0

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

COMPLETE, SELF-PACED, PRERECORDED

This course about database pentesting shows several ways to compromise a database in order to steal and modify data, or even put it out of order or destroy it. Hence, this course is going to cover several aspects of the most popular database systems such as Microsoft SQL server, Oracle Database, MySQL, PostgreSQL as a relational database and MongoDB as a NoSQL database.

You will learn about these database systems, their architecture, most common administration tasks, existing tools to use for every step in the pentest process and how to build your own tools.

Who is this course for? 

This course is intended for security staff and database administrators. It is also recommended for people who want to learn about database security and pentesting

Why take it NOW? 

Every day attackers target things that could affect your everyday life and work, from nuclear power plants to a simple washing machine in your house. As a security pro, these are the problems you are facing right now, and it will only get more serious from now on. You must protect the data managed by your IT infrastructure in order to maintain running your business processes and accomplish regulatory compliance.

Why this course? 

Databases are usually the core of every organization's IT infrastructure. Databases hold enterprise data and, therefore, in your security strategy, it’s key to maintain the security of databases.

Since in databases you can usually find the core data of most organizations, it is a must to know how to protect it from every kind of possible threat in order to maintain your business processes running and to guarantee its confidentiality. On the other hand, most of the data managed by databases concerns third party persons or companies so that we must ensure it is managed in such a way to be in compliance with regulatory rules defined for every kind of data.

Course benefits:

What skills will you gain? 

  • Basic database admin skills
  • Testing for databases
  • Pentesting a wide range of database solutions
  • Using a wide range of security tools
  • Database security
  • Creating your own security tools

What will you learn about? 

In this course, you will learn about databases, security concepts, how to hack a database and how to protect databases against security incidents.

Which tools will you use? 

  • Kali 
  • Sqlmap
  • Python and Scapy
  • Nmap
  • OWASP ZAP
  • Wireshark
  • Metasploit
  • Sqlplus (Oracle client)
  • JohnTheRipper
  • Sqlninja
  • Odat
  • Razorsql
  • Psql
  • Ncrack

Course general information: 

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What will you need? 

  • A desktop/laptop with a minimum of 8 GB RAM (16 GB recommended)
  • Virtualbox/VMware 
  • Kali Linux ISO
  • Ubuntu ISO
  • Oracle development OVA
  • MS SQL
  • Working internet connection

What should you know before you join? 

  • Basic knowledge about Kali and tools included, like Metasploit, nmap …
  • Basic knowledge of Python programing

Your instructor: Félix Castán

Working as a systems engineer since 1995, specialized in the implementation and management of high-end Unix systems (IBM, Sun / Oracle), storage systems, backup solutions and databases. For the last 10 years, my activity has been oriented to the design and implementation of disaster recovery solutions.

Studied computer engineering at the Polytechnic University of Madrid (1988-1994) and master in cybersecurity from the Camilo José Cela University.

Exim ethical hacking certified, IBM AIX certified and EMC storage implementation certified.

 

COURSE SYLLABUS

Module 1

Module 1: Building the course LAB

This module explains step by step how to prepare the LAB needed to follow this course.

  • LAB overview
  • Install VirtualBox in Linux
  • Install Kali Linux in Vbox 
  • Install Oracle in Vbox
  • Install and configure Oracle client in Kali
  • Install Windows system with MS SQL
  • Install Ubuntu server
  • Install mySQL, PostgreSQL and mongoDB in the Ubuntu system

Module exercises: 

  • Questions about lab installation activities

Module 1 workload: 3 hours

Module 2

Introduction to databases

In this section, we are going to talk about general concepts of databases, such as the physical and logical architecture, management tasks and how to access data in a database.

  • Databases in IT infrastructure
  • SQL basics
  • Python basics
  • General guide to database pentesting
  • Advanced SQL injection attacks

Module exercises: 

  • Questions about concepts explained in the course
  • Questions to verify knowledge of SQL 

Module 2 workload: 1 hour

Module 3

MS SQL Pentesting

This module is about how to pentest MS SQL databases. It begins with a short description of architecture and basic admin tasks followed by the description of several tools and procedures in order to discover MS SQL databases in a specific data center and exploit them. Finally, we describe tools and techniques to secure the MS SQL databases.

  • Architecture overview
    • Database Architecture
    • Networking protocol
    • Network packet overview
  • MS SQL basic admin
  • MS SQL reconnaissance
  • Attack MS SQL databases
    • Using Metasploit to hack MS SQL Server databases
    • Brute force attacks
    • Using SQL Server to Initiate SMB Authentication
  • Protecting your database

Module exercises: 

  • Questions about MS SQL architecture and communications
  • Using nmap to find and get data about MS SQL databases
  • Questions about brute force attacks 
  • Questions about exploiting MS SQL using Metasploit
  • Build a tool with Python to pentest MS SQL
  • Questions about hardening MS SQL server

Module 3 workload: 2 hours

Module 4

 MySQL Pentesting

This module is about how to pentest MySQL databases. It begins with a short description of MySQL architecture and basic admin tasks followed by the description of several tools and procedures in order to discover MySQL databases in a specific data center and exploit them. Finally, we describe tools and techniques to secure the MySQL databases.

