SLIDE 1
motivation & start motivation & start
- internet security
- evaluate password cracker to check security of
secmon Basic Oracle Security Monitoring Basic Oracle Security - - PowerPoint PPT Presentation
secmon Basic Oracle Security Monitoring Basic Oracle Security - - PowerPoint PPT Presentation
secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start motivation & start internet security evaluate password cracker to check security of passwords passwords problems problems default
SLIDE 2
SLIDE 3
problems problems
- default passwords (Oracle)
– Scott/Tiger / g
- username = password
( li h i ) – (slight permutations)
- hidden users (rootkits)
( )
SLIDE 4
- racle passwords[1]
- racle passwords[1]
- username prepended as salt
– oracl:epwdsame as oracle:pwd
- only uppercase
- only uppercase
- fast hashing
SLIDE 5
Results of Evaluation[2] Results of Evaluation[2]
program version source binaries multi- threaded test1 test2 test3 threaded
- rabf
0.7.6 closed win no 0.1s 1.8s 473.3s checkpwd 1.23 closed win, claimed 1.1s 8.9s 1197.7s p , linux, mac woraauthbf 0 21R2
- pen
win yes 0 2s 1 3s 358 8s woraauthbf 0.21R2
- pen
win yes 0.2s 1.3s 358.8s Further performance test of woraauthbf were performed on different hardware[3]
SLIDE 6
the winner: woraauthbf the winner: woraauthbf
- reasonably fast
l i h d d
- multi-threaded
- open source
p
- no Linux version
SLIDE 7
customizing woraauthbf customizing woraauthbf
- my port of woraauthbfto linux
C/C++ – C/C++ – replacing Windows functions – version 0.21 and 0.22 – changes probably in 0.23 changes probably in 0. 3
SLIDE 8
woraauthbf: the bugs woraauthbf: the bugs
- in permutation generation
- one misplaced pointer
- race condition
- race condition
– My mistake
SLIDE 9
woraauthbf: the enhancements woraauthbf: the enhancements
- removed all warnings
i
- icc
- multithreading of permutation checking &
g p g generating
SLIDE 10
woraauthbf: enhancement results[3]
~150 user names; ~1.5 Mio. Dictionary entries
SLIDE 11
good dictionaries are needed good dictionaries are needed
- but are hard to find
- combine high quality ones with ‘edited’ low
quality ones quality ones
SLIDE 12
dictionaries: the sources dictionaries: the sources
- Wordlist project on sourceforge[4]
– http://wordlist sourceforge net/ – http://wordlist.sourceforge.net/
- ftp://ftp.cerias.purdue.edu/pub/dict/
- ftp://ftp.ox.ac.uk/pub/wordlists
- Internet Dictionary Project
- Internet Dictionary Project
– http://www.ilovelanguages.com/IDP/
- French, German, Italian, Portuguese, Spanish,
Dutch, Polish… utch, Polish…
SLIDE 13
dictionaries: the ‘editing’ dictionaries: the editing
- glance through
- cat German.txt | sed -r 's/[[:blank:]]+/\n/g' | sed -r 's/~//g' | sed -r
's/=//g' | sed -r 's/\[Article\]//g' | sed -r 's/\[Pronoun\]//g' | sed -r s/=//g | sed -r s/\[Article\]//g | sed -r s/\[Pronoun\]//g | sed -r 's/\//\n/g' | sed -r 's/\.//g' | sed -r 's/,/\n/g' | sed -r 's/~//g'| sed -r 's/\[Adverb\]//g' | sed -r 's/\[Noun\]//g' | sed -r 's/://g' | sed -r 's/\[Verb\]//g' | sed -r 's/\[Adjective\]//g' | sed -r 's/;//g' | sed -r 's/^(.+)\((.+)\)/\1\n\1\2/g' | sed -r 's/^\((.+)\)$/\1/g' | sed -r 's/\(f\)//g' | sed -r 's/\(e\)//g' | sed -r 's/\^//g' | sed -r 's/\\//g' | s/\(f\)//g | sed r s/\(e\)//g | sed r s/\ //g | sed r s/\\//g | sed -r 's/\[Preposition\]//g' | sed -r 's/\[Conjunction\]//g' | sed -r 's/\"//g' | sed -r 's/_//g' | sed -r 's/\(//g' | sed -r 's/\)//g' | sed -r ' /`// ' | d ' /[ ]// ' | d ' /\[\]// ' | d ' /\[f\]// ' | 's/`//g' | sed -r 's/[0-9]//g' | sed -r 's/\[\]//g' | sed -r 's/\[f\]//g' | sed -r 's/\[int\]//g' | sed -r 's/\[//g' | sed -r 's/\+//g' | sed -r 's/- //g' | sed -r 's/&//g' | tr '[:lower:]' '[:upper:]' | sort - //g | / //g | [ ] [ pp ] | u>germanWordlist
SLIDE 14
secmon: the architecture secmon: the architecture
SLIDE 15
secmon: quick facts secmon: quick facts
- python
- shell scripts
- shell scripts
– (grep, awk, sed)
- multithreaded
– each remote component controlled by own thread each remote component controlled by own thread
SLIDE 16
secmon: the remote component secmon: the remote component
- ‘run’ executable
– gets arguments – gets arguments – returns result on stdout (stderr)
- easy to add new component
SLIDE 17
secmon: the remote components secmon: the remote components
- targetDBComponent
– gets username and hashes – gets username and hashes
- crunchComponent
– does the actual pw checking
- hiddenUserComponent
hiddenUserComponent
– more later
SLIDE 18
secmon: virtual demo secmon: virtual demo
SLIDE 19
secmon: virtual demo secmon: virtual demo
SLIDE 20
secmon: virtual demo secmon: virtual demo
SLIDE 21
secmon: virtual demo secmon: virtual demo
SLIDE 22
secmon: hiding users[4] secmon: hiding users[4]
SLIDE 23
secmon: hiding users secmon: hiding users
SLIDE 24
secmon: hiding users secmon: hiding users
SLIDE 25
Future Future
- migration to pdb_backup
- production rollout
- production rollout
- project report & documentation
- release linuxversion of woraauthbf
h k i il f
- check privileges of users
– other checks (rootkits…)
SLIDE 26
questions? questions?
- Thanks to:
– Maria – Luca Canali Dawid – Dawid – Miguel – Jacek – and the rest of the IT-DM team
SLIDE 27
references references
[1] W i ht J h Cid C l A A t f [1] Wright, Joshua; Cid, Carlos. An Assessment of the Oracle Password Hashing Algorithmhttp://www sans org/reading room/sp Algorithmhttp://www.sans.org/reading_room/sp ecial/index.php?id=oracle_pass&ref=911
- [2]Donnerer Michael A Comparision of Offline
[2]Donnerer, Michael. A Comparision of Offline Password Cracking Tools for Oracle 10g Databases
- [3] Donnerer, Michael. Some permformance
[3] Donnerer, Michael. Some permformance measurements of woraauthbf
- [4] Kornbrust, Alexander. Are Oracle Rootkits Easy