vapt unit-5

This document discusses penetration testing tools and database security measures, highlighting techniques to identify vulnerabilities and protect sensitive data. It covers tools like Traceroute, NeoTrace, and WhatWeb, as well as access control mechanisms, inference control, and multi-level database security. The content emphasizes the importance of both offensive and defensive strategies in safeguarding network and database systems.

Uploaded by

Roza Sophia

Penetration Tools and Database Security

This chapter explores tools and techniques used in penetration testing to identify vulnerabilities
in network and database systems, alongside methods to secure databases against unauthorized
access, data breaches, and inference attacks. Penetration tools simulate real-world attacks to
uncover weaknesses, while database security measures protect sensitive data through access
controls, inference prevention, and hierarchical security models. The subtopics cover both
offensive (penetration testing) and defensive (security controls) perspectives, critical for
understanding how to assess and safeguard systems.

1. Trace Routes

Overview:

• Purpose: Traceroute is a network diagnostic tool that maps the path packets take from a source to a destination across a network, identifying each router (hop) along the way.
• Operation: Sends probes (ICMP Echo Requests, or UDP or TCP packets depending on the implementation) with incrementally increasing Time-to-Live (TTL) values. Each router decrements the TTL; when it reaches zero, that router replies with an ICMP Time Exceeded message, otherwise it forwards the packet until it reaches the destination, which answers the probe itself.
• Use Case: Used in penetration testing for network reconnaissance to understand topology, identify routers, and detect potential entry points.
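The TTL mechanism described above, as an added simulation that is not part of the original notes: each probe is forwarded hop by hop, the router where the TTL hits zero answers with ICMP Type 11, and one hop is configured to drop that reply, which is how a filtered router shows up as "* * *". All addresses are constructed.

```python
# Added example, not from the original notes: a simulation of the TTL mechanism
# traceroute relies on, with a hop whose firewall drops ICMP Type 11 (Time
# Exceeded) to show why it appears as "* * *". Addresses are constructed.
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0        # destination answers the probe itself
ICMP_TIME_EXCEEDED = 11    # sent by the router where TTL hit zero

@dataclass
class Router:
    ip: str
    answers_time_exceeded: bool = True   # False: ICMP Type 11 filtered

def forward(path, ttl, dst):
    """One probe through the path. Each router decrements TTL; at zero it either
    replies with Time Exceeded or (if filtered) drops the packet silently.
    Returns (responder, icmp_type) or None for a timeout."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.answers_time_exceeded:
                return router.ip, ICMP_TIME_EXCEEDED
            return None
    return dst, ICMP_ECHO_REPLY      # TTL survived every hop: destination replies

def traceroute(path, dst, max_hops=30):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, ttl, dst)
        if reply is None:
            hops.append((ttl, "* * *"))
            continue
        responder, icmp_type = reply
        hops.append((ttl, responder))
        if icmp_type == ICMP_ECHO_REPLY:
            break
    return hops

# Constructed path: the second hop drops ICMP Time Exceeded, as a firewall
# configured per the mitigation list would.
SAMPLE_PATH = [
    Router("192.0.2.1"),
    Router("198.51.100.7", answers_time_exceeded=False),
    Router("203.0.113.9"),
]

def demo():
    return traceroute(SAMPLE_PATH, "203.0.113.80")

if __name__ == "__main__":
    for ttl, who in demo():
        print(f"{ttl:2d}  {who}")
```

Note that the filtered hop hides its own address but does not stop the trace: the next TTL value still reaches the router behind it.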

Role in Penetration Testing:

• Traceroute helps pentesters map a target’s network infrastructure, revealing IP addresses, autonomous systems (AS), and geographic locations of routers.
• Identifies bottlenecks, misconfigured devices, or firewalls that might be exploited.
• Example: A pentester uses traceroute to discover an organization’s DMZ or publicly exposed servers.

Vulnerabilities Exposed:

• Information Disclosure: Reveals network topology, router IPs, and ISP details, aiding attackers in planning targeted attacks.
• Firewall Misconfigurations: Some routers respond to ICMP despite policies against it, exposing their presence.
• DoS Potential: Flooding traceroute packets can stress routers, though this is rare.

Tools and Techniques:

• Traceroute (Linux/Mac): The command traceroute example.com lists hops with latency.
• Tracert (Windows): The command tracert example.com performs the same function.
• MTR: Combines traceroute and ping for continuous monitoring.
• Attack Scenario: A pentester runs traceroute -I 10.0.0.1 (ICMP mode) to map a corporate network, identifying a vulnerable router at hop 5.

Mitigations:

• Block ICMP Responses: Configure firewalls to drop ICMP Type 11 (Time Exceeded) and Type 8 (Echo Request) unless necessary.
• Network Segmentation: Hide internal topology by using NAT or VLANs.
• Rate Limiting: Limit traceroute-related traffic to prevent abuse.
• Obfuscate Router Info: Disable router banners or use private IPs for internal hops.

Relevance to Database Security:

• Traceroute identifies network paths to database servers, helping pentesters locate exposed systems (e.g., a MySQL server on a public IP).
• Defenders use it to audit network exposure, ensuring databases are behind firewalls or in private subnets.

Exam Tip:

• Memorize the difference: Traceroute (Unix) vs. Tracert (Windows).
• Understand ICMP’s role (Type 11 for hops, Type 8/0 for ping).
• Practice explaining how topology disclosure aids attackers and how to block ICMP.

2. NeoTrace

Overview:

• Purpose: NeoTrace (discontinued, but historically significant) was a graphical traceroute tool that visualized network paths with a user-friendly interface, integrating geolocation and WHOIS data.
• Operation: Combined traceroute functionality with DNS lookups, mapping IPs to physical locations and organizations on a world map.
• Use Case: Used by pentesters and network admins in the 1990s–2000s for reconnaissance and troubleshooting.

Role in Penetration Testing:

• NeoTrace enhanced traceroute by providing visual insights into network paths, making it easier to identify key routers or servers.
• Its geolocation feature helped pentesters correlate IPs with physical locations, useful for social engineering or targeted attacks.
• Example: A pentester uses NeoTrace to trace a path to a bank’s server, noting a router in a third-party ISP as a potential weak link.

Vulnerabilities Exposed:

• Topology Leakage: Like traceroute, it revealed network structure, IPs, and ASNs.
• Geolocation Risks: Exposed server locations, aiding physical or regional attacks.
• Outdated Software: NeoTrace’s old versions had unpatched flaws, potentially compromising the pentester’s system.

Tools and Techniques:

• NeoTrace Pro: The commercial version offered advanced features like packet capture and exportable reports.
• Modern Alternatives: Tools like VisualRoute, Open Visual Traceroute, or SolarWinds Traceroute NG replicate NeoTrace’s functionality.
• Attack Scenario: A pentester maps a path to a database server, using NeoTrace’s WHOIS data to identify an admin’s email for phishing.

Mitigations:

• Hide Network Details: Use private IPs and disable ICMP responses.
• Firewall Rules: Block traceroute probes (ICMP, UDP, or TCP SYN).
• Geolocation Privacy: Avoid exposing server locations in DNS or WHOIS.
• Use Modern Tools: Replace NeoTrace with updated, secure alternatives.

Relevance to Database Security:


• NeoTrace’s ability to pinpoint database server locations helped pentesters assess physical and network exposure.
• Defenders used it to verify that database servers were not directly reachable from the internet.

Exam Tip:

• Note NeoTrace’s obsolescence; focus on its historical role in visualization.
• Compare to traceroute: NeoTrace added a GUI and geolocation.
• Be ready to discuss why visual tools are useful in reconnaissance.

3. WhatWeb

Overview:

• Purpose: WhatWeb is an open-source web scanner that identifies technologies used by websites, including web servers, CMS, frameworks, and plugins.
• Operation: Sends HTTP requests, analyzes responses (headers, HTML, cookies), and matches signatures against a database of known technologies.
• Use Case: Used in penetration testing to fingerprint web applications and identify vulnerabilities in their components.

Role in Penetration Testing:

• WhatWeb helps pentesters enumerate a web server’s stack (e.g., Apache, WordPress, jQuery) to find outdated or vulnerable software.
• Useful for scoping attacks against web interfaces of database systems (e.g., phpMyAdmin).
• Example: A pentester runs WhatWeb to discover a site using Drupal 7, known for SQL injection flaws.

Vulnerabilities Exposed:

• Version Disclosure: Reveals software versions (e.g., Apache 2.4.29), enabling targeted exploits.
• Misconfigured Web Apps: Identifies exposed admin panels or default configs.
• Plugin Vulnerabilities: Detects outdated plugins (e.g., WordPress Yoast SEO <1.7) with known CVEs.
• Database Exposure: Finds web-based database tools (e.g., MySQL Admin) with weak security.

Tools and Techniques:

• WhatWeb Command: whatweb example.com -v for verbose output, listing technologies and versions.
• Plugins: Supports aggressive mode (--aggression 3) to probe deeper, increasing detection accuracy.
• Attack Scenario: A pentester uses whatweb --log-json target.com to identify a vulnerable Joomla version, then exploits it to access a linked MySQL database.
• Alternatives: Wappalyzer (browser-based), Nikto, or Burp Suite’s scanner.

Mitigations:

• Hide Server Banners: Configure servers to suppress version info (e.g., Apache’s ServerTokens Prod).
• Patch Management: Update CMS, frameworks, and plugins regularly.
• Web Application Firewall (WAF): Blocks fingerprinting attempts (e.g., Cloudflare, ModSecurity).
• Disable Admin Interfaces: Restrict database management tools to internal networks.
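The header, cookie and HTML matching described under Operation, and the effect of the banner-hiding mitigation above, as an added example. This is not WhatWeb’s own code: it is a small fingerprint check in the same style, run over two constructed HTTP responses for the same site, before and after banner suppression, so a defender can see which findings still carry an exact version.

```python
# Added example, not WhatWeb's own code: a small header/HTML fingerprint in the
# style WhatWeb uses (Server and X-Powered-By headers, session cookie, HTML
# generator tag), applied here to audit a site's own responses for version leaks.
# Both HTTP responses below are constructed for the example.
import re

# "Apache/2.4.29", "PHP/7.2.24" and "WordPress 5.2" all match product + version
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)*)")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                "ASP.NET_SessionId": "ASP.NET"}

def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def fingerprint(raw):
    """Return a list of (evidence, product, version-or-None) findings."""
    _, headers, body = parse_response(raw)
    findings = []
    for h in ("server", "x-powered-by"):
        if h not in headers:
            continue
        matches = PRODUCT_RE.findall(headers[h])
        findings += [(h, prod, ver) for prod, ver in matches]
        if not matches:                       # banner present but no version
            findings.append((h, headers[h], None))
    cookie = headers.get("set-cookie", "")
    for name, product in COOKIE_HINTS.items():
        if cookie.startswith(name + "="):
            findings.append(("set-cookie", product, None))
    gen = GENERATOR_RE.search(body)
    if gen:
        findings += [("meta generator", p, v) for p, v in PRODUCT_RE.findall(gen.group(1))]
    return findings

def version_leaks(raw):
    """Defender's check: findings that disclose an exact version (the ones a
    pentester would map to CVEs). An empty list means banners are suppressed."""
    return [f for f in fingerprint(raw) if f[2] is not None]

LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 5.2"></head></html>'
)
# Same site after ServerTokens Prod, expose_php = Off and the generator tag removed
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n\r\n<html><head></head></html>"
)
```

The hardened response still fingerprints as Apache and PHP (the cookie name gives PHP away), which is the point of the mitigation: banner hiding removes exact versions, not the product itself.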

Relevance to Database Security:

• Many databases are managed via web interfaces (e.g., phpMyAdmin, Mongo Express). WhatWeb identifies these, exposing potential attack vectors.
• Defenders use it to audit their web stack, ensuring no vulnerable components link to databases.

Exam Tip:

• Memorize WhatWeb’s purpose: fingerprinting web technologies.
• Focus on version disclosure and WAF mitigation.
• Practice explaining how it leads to database attacks via web apps.

4. Access Control in Database Systems

Overview:

• Purpose: Access control restricts who can view or modify database resources, ensuring only authorized users access sensitive data.
• Operation: Implemented via authentication (verifying identity) and authorization (defining privileges), enforced by the DBMS.
• Use Case: Protects customer records, financial data, or intellectual property in systems like MySQL, Oracle, or PostgreSQL.

Mechanisms and Models:

• Authentication: Verifies users via passwords, biometrics, or multi-factor authentication (MFA).
• Authorization Models:
  o Discretionary Access Control (DAC): Data owners set permissions (e.g., GRANT SELECT ON table TO user).
  o Mandatory Access Control (MAC): Enforces system-wide policies based on security labels (e.g., classified, unclassified).
  o Role-Based Access Control (RBAC): Assigns permissions to roles (e.g., admin, user), not individuals.
• Granularity: Controls at database, table, row, or column level (e.g., SELECT privilege on specific columns).

Vulnerabilities:

• Weak Authentication: Default credentials (e.g., root/root in MySQL) or reused passwords enable unauthorized access.
• Excessive Privileges: Users with unnecessary rights (e.g., DROP TABLE) can cause damage.
• Privilege Escalation: Exploiting flaws to gain admin access (e.g., via SQL injection).
• Shared Accounts: Lack of individual accountability increases insider threat risks.
• Misconfigured RBAC: Overlapping roles lead to unintended access.

Penetration Testing Context:

• Pentesters test access controls by attempting to bypass authentication (e.g., brute force) or escalate privileges (e.g., exploiting GRANT misconfigs).
• Tools: SQLMap (for injection), Hydra (for brute force), or custom scripts to enumerate user privileges.
• Example: A pentester finds a MySQL server with admin/admin, granting full access to all tables.

Mitigations:

• Strong Authentication: Enforce complex passwords, MFA, and biometrics.
• Least Privilege Principle: Grant minimal permissions (e.g., SELECT only, not ALTER).
• RBAC Implementation: Use roles to simplify management (e.g., CREATE ROLE analyst; in PostgreSQL).
• Regular Audits: Review user accounts and privileges (e.g., SELECT * FROM dba_users in Oracle).
• Account Lockout: Limit login attempts to prevent brute force.
• Encryption: Secure credentials in transit (e.g., TLS for database connections).

Real-World Example:

• In 2019, a Capital One breach exposed 100M records due to misconfigured access controls on an AWS-hosted database, allowing an attacker to extract data via a web application firewall flaw.

Exam Tip:

• Compare DAC, MAC, RBAC with examples (e.g., DAC: user grants; MAC: labels; RBAC: roles).
• Focus on least privilege and audit importance.
• Practice explaining privilege escalation via SQL injection.

5. Inference Control

Overview:

• Purpose: Prevents unauthorized users from deducing sensitive data by analyzing non-sensitive or aggregate data.
• Operation: Controls query results to block inference channels, where patterns or correlations reveal restricted information.
• Use Case: Protects statistical databases (e.g., census data) or employee records where averages or counts could expose individual details.

Mechanisms:

• Query Restriction: Limits queries returning small datasets (e.g., <5 records) to prevent pinpointing individuals.
• Data Perturbation: Adds noise to results (e.g., rounding averages) to obscure exact values.
• Suppression: Hides sensitive fields or rows entirely.
• Anonymization: Removes identifiable data (e.g., replacing names with IDs).

Vulnerabilities:

• Inference Attacks: Attackers combine authorized queries to deduce restricted data.
  o Example: Querying average salaries by department and knowing one employee’s details reveals another’s.
• Statistical Disclosure: Aggregate queries (e.g., SUM, COUNT) expose trends leading to individual data.
• Correlated Data: Visible fields (e.g., years of service) correlate with hidden ones (e.g., salary).
• External Knowledge: Attackers use public data (e.g., LinkedIn) to enhance inference.

Penetration Testing Context:

• Pentesters simulate inference attacks by issuing multiple queries to deduce hidden data.
• Example: Query SELECT AVG(salary) FROM employees WHERE dept='HR' before and after a known hire to infer the new salary.
• Tools: Custom SQL scripts or statistical analysis tools (e.g., R, Python).

Mitigations:

• Query Set Size Control: Reject queries returning too few or too many records.
• Noise Addition: Randomize outputs (e.g., differential privacy techniques).
• De-Identification: Remove or generalize identifiers (e.g., change “25 years old” to “20–30”).
• Audit Queries: Log and analyze user queries for inference patterns.
• Access Restrictions: Limit statistical queries to trusted roles.
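The AVG(salary) before-and-after inference from the Penetration Testing Context above, followed by the Query Set Size Control and rounding (perturbation) mitigations, as an added worked example that is not part of the original notes. It uses an in-memory SQLite table with constructed employee data; MIN_QUERY_SET and ROUND_TO are assumed policy values.

```python
# Added example, not from the original notes: an in-memory SQLite "statistical
# database" reproducing the AVG-salary tracker from the notes, then the same
# query behind two controls (query set size restriction and rounding).
# All employee data is constructed.
import sqlite3

MIN_QUERY_SET = 5     # reject aggregates computed over fewer rows than this
ROUND_TO = 1000       # perturbation: report averages to the nearest 1000

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("alice", "HR", 52000), ("bob", "HR", 61000), ("carol", "HR", 58000),
        ("dan", "IT", 70000), ("erin", "IT", 80000), ("frank", "IT", 75000),
        ("gina", "IT", 65000), ("hank", "IT", 90000),
    ])
    return db

def hire(db, name, dept, salary):
    db.execute("INSERT INTO employees VALUES (?, ?, ?)", (name, dept, salary))

def avg_salary_unrestricted(db, dept):
    """The authorized aggregate query as the notes describe it: (average, count)."""
    return db.execute("SELECT AVG(salary), COUNT(*) FROM employees WHERE dept = ?",
                      (dept,)).fetchone()

def infer_hire_salary(before, after):
    """Inference channel: with exact averages and counts before and after a known
    hire, the new employee's salary is simply the change in the department total."""
    avg_b, n_b = before
    avg_a, n_a = after
    return round(avg_a * n_a - avg_b * n_b)

def avg_salary_controlled(db, dept):
    """Inference-controlled version: refuse small query sets and round the result,
    so the before/after difference only bounds the new salary to an interval."""
    avg, n = avg_salary_unrestricted(db, dept)
    if n < MIN_QUERY_SET:
        raise PermissionError(f"query set too small ({n} < {MIN_QUERY_SET})")
    return ROUND_TO * round(avg / ROUND_TO)

def demo_attack():
    """HR has 3 people; a known hire at 63000 is recovered exactly."""
    db = build_db()
    before = avg_salary_unrestricted(db, "HR")      # (57000.0, 3)
    hire(db, "ivy", "HR", 63000)
    after = avg_salary_unrestricted(db, "HR")       # (58500.0, 4)
    return infer_hire_salary(before, after)         # 63000

def demo_controlled():
    """Same attack against the controlled query: HR is refused outright, and
    IT's rounded averages no longer reveal the exact new salary."""
    db = build_db()
    try:
        avg_salary_controlled(db, "HR")
        hr_result = "allowed"
    except PermissionError as exc:
        hr_result = str(exc)
    before = avg_salary_controlled(db, "IT")        # 76000
    hire(db, "ivy", "IT", 83000)
    after = avg_salary_controlled(db, "IT")         # 77000
    return hr_result, before, after
```

Rounding alone only widens the attacker’s estimate (82000 instead of 83000 here), which is why the notes pair it with query set size limits and query auditing rather than relying on one control.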

Real-World Example:

• In 2006, AOL’s release of “anonymized” search data allowed researchers to infer user identities by correlating queries, highlighting inference risks.

Exam Tip:

• Define inference: deducing sensitive data from non-sensitive queries.
• Memorize types: identity disclosure (who) vs. attribute disclosure (what).
• Practice explaining perturbation vs. suppression with examples.

6. Multi-Level Database Security

Overview:

• Purpose: Enforces security policies across data with different sensitivity levels (e.g., public, confidential, top secret) in a single database.
• Operation: Uses Mandatory Access Control (MAC) with security labels to segregate data and enforce access based on clearance levels.
• Use Case: Common in government, military, or healthcare systems where data classification is critical.

Mechanisms:

• Security Labels: Assigns levels (e.g., unclassified, secret) to subjects (users) and objects (tables, rows).
• Bell-LaPadula Model: Governs read/write access:
  o No read-up: Users can’t read data above their clearance.
  o No write-down: Users can’t write to lower levels, which prevents leaks.
• Polyinstantiation: Allows multiple versions of data at different levels (e.g., a “public” vs. “secret” employee record).
• Trusted DBMS: Systems like Oracle Label Security or IBM DB2 MAC enforce these policies.
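The label-based Bell-LaPadula rules and polyinstantiation described above, as an added example that is not part of the original notes and not the code of any trusted DBMS: a minimal in-memory table that refuses read-up and write-down, and keeps one row instance per label so that a lower-cleared writer neither overwrites nor learns of the higher-labelled row. The level lattice and the employee records are constructed.

```python
# Added example, not from the original notes: a minimal multi-level table that
# enforces Bell-LaPadula (no read-up, no write-down) on row labels and uses
# polyinstantiation so a lower-level write never collides with, or reveals,
# a higher-level row for the same key. Levels and records are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(a, b):
    """True if clearance/label a is at or above level b."""
    return LEVELS[a] >= LEVELS[b]

class MLSTable:
    def __init__(self):
        self.rows = {}   # (key, label) -> record: one instance per level

    def read(self, clearance, key):
        """No read-up: only instances whose label is dominated by the clearance
        are visible; the highest of those is returned."""
        visible = [(label, rec) for (k, label), rec in self.rows.items()
                   if k == key and dominates(clearance, label)]
        if not visible:
            return None       # looks like "no such row" to the low subject
        return max(visible, key=lambda item: LEVELS[item[0]])[1]

    def write(self, clearance, key, record, label=None):
        """No write-down: the row label must dominate the subject's clearance.
        A write at a key that already exists at a higher level silently
        polyinstantiates instead of failing, since a failure would leak existence."""
        label = label or clearance
        if not dominates(label, clearance):
            raise PermissionError(f"write-down from {clearance} to {label} denied")
        self.rows[(key, label)] = record

def write_denied(table, clearance, key, label):
    """Helper for checks: True if the write is rejected by the no-write-down rule."""
    try:
        table.write(clearance, key, {}, label)
        return False
    except PermissionError:
        return True

def demo():
    """The two-record employee scenario from the notes."""
    t = MLSTable()
    t.write("secret", "emp-42", {"name": "J. Doe", "assignment": "liaison, site B"})
    low_view = t.read("confidential", "emp-42")                 # None: no read-up
    t.write("confidential", "emp-42", {"name": "J. Doe", "assignment": "payroll"})
    return (low_view,
            t.read("confidential", "emp-42")["assignment"],     # "payroll"
            t.read("secret", "emp-42")["assignment"],           # secret instance
            t.read("top secret", "emp-42")["assignment"])       # reads down to secret
```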

Vulnerabilities:

• Label Misassignment: Incorrect classification exposes sensitive data.
• Covert Channels: Indirect data leaks via system resources (e.g., CPU usage patterns).
• Complexity Errors: Misconfigured policies allow unauthorized access.
• Inference Risks: Lower-level queries deduce higher-level data (ties to inference control).

Penetration Testing Context:


• Pentesters attempt to bypass MAC by exploiting mislabeled data or escalating clearance.
• Example: A pentester with “confidential” access tries to read “secret” rows via a misconfigured view.
• Tools: SQL queries to test label enforcement, or fuzzing to find covert channels.

Mitigations:

• Correct Labeling: Audit and validate security labels regularly.
• Polyinstantiation: Use to hide sensitive data from lower levels.
• Trusted Platforms: Deploy DBMS with certified MAC (e.g., SELinux integration).
• Monitor Covert Channels: Analyze system behavior for leaks.
• Training: Ensure admins understand multi-level policies.

Real-World Example:

• Military databases use multi-level security to store intelligence data, ensuring analysts with “secret” clearance can’t access “top secret” reports.

Exam Tip:

• Memorize Bell-LaPadula: no read-up, no write-down.
• Compare MAC vs. DAC: MAC is system-enforced, DAC is user-controlled.
• Practice explaining polyinstantiation with a scenario (e.g., two employee records).

Comprehensive Exam Preparation Strategy

1. Key Concepts:
   a. Trace Routes: Maps network paths, reveals topology; mitigated by ICMP filtering.
   b. NeoTrace: Visual traceroute, aids reconnaissance; obsolete but historically relevant.
   c. WhatWeb: Fingerprints web technologies; mitigated by banner hiding, WAFs.
   d. Access Control: Restricts database access via DAC/MAC/RBAC; focuses on least privilege.
   e. Inference Control: Prevents data deduction; uses perturbation, suppression.
   f. Multi-Level Security: Enforces MAC with labels; prevents leaks via Bell-LaPadula.
2. Study Aids:
   a. Flashcards:
      i. Traceroute: ICMP Type 11, hop-by-hop.
      ii. WhatWeb: --aggression levels, CMS detection.
      iii. Inference: Query size limits, noise addition.
   b. Diagrams:
      i. Traceroute: Source → Hop1 → Hop2 → Destination.
      ii. MAC: User (Secret) → Table (Secret) vs. Table (Top Secret).
   c. Comparison Table:

      Subtopic              Purpose                    Key Risk                  Mitigation
      --------------------  -------------------------  ------------------------  ---------------------------
      Trace Routes          Map network paths          Topology disclosure       Block ICMP
      NeoTrace              Visualize paths            Geolocation exposure      Use private IPs
      WhatWeb               Fingerprint web stack      Version vulnerabilities   Hide banners, WAF
      Access Control        Restrict database access   Privilege escalation      RBAC, MFA
      Inference Control     Prevent data deduction     Statistical disclosure    Perturbation, anonymization
      Multi-Level Security  Segregate sensitive data   Label misassignment       Bell-LaPadula, audits

3. Practice Questions:
   a. How does traceroute aid penetration testing, and what firewall rules block it?
   b. Why was NeoTrace effective for reconnaissance compared to traceroute?
   c. Explain how WhatWeb identifies a vulnerable phpMyAdmin instance.
   d. Compare DAC and RBAC in database access control with examples.
   e. Describe an inference attack scenario and two mitigations.
   f. How does polyinstantiation prevent data leaks in multi-level security?
4. Mnemonics:
   a. Traceroute: Tracks Routes Across Connected Endpoints.
   b. Access Control: Authenticate, Control, Confine, Enforce, Secure.
   c. Inference: Inferring Non-sensitive Fields Exposes Restricted Content.
5. Hands-On:
   a. Run traceroute google.com and analyze hops (use Wireshark to capture ICMP).
   b. Use WhatWeb (whatweb -v wordpress.com) to identify technologies.
   c. Simulate access control in MySQL: GRANT SELECT ON db.table TO 'user'@'localhost';
   d. Test inference in a lab: Query averages in a sample DB to deduce values.
