DB outside of the main ToE

Hi Colleagues

I have the following doubt. In the project I'm assigned to, I have a database outside the main server. So I came across a service enumeration on that database server with nmap. Does that count as a finding? I think that service enumeration counts as a finding, since it can affect the integrity if someone enters that server. So the whole system is going to be compromised if the intrusion happens.

I have some questions for you:

  1. Did you really enumerate the database server with nmap? Or was it only the default port?
  2. Did you check the port to see if banner grabbing is possible?
  3. How do you compromise a server by knowing only the port that is open?
  4. How can you affect the integrity knowing the port?

I did the scan, and these are the services that are currently running.
Nmap scan report for xxx.xxx.xxx.xxx.xxx
Host is up (0.025s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
443/tcp open https
1433/tcp open ms-sql-s
1434/tcp open ms-sql-m
3306/tcp open mysql
5002/tcp open rfe
5432/tcp open postgresql
7443/tcp open oracleas-https
16000/tcp open fmsas
16001/tcp open fmsascon
16012/tcp open unknown
16016/tcp open unknown
16018/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: printer|game console|webcam|broadband router|print server|switch|WAP|specialized
Running (JUST GUESSING): HP embedded (92%), Microsoft embedded (91%), Denver Electronics embedded (90%), Nintendo embedded (89%), SMC embedded (89%), Netgear embedded (88%), NCR embedded (87%), Epson embedded (86%)
OS CPE: cpe:/h:hp:laserjet_4250 cpe:/h:denver_electronics:ac-5000w cpe:/h:nintendo:wii cpe:/h:smc:smc8014wg cpe:/h:hp:jetdirect_170x cpe:/h:hp:procurve_switch_2524 cpe:/h:netgear:wgr614v7 cpe:/h:epson:stylus_pro_400
Aggressive OS guesses: HP LaserJet 4250 printer (92%), Microsoft Xbox game console (modified, running XboxMediaCenter) (91%), Denver Electronics AC-5000W MK2 camera (90%), Nintendo Wii game console (89%), SMC SMC8014WG WAP (89%), HP 170X print server or Inkjet 3000 printer (89%), HP PSC 2400-series Photosmart printer (88%), HP ProCurve 2524 switch or 9100c Digital Sender printer (88%), Netgear WGR614v7 wireless broadband router (88%), NCR 5676 or 5688 automated teller machine (87%)
No exact OS matches for host (test conditions non-ideal).

I mean that the server can be compromised under ideal conditions, if the database can accept any remote IP. That's under those conditions. But it shows the services that are currently running.

That’s why I’ve asked…

Nmap only shows if the port is open or not; the fact that nmap says mysql 3306 is open doesn't mean that mysql is running on that port (it could be). Classifying nmap as a service enumerator is not correct; it's only a network/port scanner, and those services appear open because those ports are the default ports for those services. Nmap actually does banner grabbing using scripts, but for this output you didn't use them, and port/service enumeration is not a finding.

You need to check if those services are truly running there; check if you can make a connection like:

nc ip.ip.ip.ip port

Test for banner grabbing, search the code for credentials, or try the default ones.

If you can access those DB ports and make a connection, you surely can report FIN.S.0024. Improper network access control.

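As an added example (not code from the thread), here is the check the reply describes, done from Python instead of nc: parse the PORT/STATE/SERVICE lines of the scan above and try a plain connection to each open port, recording whether a listener accepted it and whether it sent a greeting. The host, the sample port list and the set of protocols that speak first are constructed assumptions for the illustration.

```python
import socket

# Constructed sample: a few PORT/STATE/SERVICE lines in the format nmap prints.
NMAP_OUTPUT = """\
PORT STATE SERVICE
443/tcp open https
3306/tcp open mysql
5432/tcp open postgresql
"""

# Assumed list of protocols whose server sends a greeting first, so 'nc host port'
# shows a banner. PostgreSQL, MSSQL and TLS wait for the client: silence there
# does not mean the service is absent, only that nc alone cannot identify it.
SERVER_SPEAKS_FIRST = {"mysql", "ssh", "ftp", "smtp"}

def parse_nmap_ports(text):
    """Return [(port, proto, nmap_label)] for lines in 'open' state."""
    ports = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and "/" in parts[0] and parts[1] == "open":
            port, proto = parts[0].split("/")
            ports.append((int(port), proto, parts[2]))
    return ports

def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect as nc would; return (connected, banner_bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(max_bytes)
            except socket.timeout:
                return True, b""  # accepted, but the service stayed silent
    except OSError:
        return False, b""  # refused or filtered: no reachable listener

def verify_ports(host, nmap_text, timeout=3.0):
    """Turn nmap's default-port labels into what a real connection showed."""
    results = {}
    for port, _proto, label in parse_nmap_ports(nmap_text):
        connected, banner = grab_banner(host, port, timeout)
        if not connected:
            verdict = "not reachable from here"
        elif banner:
            verdict = "listener answered with a banner"
        elif label in SERVER_SPEAKS_FIRST:
            verdict = "connected but silent: may not be " + label
        else:
            verdict = "connected; client must speak first to identify it"
        results[port] = (label, verdict, banner)
    return results
```

Only the "not reachable" verdict maps to the access-control question in the reply; the other verdicts say a listener accepted the connection and, at most, what it volunteered.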

Thanks for your advice and help. It worked. I actually did that netcat command with -v and I achieved the connection successfully.