  • Architecture overview
    • Database architecture
    • Networking protocol
    • Network packet overview
  • MySQL basic admin
  • MySQL reconnaissance
    • Looking for MySQL artifacts
    • Nmap to discover MySQL databases
    • Intercept MySQL network packets
  • Pentest MySQL databases
    • Using Python to hack MySQL Databases
    • Brute force attacks
    • Password cracking
    • Metasploit modules to attack MySQL
    • Hacking phpMyAdmin 
    • Tools to attack MySQL
  • Hardening MySQL Databases

Module exercises: 

  • Questions about MySQL architecture and communications
  • Using nmap to find and get data about MySQL databases
  • Questions about force brute attacks 
  • Questions about use of Metasploit
  • Questions about hardening MySQL

Module 4 workload: 2 hours

Module 5

 Oracle Database Pentesting

This module is about how to pentest Oracle databases. It begins with a short description of Oracle architecture and basic admin tasks followed by the description of several tools and procedures in order to discover Oracle databases in a specific data center and exploit them. Finally, we describe tools and techniques to secure Oracle databases.

  • Architecture overview
    • Database architecture
    • Net services
    • Oracle network packet overview
  • Oracle basic admin
  • Oracle reconnaissance
    • Looking for Oracle artifacts
    • Nmap to discover Oracle databases
    • Intercept Oracle network packets 
    • Injecting commands in TNS packets
  • Pentest Oracle databases
    • Using Python to hack Oracle databases
    • Brute force attacks
    • Password cracking
    • Metasploit modules to attack Oracle
    • Using ODATA to pentest an Oracle database
  • Hardening your database
    • General security concepts in Oracle
    • Configure users
    • Use of encryption
    • Auditing database activity

Module exercises: 

  • Questions about SQL commands to admin Oracle
  • Using nmap to find Oracle databases
  • Read content of a pcap file with Python program and extract data
  • Use Metasploit to pentest Oracle DB
  • Use of ODAT utilities
  • Questions about hardening Oracle databases

Module 5 workload: 3 hours

Module 6

PostgreSQL Pentesting

This module is about how to pentest PostgreSQL databases. It begins with a short description of PostgreSQL architecture and basic admin tasks followed by the description of several tools and procedures in order to discover PostgreSQL databases in a specific data center and exploit them. Finally, we describe tools and techniques to secure the PostgreSQL databases.

  • Architecture overview
    • Database architecture
    • Networking protocol
    • Network packet overview
  • PostgreSQL basic admin
  • PostgreSQL reconnaissance
    • Looking for PostgreSQL artifacts
    • Nmap to discover PostgreSQL databases
    • Intercept PostgreSQL network packets
  • Pentest Oracle databases
    • Using Python to hack PostgreSQL databases
    • Brute force attacks
    • Password cracking
    • Metasploit modules to attack PostgreSQL
    • Tools to attack PostgreSQL database
  • Hardening your database
    • General security concepts in PostgreSQL
    • Configure users
    • Use of encryption
    • Auditing database activity

Module exercises: 

  • Questions about PostgreSQL architecture and communications
  • Using nmap to find and get data about PostgreSQL databases
  • Questions about force brute attacks 
  • Questions about use of Metasploit
  • Questions about hardening PostgreSQL

Module 6 workload: 2 hours

Module 7

NoSQL Database Pentesting (MongoDB)

This module is about how to pentest NoSQL databases. It begins with a short description of NoSQL  architecture and basic admin tasks followed by the description of several tools and procedures in order to discover NoSQL databases in a specific data center and exploit them. Finally, we describe tools and techniques to secure the NoSQL databases.

  • Architecture overview
    • Database architecture
    • Networking protocol
    • Network packet overview
  • MongoDB basic admin
  • MongoDB reconnaissance
    • Discover MongoDB artifacts
    • Using nmap to discover MongoDB databases
    • Intercept MongoDB packets in network 
  • Pentest NoSQL databases
    • Using Python to pentest MongoDB databases
    • Using NoSQLmap
    • Using Metasploit to hack MongoDB
  • Hardening your database

Module exercises: 

  • Questions about NoSQL architecture and communications
  • Using nmap to find and get data about MongoDB databases
  • Questions about force brute attacks 
  • Creating tools with Python to pentest MongoDB
  • Questions about hardening MongoDB

Module 7 workload: 2 hours

Final exam

Final exam - MCQ test 

QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].

Course Reviews

N.A

ratings
  • 5 stars0
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0

No Reviews found for this course.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
Please review your information and consent to the processing of your personal data.(Required)
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?
Please review your information and consent to the processing of your personal data.(Required)

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.