Finding Targets

The first step to attacking Sybase servers is locating them in the network. This section describes a number of techniques for locating Sybase servers.

Scanning for Sybase

As previously noted, Sybase normally listens on a number of well-known TCP ports — 5000, 5004, 8181, and 8182. It is very easy to configure Sybase to listen on different ports, but these well-known ports can be a big help. Port scanning tools such as Fyodor's Nmap (http://www.insecure.org/nmap/) are the best way to locate hosts with specific known open ports.

If you have remote registry access to Windows boxes in a network, it can be useful to check for ODBC data sources. Simply search

HKEY_LOCAL_MACHINE\Software\ODBC

for “SybaseServerName” and “NetworkAddress”, and you will see the hostnames, IP addresses, and TCP ports for any Sybase data sources that are configured on the host in question.
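The registry search above is easy to turn into an inventory check: export the ODBC tree from each Windows host and pick out every DSN that carries the two value names the text mentions. The following is an added example, not code from the book, that parses a `.reg` export offline. The sample export, its DSN names, server names and addresses are constructed; the only values taken from the text are SybaseServerName and NetworkAddress, and the "host,port" layout of NetworkAddress is an assumption about the Sybase ODBC driver.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format produced by `reg export HKLM\Software\ODBC odbc.reg`.
# DSN names, server names and addresses are hypothetical; the value names
# SybaseServerName and NetworkAddress are the ones the text says to search for.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\ODBC Data Sources]
"SalesDB"="Sybase ASE ODBC Driver"
"Reports"="SQL Server"

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\SalesDB]
"SybaseServerName"="SYB_SALES"
"NetworkAddress"="192.0.2.10,5000"

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\Reports]
"Server"="192.0.2.20"
'''

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name (lowercased): data}}.
    Only REG_SZ values are handled; that is all an ODBC DSN entry needs here."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside string data as "\\"
            sections[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return sections


def find_sybase_dsns(text: str) -> List[Dict[str, object]]:
    """Return every DSN under the ODBC tree that points at a Sybase server."""
    found: List[Dict[str, object]] = []
    for key_path, values in parse_reg_export(text).items():
        if "sybaseservername" not in values and "networkaddress" not in values:
            continue
        # NetworkAddress is assumed to be "host,port" for the Sybase ODBC driver
        host, _, port = values.get("networkaddress", "").partition(",")
        found.append({
            "dsn": key_path.rsplit("\\", 1)[-1],
            "server": values.get("sybaseservername", ""),
            "host": host.strip(),
            "port": int(port) if port.strip().isdigit() else None,
        })
    return found


if __name__ == "__main__":
    for entry in find_sybase_dsns(SAMPLE_REG_EXPORT):
        print(entry)
```

Run against a real export, the list it returns is the set of Sybase servers that host already knows how to reach, which is exactly what you want cross-checked against the port-scan results.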

LDAP queries can also help, if the organization has an LDAP infrastructure.

Sybase Version Numbers

Sybase responds to failed authentications with a packet that contains the major and minor version number of the server, so sniffing a failed authentication response packet will normally give you the version number. The packet looks something like this:

Ethernet Header
...
IP Header
...
TCP Header
    Source port: 5000
    Dest port:   1964
    Flags:       0x18 (ACK PSH)
...
Raw Data
    04 01 00 4e 00 00 00 00 ad 14 00 06 05 00 00 00    ( N )
    0a 73 71 6c 20 73 65 72 76 65 72 0c 05 00 00 e5    ( sql server )
    23 00 a2 0f 00 00 01 0e 05 5a ...
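The version number is not visible as text in that dump; it sits in the four bytes after the "sql server" string. The following is an added example, not code from the book, that decodes the raw-data bytes shown above using the TDS 5.0 LOGINACK token layout (token 0xAD, little-endian length, status byte, 4-byte TDS version, length-prefixed program name, 4-byte program version) and the TDS 5.0 status codes 5/6/7 for succeed/fail/negotiate; that layout and the reading of Sybase's message 4002 as the login-failed error are my assumptions for the example, not statements from the text. The sample packet is constructed from the dump's bytes and is truncated where the dump is.

```python
import struct
from typing import Dict

# Token ids and LOGINACK status values as used by the TDS 5.0 protocol (assumed here)
TDS_LOGINACK = 0xAD
TDS_EED = 0xE5          # extended error data; carries the login-failed message
LOGINACK_STATUS = {5: "succeed", 6: "fail", 7: "negotiate"}

# Constructed from the raw-data bytes in the dump above. The dump ends with "...",
# so the trailing EED token is cut short here exactly as it is on the page.
SAMPLE_RESPONSE = bytes.fromhex(
    "04 01 00 4e 00 00 00 00"                                   # TDS packet header
    "ad 14 00 06 05 00 00 00 0a 73 71 6c 20 73 65 72 76 65 72"  # LOGINACK ...
    "0c 05 00 00"                                               # ... program version 12.5.0.0
    "e5 23 00 a2 0f 00 00 01 0e 05 5a"                          # EED token (truncated)
)


def parse_login_response(pkt: bytes) -> Dict[str, object]:
    """Walk the tokens of a TDS 5.0 login response and extract what a
    fingerprinting pass needs: login status, product name, product version."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than the 8-byte TDS header")
    out: Dict[str, object] = {
        "packet_type": pkt[0],                                 # 0x04 = server response
        "declared_length": struct.unpack(">H", pkt[2:4])[0],   # header length is big-endian
        "truncated": False,
    }
    pos = 8
    while pos < len(pkt):
        token = pkt[pos]
        pos += 1
        if token not in (TDS_LOGINACK, TDS_EED):
            out["unparsed_token"] = token                      # stop at tokens we don't model
            break
        if pos + 2 > len(pkt):
            out["truncated"] = True
            break
        tlen = struct.unpack("<H", pkt[pos:pos + 2])[0]        # token lengths are little-endian
        pos += 2
        body = pkt[pos:pos + tlen]
        pos += tlen
        if len(body) < tlen:
            out["truncated"] = True                            # capture ended mid-token
        if token == TDS_LOGINACK and len(body) >= 6:
            out["login_status"] = LOGINACK_STATUS.get(body[0], body[0])
            out["tds_version"] = ".".join(str(b) for b in body[1:5])
            name_len = body[5]
            out["program"] = body[6:6 + name_len].decode("ascii", "replace")
            ver = body[6 + name_len:10 + name_len]
            if len(ver) == 4:
                out["program_version"] = ".".join(str(b) for b in ver)
                out["major"], out["minor"] = ver[0], ver[1]
        elif token == TDS_EED and len(body) >= 4:
            out["error_number"] = struct.unpack("<I", body[0:4])[0]  # 4002 = login failed
    return out


def fingerprint(pkt: bytes) -> str:
    """One-line summary suitable for an asset inventory or a detection alert."""
    r = parse_login_response(pkt)
    return "%s %s (TDS %s, login %s)" % (
        r.get("program"), r.get("program_version"), r.get("tds_version"), r.get("login_status"))


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

Fed the bytes from the dump, this reports the server as "sql server" version 12.5.0.0 speaking TDS 5.0 with a failed login, so the major and minor numbers the text refers to are the 0c 05 pair. On the defensive side the same parser, pointed at captured traffic on the ports listed earlier, tells you which ASE versions are actually answering on your network and lets you alert on bursts of login-failed responses.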

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
