Hypnosis

Database cache-based attack detection utility (All SQL Server 2005 & 2008 editions)


Description

Overview

SQL Server maintains several database caches that record previously executed statements. These caches can contain evidence of successfully executed database attacks, including those launched by SQL injection attack tools or worms, or even by interactively logged-on users.
 
Hypnosis is the first cache-based incident response utility that interrogates the “always-on” caching feature of SQL Server to help confirm or discount a successful database attack.

Usage

Hypnosis uses a regex-based rule file named “CacheRules.txt”, which can be populated with attack signatures for use during cache interrogation. The default CacheRules file contains attack signatures for Pangolin, a SQL injection tool widely used within the industry.

The CacheRules file can be extended to include signatures for any other tools or generic attacks for use during interrogation. The format for extending the file is documented in the header of the CacheRules file.
Hypnosis can also be used to add ad-hoc signatures matching alerts generated by IDS/IPS/WAF devices, to verify whether an attack was successfully tunnelled to and executed by the database server.
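The interrogation described above, as an added T-SQL example that is not Hypnosis or CacheGrab.sql code: it joins the cached statement text exposed by SQL Server's DMVs against a signature table. T-SQL has no regex engine, so the constructed signatures below are LIKE patterns rather than the regex rules of CacheRules.txt; running it requires VIEW SERVER STATE.

```sql
-- Added example: match cached statements against attack signatures.
-- Works on SQL Server 2005/2008 (single-row INSERTs, no row constructors).
SET NOCOUNT ON;

-- Constructed signature table (illustrative patterns, not CacheRules.txt
-- defaults). '!' is the LIKE escape character so '_' matches literally.
DECLARE @CacheRules TABLE (RuleName sysname, Pattern nvarchar(400));
INSERT INTO @CacheRules (RuleName, Pattern) VALUES (N'UNION-based injection',    N'%UNION%SELECT%');
INSERT INTO @CacheRules (RuleName, Pattern) VALUES (N'Stacked xp_cmdshell call', N'%;%xp!_cmdshell%');
INSERT INTO @CacheRules (RuleName, Pattern) VALUES (N'Schema enumeration',       N'%INFORMATION!_SCHEMA.%');
INSERT INTO @CacheRules (RuleName, Pattern) VALUES (N'Comment-terminated tail',  N'%''%--%');

-- Walk every cached statement; sys.dm_exec_sql_text needs VIEW SERVER STATE.
-- Statements of this script are excluded so the rule literals above do not
-- match themselves. Evidence is volatile: cache eviction, memory pressure,
-- DBCC FREEPROCCACHE or a service restart clears it, so capture the output.
SELECT  r.RuleName,
        DB_NAME(st.dbid)                AS database_name,
        qs.creation_time,
        qs.last_execution_time,
        qs.execution_count,
        SUBSTRING(st.text,
                  (qs.statement_start_offset / 2) + 1,
                  ((CASE qs.statement_end_offset
                        WHEN -1 THEN DATALENGTH(st.text)
                        ELSE qs.statement_end_offset
                    END - qs.statement_start_offset) / 2) + 1) AS statement_text,
        st.text                         AS full_batch_text
FROM    sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
JOIN    @CacheRules AS r
  ON    st.text LIKE r.Pattern ESCAPE N'!'
WHERE   st.text NOT LIKE N'%@CacheRules%'
ORDER BY qs.last_execution_time DESC;
```

A hit proves only that the statement compiled and ran at least once; absence of hits is not proof of no attack, since injected statements that never reached a successful parse leave no cache entry.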

Dependency

.Net Framework 3.5: Because C# relies on the .Net framework, Hypnosis must be run from a computer containing the .Net Framework 3.5 files. If responding to an incident involving a target database server that is not running a supported version of .Net, Hypnosis can be run from a remote machine containing .Net 3.5. This remote machine must have sufficient network access to the target database server, which must be configured to support remote SQL Server communication protocols (TCP/IP or Named Pipes).

Download

  • Hypnosis | Cache-based database attack detection utility
  • CacheGrab.sql | SQL script that can be scheduled to execute Hypnosis-like cache interrogation at pre-determined intervals 

 

References

Presentation:    SQL Server Forensics 2 | AppSec Asia | November 2009 - Kevvie Fowler

Presentation:    To Cache a Thief -- Using database caches to detect SQL Injection Attacks | SecTor | October 2009 - Kevvie Fowler