secmon: Basic Oracle Security Monitoring - PowerPoint PPT Presentation



  1. secmon: Basic Oracle Security Monitoring

  2. motivation & start
     • internet security
     • evaluate password crackers to check the security of passwords

  3. problems
     • default passwords (Oracle)
       – Scott/Tiger
     • username = password
       – (slight permutations)
     • hidden users (rootkits)

  4. oracle passwords[1]
     • username prepended as salt
       – oracl:epwd same as oracle:pwd
     • only uppercase
     • fast hashing

  5. Results of Evaluation[2]
     program     version  source  binaries         multi-threaded  test1  test2  test3
     orabf       0.7.6    closed  win              no              0.1s   1.8s   473.3s
     checkpwd    1.23     closed  win, linux, mac  claimed         1.1s   8.9s   1197.7s
     woraauthbf  0.21R2   open    win              yes             0.2s   1.3s   358.8s
     Further performance tests of woraauthbf were performed on different hardware[3]

  6. the winner: woraauthbf
     • reasonably fast
     • multi-threaded
     • open source
     • no Linux version

  7. customizing woraauthbf
     • my port of woraauthbf to linux
       – C/C++
       – replacing Windows functions
       – version 0.21 and 0.22
       – changes probably in 0.23

  8. woraauthbf: the bugs
     • in permutation generation
     • one misplaced pointer
     • race condition
       – My mistake

  9. woraauthbf: the enhancements
     • removed all warnings
     • icc
     • multithreading of permutation checking & generating

  10. woraauthbf: enhancement results[3]
     (chart: ~150 user names; ~1.5 Mio. dictionary entries)

  11. good dictionaries are needed
     • but are hard to find
     • combine high quality ones with ‘edited’ low quality ones

  12. dictionaries: the sources
     • Wordlist project on sourceforge[4]
       – http://wordlist.sourceforge.net/
     • ftp://ftp.cerias.purdue.edu/pub/dict/
     • ftp://ftp.ox.ac.uk/pub/wordlists
     • Internet Dictionary Project
       – http://www.ilovelanguages.com/IDP/
       • French, German, Italian, Portuguese, Spanish, Dutch, Polish…

  13. dictionaries: the ‘editing’ (glance through)
     • cat German.txt | sed -r 's/[[:blank:]]+/\n/g' | sed -r 's/~//g' | sed -r 's/=//g' \
         | sed -r 's/\[Article\]//g' | sed -r 's/\[Pronoun\]//g' | sed -r 's/\//\n/g' \
         | sed -r 's/\.//g' | sed -r 's/,/\n/g' | sed -r 's/\[Adverb\]//g' | sed -r 's/\[Noun\]//g' \
         | sed -r 's/://g' | sed -r 's/\[Verb\]//g' | sed -r 's/\[Adjective\]//g' | sed -r 's/;//g' \
         | sed -r 's/^(.+)\((.+)\)/\1\n\1\2/g' | sed -r 's/^\((.+)\)$/\1/g' \
         | sed -r 's/\(f\)//g' | sed -r 's/\(e\)//g' | sed -r 's/\^//g' | sed -r 's/\\//g' \
         | sed -r 's/\[Preposition\]//g' | sed -r 's/\[Conjunction\]//g' | sed -r 's/\"//g' | sed -r 's/_//g' \
         | sed -r 's/\(//g' | sed -r 's/\)//g' | sed -r 's/`//g' | sed -r 's/[0-9]//g' \
         | sed -r 's/\[\]//g' | sed -r 's/\[f\]//g' | sed -r 's/\[int\]//g' | sed -r 's/\[//g' \
         | sed -r 's/\+//g' | sed -r 's/- //g' | sed -r 's/&//g' \
         | tr '[:lower:]' '[:upper:]' | sort -u > germanWordlist

  14. secmon: the architecture

  15. secmon: quick facts
     • python
     • shell scripts
       – (grep, awk, sed)
     • multithreaded
       – each remote component controlled by its own thread

  16. secmon: the remote component
     • ‘run’ executable
       – gets arguments
       – returns result on stdout (stderr)
     • easy to add a new component

  17. secmon: the remote components
     • targetDBComponent
       – gets usernames and hashes
     • crunchComponent
       – does the actual pw checking
     • hiddenUserComponent
       – more later
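The controller/component contract of slides 15 to 17 (one controlling thread per remote component, each component a ‘run’ executable that takes its arguments on the command line and answers on stdout, errors on stderr) as an added Python example. This is not the secmon code itself; the component names are taken from slide 17, and the stand-in executables, the sample hash lines and the timeout handling are constructed for the demo.

```python
import subprocess
import sys
import threading
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    argv: list            # the component's 'run' executable plus its arguments
    timeout: float = 30.0

def run_component(comp: Component) -> dict:
    """Run one component: result on stdout, errors on stderr, rc -1 if it
    never produced an exit code (timeout, missing or non-executable 'run')."""
    res = {"rc": -1, "out": "", "err": ""}
    try:
        proc = subprocess.run(comp.argv, capture_output=True, text=True,
                              timeout=comp.timeout, check=False)
        res.update(rc=proc.returncode, out=proc.stdout.strip(), err=proc.stderr.strip())
    except subprocess.TimeoutExpired:
        res["err"] = f"timeout after {comp.timeout}s"
    except OSError as exc:
        res["err"] = str(exc)
    return res

def run_all(components) -> dict:
    """Control every component from its own thread; return name -> result."""
    results, lock = {}, threading.Lock()
    def worker(comp):
        res = run_component(comp)
        with lock:
            results[comp.name] = res
    threads = [threading.Thread(target=worker, args=(c,)) for c in components]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

# Constructed stand-ins for the real 'run' executables (python -c snippets):
# a hash exporter with made-up hashes, a hidden-user check, and a failing component.
DEMO_COMPONENTS = [
    Component("targetDBComponent", [sys.executable, "-c",
              "print('SCOTT:0123456789ABCDEF'); print('DEMO:FEDCBA9876543210')"]),
    Component("hiddenUserComponent", [sys.executable, "-c", "print('no hidden users found')"]),
    Component("brokenComponent", [sys.executable, "-c",
              "import sys; sys.stderr.write('cannot connect'); sys.exit(2)"]),
]
```

`run_all(DEMO_COMPONENTS)` returns one result per component name, so a component that hangs or fails shows up as rc -1 or its own exit code instead of stalling the other checks.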

  18. secmon: virtual demo

  19. secmon: virtual demo

  20. secmon: virtual demo

  21. secmon: virtual demo

  22. secmon: hiding users[4]

  23. secmon: hiding users

  24. secmon: hiding users

  25. Future
     • migration to pdb_backup
     • production rollout
     • project report & documentation
     • release linux version of woraauthbf
     • check privileges of users
       – other checks (rootkits…)

  26. questions?
     • Thanks to:
       – Maria
       – Luca Canali
       – Dawid
       – Miguel
       – Jacek
       – and the rest of the IT-DM team

  27. references
     [1] Wright, Joshua; Cid, Carlos. An Assessment of the Oracle Password Hashing Algorithm. http://www.sans.org/reading_room/special/index.php?id=oracle_pass&ref=911
     [2] Donnerer, Michael. A Comparison of Offline Password Cracking Tools for Oracle 10g Databases.
     [3] Donnerer, Michael. Some performance measurements of woraauthbf.
     [4] Kornbrust, Alexander. Are Oracle Rootkits Easy To Find? http://blog.red-database-security.com/2007/12/24/are-oracle-rootkits-easy-to-find/
