secmon
Basic Oracle Security Monitoring
motivation & start
• internet security
• evaluate password cracker to check security of passwords
problems
• default passwords (Oracle)
  – Scott/Tiger
• username = password
  – (slight permutations)
• hidden users (rootkits)
oracle passwords[1]
• username prepended as salt
  – oracl:epwd same as oracle:pwd
• only uppercase
• fast hashing
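The three properties on this slide and the cheap guesses on the "problems" slide can be shown in code. The following is an added example, not code from the slides or from secmon. It reproduces the input preparation of the pre-11g Oracle hash as described by Wright & Cid [1] (username concatenated as "salt", upper-casing, two bytes per character, zero padding to the DES block size) and then replaces the DES-CBC stage with SHA-256 as a labelled stand-in, so the digests it produces are not real Oracle hashes; the collisions caused by the preparation, which is what the slide is about, come out identically under any hash function. `DEFAULT_CREDENTIALS`, `SAMPLE_ACCOUNTS` and the function names are constructed for the example.

```python
import hashlib

# Added example (not from the slides): input preparation of the legacy Oracle
# password hash per Wright & Cid [1], used to audit an account dump for the
# weak-password cases the "problems" slide lists.


def legacy_preimage(username: str, password: str) -> bytes:
    """Steps that precede the DES stage of the legacy hash:
    1. the username is the 'salt', applied by plain concatenation;
    2. the whole string is upper-cased;
    3. every character is widened to two bytes (0x00, char);
    4. the buffer is zero-padded to a multiple of eight bytes."""
    text = (username + password).upper()
    wide = text.encode("utf-16-be")          # 0x00 followed by the ASCII byte
    return wide + b"\x00" * (-len(wide) % 8)


def legacy_hash_stand_in(username: str, password: str) -> str:
    """ASSUMPTION / stand-in: the real algorithm runs DES-CBC over
    legacy_preimage() with a fixed key, keeps the last block, and runs DES-CBC
    again with that block as the key; the last block is the hash.  SHA-256
    truncated to eight bytes replaces DES here so the block needs only the
    standard library.  The values are NOT real Oracle hashes, but identical
    preimages give identical digests, so every collision caused by the input
    preparation is reproduced exactly."""
    digest = hashlib.sha256(legacy_preimage(username, password)).digest()
    return digest[:8].hex().upper()


def same_preimage(user_a: str, pw_a: str, user_b: str, pw_b: str) -> bool:
    """True when two (username, password) pairs are indistinguishable to the hash."""
    return legacy_preimage(user_a, pw_a) == legacy_preimage(user_b, pw_b)


# The one default named on the slide; a real audit list is much longer.
DEFAULT_CREDENTIALS = {"SCOTT": "TIGER"}


def weak_account_findings(accounts, hash_fn=legacy_hash_stand_in):
    """Check (username, stored_hash) pairs for the two cheapest guesses from the
    "problems" slide: password == username and the vendor default.
    Returns a list of (username, reason)."""
    findings = []
    for username, stored in accounts:
        user = username.upper()
        if hash_fn(user, user) == stored:
            findings.append((username, "password equals username"))
        elif user in DEFAULT_CREDENTIALS and hash_fn(user, DEFAULT_CREDENTIALS[user]) == stored:
            findings.append((username, "vendor default password"))
    return findings


# Constructed account dump, the shape targetDBComponent would hand to the checker.
SAMPLE_ACCOUNTS = [
    ("SCOTT", legacy_hash_stand_in("SCOTT", "tiger")),
    ("APP_OWNER", legacy_hash_stand_in("APP_OWNER", "app_owner")),
    ("SYSTEM", legacy_hash_stand_in("SYSTEM", "Long-Unguessable-Value-42")),
]

if __name__ == "__main__":
    print(same_preimage("oracl", "epwd", "oracle", "pwd"))    # salt boundary is lost
    print(same_preimage("scott", "Tiger", "SCOTT", "TIGER"))  # case is folded away
    print(weak_account_findings(SAMPLE_ACCOUNTS))
```

The first two checks are the slide's bullets in executable form: because the salt is applied by concatenation, the hash cannot tell where the username ends, and because everything is upper-cased, a cracker only has to try one case variant per candidate. `weak_account_findings()` is the defender's side of the same fact: with such a cheap hash, the audit should at least try the guesses an attacker would try first.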
Results of Evaluation[2]
program      version  source  binaries         multi-threaded  test1  test2  test3
orabf        0.7.6    closed  win              no              0.1s   1.8s   473.3s
checkpwd     1.23     closed  win, linux, mac  claimed         1.1s   8.9s   1197.7s
woraauthbf   0.21R2   open    win              yes             0.2s   1.3s   358.8s
Further performance tests of woraauthbf were performed on different hardware[3]
the winner: woraauthbf
• reasonably fast
• multi-threaded
• open source
• no Linux version
customizing woraauthbf
• my port of woraauthbf to linux
  – C/C++
  – replacing Windows functions
  – version 0.21 and 0.22
  – changes probably in 0.23
woraauthbf: the bugs
• in permutation generation
• one misplaced pointer
• race condition
  – My mistake
woraauthbf: the enhancements
• removed all warnings
• icc
• multithreading of permutation checking & generating
woraauthbf: enhancement results[3]
~150 user names; ~1.5 million dictionary entries
good dictionaries are needed
• but are hard to find
• combine high quality ones with ‘edited’ low quality ones
dictionaries: the sources
• Wordlist project on sourceforge[4]
  – http://wordlist.sourceforge.net/
• ftp://ftp.cerias.purdue.edu/pub/dict/
• ftp://ftp.ox.ac.uk/pub/wordlists
• Internet Dictionary Project
  – http://www.ilovelanguages.com/IDP/
  – French, German, Italian, Portuguese, Spanish, Dutch, Polish…
dictionaries: the ‘editing’
• glance through
• the sed chain (same expressions in the same order as the one-liner, grouped with -e where no expression depends on line boundaries created by an earlier one):
  sed -r -e 's/[[:blank:]]+/\n/g' -e 's/~//g' -e 's/=//g' \
         -e 's/\[Article\]//g' -e 's/\[Pronoun\]//g' German.txt \
    | sed -r -e 's/\//\n/g' -e 's/\.//g' \
    | sed -r -e 's/,/\n/g' -e 's/\[Adverb\]//g' -e 's/\[Noun\]//g' -e 's/://g' \
         -e 's/\[Verb\]//g' -e 's/\[Adjective\]//g' -e 's/;//g' \
    | sed -r 's/^(.+)\((.+)\)/\1\n\1\2/g' \
    | sed -r -e 's/^\((.+)\)$/\1/g' -e 's/\(f\)//g' -e 's/\(e\)//g' -e 's/\^//g' -e 's/\\//g' \
         -e 's/\[Preposition\]//g' -e 's/\[Conjunction\]//g' -e 's/\"//g' -e 's/_//g' \
         -e 's/\(//g' -e 's/\)//g' -e 's/`//g' -e 's/[0-9]//g' -e 's/\[\]//g' -e 's/\[f\]//g' \
         -e 's/\[int\]//g' -e 's/\[//g' -e 's/\+//g' -e 's/-//g' -e 's/&//g' \
    | tr '[:lower:]' '[:upper:]' | sort -u > germanWordlist
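The same cleaning as a Python function, added here as an example and not taken from the slides or from secmon. It follows the intent of the sed chain (split on blanks, `/` and `,`; strip part-of-speech tags; expand `Freund(in)` into both forms; unwrap `(der)`; delete the remaining junk characters and digits; upper-case; sort unique) rather than reproducing the one-liner byte for byte, and it runs on a constructed five-line sample in the style of a bilingual dictionary dump. Regex names and `SAMPLE_DICTIONARY` are inventions of the example.

```python
import re

# Added example (not from the slides): the dictionary "editing" step as named,
# testable functions.  Follows the intent of the sed chain, not its exact quirks.

# Part-of-speech and other bracketed annotations, including the empty "[]".
ANNOTATION = re.compile(
    r"\[(?:Article|Pronoun|Adverb|Noun|Verb|Adjective|Preposition|Conjunction|int|f)?\]")
# Gender/ending markers deleted as a unit before bare parentheses are stripped.
GENDER_MARK = re.compile(r"\((?:f|e)\)")
# "Freund(in)" -> "Freund" and "Freundin"  (the s/^(.+)\((.+)\)/\1\n\1\2/ step).
OPTIONAL_SUFFIX = re.compile(r"^(.+)\((.+)\)")
# "(der)" -> "der"  (the s/^\((.+)\)$/\1/ step).
BRACKETED_WORD = re.compile(r"^\((.+)\)$")
# Characters the chain deletes outright: ~ = . : ; ^ \ " _ ( ) ` [ ] + - & and digits.
JUNK = re.compile(r'[~=.:;^\\"_()`\[\]+\-&0-9]')


def split_entry(line: str) -> list:
    """Whitespace, '/' and ',' all become entry boundaries."""
    return [field for field in re.split(r"[\s/,]+", line) if field]


def expand_token(token: str) -> list:
    """Strip annotations, expand optional endings, delete junk, upper-case.
    Returns zero, one or two candidate words."""
    token = GENDER_MARK.sub("", ANNOTATION.sub("", token))
    match = OPTIONAL_SUFFIX.match(token)
    if match:
        stem, ending = match.group(1), match.group(2)
        variants = [stem, stem + ending + token[match.end():]]
    else:
        match = BRACKETED_WORD.match(token)
        variants = [match.group(1)] if match else [token]
    words = []
    for variant in variants:
        cleaned = JUNK.sub("", variant).upper()
        if cleaned:
            words.append(cleaned)
    return words


def build_wordlist(lines) -> list:
    """Equivalent of tr + sort -u: one upper-case word per line, deduplicated."""
    words = set()
    for line in lines:
        for token in split_entry(line):
            words.update(expand_token(token))
    return sorted(words)


# Constructed sample in the style of a bilingual dictionary dump; not a real file.
SAMPLE_DICTIONARY = [
    "Haus [Noun] house",
    "Freund(in) [Noun] friend",
    "(der) Tisch [Noun] table; Tische",
    "abfahren/losfahren [Verb] to_depart",
    "schon [Adverb] already",
]

if __name__ == "__main__":
    print("\n".join(build_wordlist(SAMPLE_DICTIONARY)))
```

Like the original chain, this keeps the English glosses as candidates too, which is harmless for a cracker dictionary and avoids guessing which column is the headword. Upper-casing is deliberate: the legacy Oracle hash folds case, so a mixed-case list would only cost hashing time.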
secmon: the architecture
secmon: quick facts
• python
• shell scripts
  – (grep, awk, sed)
• multithreaded
  – each remote component controlled by own thread
secmon: the remote component
• ‘run’ executable
  – gets arguments
  – returns result on stdout (stderr)
• easy to add new component
secmon: the remote components
• targetDBComponent
  – gets username and hashes
• crunchComponent
  – does the actual pw checking
• hiddenUserComponent
  – more later
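The component contract on these slides (a `run` program per component, arguments in, result on stdout, errors on stderr, one controlling thread each) is small enough to show end to end. The following is an added example and not secmon's own code: it writes three constructed stand-in components into a temporary directory, drives them from a thread-per-component controller, and collects exit code, stdout and stderr per component. The stand-ins are Python scripts so the example runs anywhere; a real targetDBComponent would query the database, and the hiddenUserComponent here assumes the check of comparing the base table with the view administrators look at, in the spirit of [4], on constructed data. Class and function names are the example's own.

```python
import os
import subprocess
import sys
import tempfile
import threading

# Added example (not secmon's code): the 'run' contract and a thread-per-component
# controller.  All three components below are constructed stand-ins.
COMPONENT_SOURCES = {
    # Constructed: a real targetDBComponent would query the database for the
    # given accounts; this one fabricates a hash per account name.
    "targetDBComponent": (
        "import sys\n"
        "for user in sys.argv[1:]:\n"
        "    print(user.upper() + ':HASH_OF_' + user.upper())\n"
    ),
    # Constructed: assumed check, an account present in the base table but
    # missing from the view is reported as hidden (cf. [4]).
    "hiddenUserComponent": (
        "base_table = {'SYS', 'SYSTEM', 'SCOTT', 'HIDDEN1'}\n"
        "view = {'SYS', 'SYSTEM', 'SCOTT'}\n"
        "for user in sorted(base_table - view):\n"
        "    print('hidden:' + user)\n"
    ),
    # Constructed: a component whose remote side cannot be reached.
    "brokenComponent": (
        "import sys\n"
        "sys.stderr.write('connect failed\\n')\n"
        "sys.exit(2)\n"
    ),
}


class RemoteComponent:
    """Wraps one component directory; the only contract is its 'run' program."""

    def __init__(self, name, directory, timeout=30):
        self.name = name
        self.run_path = os.path.join(directory, "run")
        self.timeout = timeout

    def invoke(self, args):
        """Arguments in, result lines from stdout, error text from stderr."""
        try:
            proc = subprocess.run([sys.executable, self.run_path, *args],
                                  capture_output=True, text=True, timeout=self.timeout)
        except subprocess.TimeoutExpired:
            return {"rc": None, "stdout": [], "stderr": "timeout"}
        return {"rc": proc.returncode,
                "stdout": proc.stdout.splitlines(),
                "stderr": proc.stderr.strip()}


class Controller:
    """One thread per remote component; a slow or failing component never
    blocks the others, and its failure is recorded rather than lost."""

    def __init__(self, components):
        self.components = components

    def run_all(self, jobs):
        results, lock = {}, threading.Lock()

        def worker(name, args):
            outcome = self.components[name].invoke(args)
            with lock:
                results[name] = outcome

        threads = [threading.Thread(target=worker, args=(n, a)) for n, a in jobs.items()]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return results


def install_components(root):
    """Materialise the constructed components as <root>/<name>/run."""
    components = {}
    for name, source in COMPONENT_SOURCES.items():
        directory = os.path.join(root, name)
        os.makedirs(directory)
        with open(os.path.join(directory, "run"), "w") as fh:
            fh.write(source)
        components[name] = RemoteComponent(name, directory)
    return components


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        controller = Controller(install_components(root))
        return controller.run_all({
            "targetDBComponent": ["scott", "system"],
            "hiddenUserComponent": [],
            "brokenComponent": [],
        })


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Adding a component is exactly what the slide says: a new directory with a `run` program, registered with the controller; nothing else changes. Keeping the exit code and stderr per component is what makes the controller useful for monitoring rather than a one-off run: a component that cannot reach its database shows up as a failed check instead of a silent gap in the results.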
secmon: virtual demo
secmon: hiding users[4]
Future
• migration to pdb_backup
• production rollout
• project report & documentation
• release linux version of woraauthbf
• check privileges of users
  – other checks (rootkits…)
questions?
• Thanks to:
  – Maria
  – Luca Canali
  – Dawid
  – Miguel
  – Jacek
  – and the rest of the IT-DM team
references
[1] Wright, Joshua; Cid, Carlos. An Assessment of the Oracle Password Hashing Algorithm. http://www.sans.org/reading_room/special/index.php?id=oracle_pass&ref=911
[2] Donnerer, Michael. A Comparison of Offline Password Cracking Tools for Oracle 10g Databases
[3] Donnerer, Michael. Some performance measurements of woraauthbf
[4] Kornbrust, Alexander. Are Oracle Rootkits Easy To Find? http://blog.red-database-security.com/2007/12/24/are-oracle-rootkits-easy-to-find/