DBTrap

The tables in your SQL database(s) contain sensitive information that needs to be protected from cyber-criminals. Planting decoy objects in a database gives you a simple way to detect unauthorized access attempts and other malicious acts: nobody with a legitimate reason ever reads a decoy, so any SELECT against it is worth an alert. DBTrap makes this process very simple by generating the code you need to make it all happen.

The trap fires over DNS. The decoy view calls a function that forces SQL Server to resolve a hostname carrying the caller's login name, under a domain that only the DBTrap listener answers for, so the lookup itself is the alert. Once someone selects from the decoy view you will get an alert like this (the decoded login appears in the User-agent field, and Source IP is the address the DNS query arrived from):


One of your HackTraps was triggered.
Channel: DNS
Time : 2016-04-14 15:00:51.230870
Memo : MSSQL view
Source IP: 72.50.220.87
User-agent: Corp\Administrator

Below is an example of the T-SQL that DBTrap generates for you. It runs on Microsoft SQL Server (the function relies on the master.dbo.xp_dirtree extended procedure).

Don't forget to change the view name and the function name to something that fits your schema. Leave the token hostname as generated, since it is what ties the DNS lookup back to this trap.


-- Create a table-valued function whose only real effect is resolving the canary hostname
CREATE FUNCTION innocuous_name(@RAND FLOAT) RETURNS @output TABLE (col1 VARCHAR(MAX))
AS
BEGIN
    DECLARE @username VARCHAR(MAX), @base64 VARCHAR(MAX), @tokendomain VARCHAR(128),
            @unc VARCHAR(128), @size INT, @done INT, @random VARCHAR(4);
    -- Set up the variables
    SET @tokendomain = 'fiuywq2gpgwxsaxbedq1fvcu3.watchpointdata.com';
    SET @size = 128;
    SET @done = 0;
    -- @RAND is passed in by the view because RAND() is not allowed inside a function;
    -- the resulting 0-100 label makes every SELECT produce a fresh, uncached hostname.
    -- (Cast via INT and VARCHAR(3) so a value that rounds to 100 cannot overflow.)
    SET @random = CAST(CAST(ROUND(@RAND * 100, 0) AS INT) AS VARCHAR(3));
    SET @random = CONCAT(@random, '.');
    -- Login name of whoever selected from the view, e.g. Corp\Administrator
    SET @username = SUSER_SNAME();
    -- Loop runs until the UNC path is 128 chars or less
    WHILE @done <= 0
    BEGIN
        -- Convert the login name into base64 using the XML base64Binary trick
        SELECT @base64 = (SELECT
            CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))',
                'VARCHAR(MAX)'
            ) AS Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp);

        -- Replace base64 padding, as DNS will choke on '='
        SELECT @base64 = REPLACE(@base64, '=', '0');

        -- Construct the UNC path: \\<base64>.<random>.<tokendomain>\a
        SELECT @unc = CONCAT('\\', @base64, '.', @random, @tokendomain, '\a');

        -- If it is too long, trim the login name and try again
        IF LEN(@unc) <= @size
            SET @done = 1;
        ELSE
            -- Trim from the front, to keep the username and lose the domain details
            SELECT @username = SUBSTRING(@username, 2, LEN(@username) - 1);
    END
    -- xp_dirtree tries to list the share, which forces a DNS lookup of the canary hostname
    EXEC master.dbo.xp_dirtree @unc; -- WITH RESULT SETS (([result] VARCHAR(MAX)));
    RETURN;
END
GO
-- Create a view that calls the function (use CREATE VIEW the first time; ALTER VIEW if it already exists)
ALTER VIEW view1 AS SELECT * FROM master.dbo.innocuous_name(RAND());
GO
-- Change permissions on innocuous_name to SELECT for [public]
-- Change permissions on the decoy view (view1 here; give it a lucrative name) to SELECT for [public]
-- Don't allow [public] to view the definitions
GRANT SELECT ON dbo.innocuous_name TO public;
GRANT SELECT ON dbo.view1 TO public;
DENY VIEW DEFINITION ON dbo.innocuous_name TO public;
DENY VIEW DEFINITION ON dbo.view1 TO public;
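Three things about the generated code are worth checking before you rely on it: the trap only fires if the SQL Server host can resolve external names (the lookup leaves through the host's resolver, so a database server with no DNS egress never alerts); the 128-character cap bounds the UNC path, not the 63-octet DNS label limit, and base64 can also emit '+' and '/', which the code leaves in the hostname; and the '=' to '0' substitution is lossy, because '0' is itself a base64 digit. The Python below is an added example, not DBTrap's or WatchPoint's code. It reproduces what the T-SQL function does to the caller's login (base64, '=' replaced by '0', trim from the front until the UNC path fits) so you can predict the hostname a given login produces, and shows how a listener recovers the login from the query it receives, including the padding ambiguity. The token domain is the one in the generated code; the logins, random values and helper names are constructed for this demo.

```python
"""Model of the DBTrap hostname encoding, plus a decoder for the listener side.

Added example, not DBTrap's or WatchPoint's own code.  It mirrors what the
T-SQL function does to the caller's login (base64 via the XML trick, '='
padding replaced by '0', login trimmed from the front until the UNC path fits
in 128 characters) and recovers logins from the DNS name that reaches the
token domain.  T-SQL varchar is single-byte, so UTF-8 here matches it for the
ASCII logins SQL Server normally reports.  Logins and RAND values are made up.
"""
import base64
import string

TOKEN_DOMAIN = "fiuywq2gpgwxsaxbedq1fvcu3.watchpointdata.com"   # from the generated code
MAX_UNC = 128                                                    # @size in the T-SQL
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def encode_label(login: str) -> str:
    """Base64 the login as the T-SQL does, then swap '=' for '0' (DNS rejects '=').
    '+' and '/' can also appear in base64 output and are left alone, as on the page."""
    return base64.b64encode(login.encode("utf-8")).decode("ascii").replace("=", "0")


def build_unc(login: str, rand_value: float, token_domain: str = TOKEN_DOMAIN,
              max_len: int = MAX_UNC) -> str:
    """Build \\\\<b64>.<rand>.<domain>\\a the way the T-SQL WHILE loop does.
    rand_value stands in for the RAND() the view passes; the T-SQL rounds it to
    an integer 0-100 so every SELECT yields a fresh, uncached hostname."""
    rand_label = str(int(rand_value * 100 + 0.5))        # ROUND(@RAND * 100, 0)
    while True:
        unc = "\\\\" + encode_label(login) + "." + rand_label + "." + token_domain + "\\a"
        if len(unc) <= max_len or not login:
            return unc
        login = login[1:]      # trim from the front: lose the domain, keep the user


def unc_to_qname(unc: str) -> str:
    """The hostname the SMB redirector resolves for a UNC path '\\\\host\\share'."""
    if not unc.startswith("\\\\"):
        raise ValueError("not a UNC path")
    return unc[2:].split("\\", 1)[0]


def decode_label(label: str) -> list[str]:
    """Return every plausible login for one received label.

    '0' is a base64 digit, so a label ending in '0' may have carried 0, 1 or 2
    padding characters before the substitution.  Each structurally possible
    padding length is tried and decodes that are not printable ASCII are
    dropped.  More than one survivor means the label is genuinely ambiguous:
    the logins 'ab' and 'ab4' both encode to 'YWI0'.
    """
    candidates = []
    for pad in range(3):
        if pad and not label.endswith("0" * pad):
            break                        # replaced padding would all have been '0'
        trial = label[: len(label) - pad] + "=" * pad
        try:
            text = base64.b64decode(trial, validate=True).decode("ascii")
        except ValueError:               # bad alphabet, bad length or non-ASCII bytes
            continue
        if text and all(c in PRINTABLE for c in text):
            candidates.append(text)
    return candidates


def decode_query(qname: str, token_domain: str = TOKEN_DOMAIN) -> list[str]:
    """Split a received '<b64>.<rand>.<token_domain>' name and decode the login label.
    Only the domain is compared case-insensitively; the base64 label is case-sensitive."""
    qname = qname.rstrip(".")
    suffix = "." + token_domain
    if not qname.lower().endswith(suffix.lower()):
        raise ValueError("query is not for the token domain")
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 2:
        raise ValueError(f"expected <b64>.<rand> before the token domain, got {labels}")
    return decode_label(labels[0])


if __name__ == "__main__":
    for login in ("Corp\\Administrator", "Administrator", "ab"):
        qname = unc_to_qname(build_unc(login, 0.42))
        print(f"{login!r:22} -> {qname}")
        print(f"{'':22}    listener decodes {decode_query(qname)}")
```

Run it and 'Corp\Administrator' comes back as a single candidate, while 'ab' comes back as both 'ab4' and 'ab'. A listener that has to settle such a tie can match the candidates against the server's real logins (sys.server_principals) or simply report all of them; the alert on this page shows one decoded name, which is the common case.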


For additional recommended reading, please visit our Need to Know page.