for penetration testers because it makes it easy to create SQL injection attacks, one of the primary techniques that attackers use to compromise databases.
SQL injection attacks work by exploiting vulnerable fields in inputs that are connected to databases. For example, an attacker might find a login form for your network, input SQL code instead of a username and password, and then retrieve the entire contents of your credential database. These vulnerabilities were discovered as early as 1998, and yet two decades later they still lead the OWASP Top 10.
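The login-form case described above, as an added example that is not code from the original article: the same credential check written once with string concatenation and once with bound parameters, run against an in-memory SQLite database. The table name, function names and sample rows are constructed for illustration.

```python
import hashlib
import sqlite3

def hash_pw(password):
    # Unsalted SHA-256 keeps the demo short; real systems use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Build an in-memory credential table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, pw_hash TEXT)")
    rows = [("alice", hash_pw("correct horse")), ("bob", hash_pw("hunter2"))]
    db.executemany("INSERT INTO accounts VALUES (?, ?)", rows)
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation: input becomes SQL syntax."""
    query = ("SELECT username FROM accounts WHERE username = '" + username +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    return [r[0] for r in db.execute(query)]

def login_hardened(db, username, password):
    """Binds input as parameters: the driver never parses it as SQL."""
    query = "SELECT username FROM accounts WHERE username = ? AND pw_hash = ?"
    return [r[0] for r in db.execute(query, (username, hash_pw(password)))]

# Constructed input: a quote closes the string literal and a comment
# marker discards the password check that follows it.
CRAFTED_USERNAME = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    # Concatenated query matches every row although no password is known.
    print("vulnerable:", login_vulnerable(db, CRAFTED_USERNAME, "x"))
    # Parameterized query treats the same input as a literal username.
    print("hardened:  ", login_hardened(db, CRAFTED_USERNAME, "x"))
```

Automated scanners look for exactly the first pattern; the second gives them nothing to inject into, regardless of how the site was discovered.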
Sqlmap is valuable for red teams because it makes SQL injection easy. The application can handle everything from finding vulnerable fields to generating malicious SQL code, as well as everything in between. It can even help you export or delete data from a compromised database. Here’s how to get started.
Step One: Find a Vulnerable Form
One of the most useful parts of sqlmap is its ability to find vulnerable forms within a website automatically. For example, you can use sqlmap to run a simple “http get” command on your target domain while also specifying a kind of input form to look for. After receiving this command, sqlmap will crawl the target domain, find out if it is protected by firewalls, find injectable forms, identify the databases behind the forms, and then identify the specific commands that will unlock them.
If you’re worried about detection, you can also make this process more specific. For example, let’s say that you’ve used a different method to find a web page containing a vulnerable input – Google dorking is a popular technique. Here, you can use sqlmap to interrogate the form directly and find out how many databases are linked to the vulnerable input, as well as what kind of database they are and what commands can manipulate them.
Step Two: Exfiltrate Data
Sqlmap stores the data it learns about websites. To obtain information about a vulnerable site that you mapped using the “http get” command, all you need to do is target sqlmap at that site once again, this time appending the “tables” command.
This will give you the name of each table stored within the databases behind a vulnerable input. For instance, you might find a table called “users,” or “accounts,” or “credentials.” These are all tables that a hacker – or a red team member – would be very interested to examine.
To find the contents of a table, extend your command with “-T” plus the name of the table you’re interested in – for example “-T accounts.” Adding the “--dump” command will cause sqlmap to export all the data you’ve found and save it in an Excel file for your perusal.
Congratulations! The file you found is full of passwords – but they’re hashed. No matter. You can certainly use a dedicated hash cracking tool to unscramble the passwords, but sqlmap has a built-in hash cracking tool if you’re impatient. Feel like there’s more information deeper into the network? You can even use sqlmap to get shell, meaning that you can insert data into the table.
(WARNING: unless you are very confident in your skills as a red team member, you should probably stop once you have shell – without inserting anything – as chances are good that you could delete or corrupt the database entirely).
Use Safe-T to Protect Against SQL Injection
It is absolutely unnerving to consider how easy it is to use a free tool like sqlmap to penetrate websites. With no special skills, and using only the advice found in online tutorials, a relatively unskilled attacker can do real damage to an undefended business.
As you’ll notice, however, the power of this tool (and others like it) all starts with its ability to map sites. Point it at a URL and off it goes, with options that give it a good chance of avoiding web application firewalls. That’s where Safe-T comes in. Our solution hides your network from traditional reconnaissance, preventing these tools from working easily. Without this level of ease, most hackers will simply move on. Want to learn more? Contact Safe-T today!