Thursday, May 26, 2005

CodeAsDocumentation by Martin Fowler

Here is the link. I agree with his opinions.

Tuesday, May 24, 2005

The Main Threats To A Web Server

The main threats to a Web server are:

  • Profiling
  • Denial of service
  • Unauthorized access
  • Arbitrary code execution
  • Elevation of privileges
  • Viruses, worms, and Trojan horses

See Securing Your Web Server for more detail.

Monday, May 23, 2005

Some Useful nslookup Commands

nslookup:

// SOA record
> set type=SOA
> targetdomain.com

// zone transfer
> server DnsServer // set default server
> ls -d targetdomain.com

// name servers
> set q=ns
> targetdomain.com

// host address
> set q=a
// for IPv6 records > set q=aaaa
> host.targetdomain.com

// reverse lookup
> set q=ptr
> IpAddress // PTR queries take the host's IP address, not its name

// mail server
> set q=mx
> targetdomain.com

// host info - don't employ them
> set q=hinfo
> targetdomain.com

// txt info
> set q=txt
> targetdomain.com

// services
> set q=srv
> targetdomain.com

// where services are located
> ls -t SRV targetdomain.com

// some useful commands
> _ldap._tcp.dc._msdcs
> _ldap._tcp.pdc._msdcs
> _ldap._tcp.gc._msdcs
> _kerberos._tcp.dc._msdcs
> _gc._tcp
> _ldap._tcp
> _kpasswd._tcp
> _kerberos._tcp

nslookup can only use the DNS (not NetBIOS) resolver to obtain info, but Ping can use all available methods.

Phases of SQL Injection

Phases of SQL injection

1. Locating SQL injection vulnerabilities
2. Reverse engineering the vulnerable SQL query
3. Getting the results of arbitrary SQL queries
4. Enumeration of privileges
5. Penetration of infrastructure

Adapted from Susan Young and Dave Aitel's book The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks

Thursday, May 19, 2005

Hacking the Windows SMB tutorial

Hacking the Windows SMB tutorial shows you how to hack the Windows SMB and how to prevent it. Good tutorial!

Well-known Ports

The following is a list of well-known ports often used:

  • 20 // FTP data channel
  • 21 // FTP control channel
  • 23 // Telnet
  • 25 // SMTP
  • 53 // Connection-oriented DNS (resolution is on UDP 53); zone transfer
  • 69 // tftp.exe
  • 80
  • 88 // Kerberos
  • 88 // Internet Key Exchange (IKE)
  • 110 // POP3 (Mail)
  • 123 // Network Time Protocol
  • 135 // DCE Endpoints
  • 137 // NETBIOS Name Service
  • 138 // NETBIOS Datagram Service
  • 139 // SMB; NetBIOS session
  • 161 // SNMP
  • 389 // LDAP
  • 443
  • 445 // Common Internet File System / native SMB on Windows 2000 and higher
  • 500 // isakmp
  • 636 // LDAP over SSL
  • 1025 // Network blackjack
  • 1433 // SQL Server listens on TCP port 1433
  • 1434 // SQL Server uses UDP port 1434 for client-server negotiation
  • 1723 // PPTP
  • 1801 // MSMQ
  • 2393 // MS OLAP 1
  • 2394 // MS OLAP 2
  • 2725 // MS OLAP PTP2
  • 3268 // MS Global Catalog
  • 3269 // MS Global Catalog with LDAP/SSL
  • 3389 // RDP uses the TCP 3389 port
  • 3693 // IIS Administration Web Site port; often blocked, I guess

I'll update the lists.

Wednesday, May 18, 2005

System.DirectoryServices

I took a very very brief look at the book Pro .Net Directory Services Programming. I knew before that .NET Directory Services is on top of ADSI. About one month ago, I was trying to access the properties of a virtual directory programmatically and found that I was able to do that using System.DirectoryServices. That's why I bought this book and tried to see what System.DirectoryServices covers.

I like the sample code (downloadable from www.apress.com). It covers all the mmc snap-ins related to Active Directory and provides even more.

BTW, I learned that a group is a leaf object in AD.

Sunday, May 15, 2005

Find Other Procedures Using the Same DLL

First get the dll.

select o.name,c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and o.name = 'xp_cmdshell'

Second, find the other extended stored procs using that same dll.

select o.name,c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and c.text = 'xplog70.dll'

This is from SQL Server Security Checklist.

Wednesday, May 11, 2005

The Main Threats To A Database Server

The main threats to a database server are:
  • SQL injection
  • Network eavesdropping
  • Unauthorized server access
  • Password cracking

See Securing Your Database Server for more detail. I didn't pay attention to network eavesdropping before. To counter network eavesdropping:

  • Use Windows authentication to connect to the database server to avoid sending credentials over the network.
  • Install a server certificate on the database server. This results in the automatic encryption of SQL credentials over the network.
  • Use an SSL connection between the Web server and database server to protect sensitive application data. This requires a database server certificate.
  • Use an IPSec encrypted channel between Web and database server.

I need to dig more on the last three countermeasures.

Tuesday, May 10, 2005

Some Common SQL Injection Commands

The following are some common SQL injection commands:
  • ' Or 1=1 --
  • ' UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' --
  • ' UNION SELECT 0, UserName, Password, 0 FROM Users --
  • '; UPDATE Products SET UnitPrice = 0.01 WHERE ProductId = 1--
  • xp_cmdshell "net localgroup administrators"

The same technique might be used to execute a DROP TABLE statement or to execute a system stored procedure that creates a new user account and adds that user to the sysadmin role.

SQL injection attacks are possible because the SQL language contains a number of features that make it quite powerful and flexible, namely:

  • The ability to embed comments in a SQL statement using a pair of hyphens
  • The ability to string multiple SQL statements together and to execute them in a batch
  • The ability to use SQL to query metadata from a standard set of system tables

Most of this post is adapted from Stop SQL Injection Attacks Before They Stop You.

Monday, May 09, 2005

Preventing SQL Injection Attacks

The following principles and implementations are adapted from Paul Litwin's article Stop SQL Injection Attacks Before They Stop You.

Principles:
  • Never trust user input
  • Never use dynamic SQL
  • Never connect to a database using an admin-level account
  • Don't store secrets in plain text
  • Exceptions should divulge minimal information

The corresponding implementations are:

  • Validate all textbox entries using validation controls, regular expressions, code, and so on
  • Use parameterized SQL or stored procedures
  • Use a limited access account to connect to the database
  • Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings
  • Don't reveal too much information in error messages; use customErrors to display minimal information in the event of an unhandled error; set debug to false
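
An added example, not from Paul Litwin's article or this blog: the "use parameterized SQL" implementation next to the dynamic SQL it replaces, run against the ' Or 1=1 -- input from the list of common injection commands and against a legitimate name containing an apostrophe. It assumes Python's sqlite3 as a stand-in for SQL Server; the Users rows and all function names are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data: the "Users" table name follows the article's
    # example, the rows are invented for this demo.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("alice", "pw-hash-1"), ("o'brien", "pw-hash-2")])
    return db

def find_dynamic(db, name):
    # Dynamic SQL (the "before"): input becomes part of the statement text,
    # so a quote in it closes the string literal and "--" comments out the rest.
    sql = "SELECT UserName FROM Users WHERE UserName = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    # Parameterized SQL: the driver binds the input as a value, so quotes and
    # "--" inside it are never parsed as SQL.
    sql = "SELECT UserName FROM Users WHERE UserName = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def lookup(db, name, finder):
    # Minimal error disclosure: callers get a generic message, not the
    # database error text (the role customErrors plays in ASP.NET).
    try:
        return finder(db, name)
    except sqlite3.Error:
        return "lookup failed"

if __name__ == "__main__":
    db = make_db()
    for value in ["alice", "' OR 1=1 --", "o'brien"]:
        print(repr(value),
              "dynamic:", lookup(db, value, find_dynamic),
              "parameterized:", lookup(db, value, find_parameterized))
```

The dynamic version returns every row for the injected input and fails outright on the legitimate name o'brien, while the parameterized version returns no rows for the first and exactly one row for the second.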