Secmon Basic Oracle Security Monitoring. motivation & start internet security evaluate password...

Post on 05-Jan-2016


secmon

Basic Oracle Security Monitoring

motivation & start

• internet security
• evaluate password cracker to check security of passwords

problems

• default passwords (Oracle)
  – Scott/Tiger
• username = password
  – (slight permutations)
• hidden users (rootkits)

oracle passwords[1]

• username prepended as salt
  – oracl:epwd same as oracle:pwd
• only uppercase
• fast hashing

Results of Evaluation[2]

program      version  source  binaries         multi-threaded  test1  test2  test3
orabf        0.7.6    closed  win              no              0.1s   1.8s   473.3s
checkpwd     1.23     closed  win, linux, mac  claimed         1.1s   8.9s   1197.7s
woraauthbf   0.21R2   open    win              yes             0.2s   1.3s   358.8s

Further performance tests of woraauthbf were performed on different hardware[3]

the winner: woraauthbf

• reasonably fast
• multi-threaded
• open source
• no Linux version

customizing woraauthbf

• my port of woraauthbf to linux
  – C/C++
  – replacing Windows functions
  – version 0.21 and 0.22
  – changes probably in 0.23

woraauthbf: the bugs

• in permutation generation
• one misplaced pointer
• race condition
  – My mistake

woraauthbf: the enhancements

• removed all warnings
• icc
• multithreading of permutation checking & generating

woraauthbf: enhancement results[3]

~150 user names; ~1.5 million dictionary entries

good dictionaries are needed

• but are hard to find
• combine high quality ones with ‘edited’ low quality ones

dictionaries: the sources

• Wordlist project on sourceforge[4]
  – http://wordlist.sourceforge.net/
• ftp://ftp.cerias.purdue.edu/pub/dict/
• ftp://ftp.ox.ac.uk/pub/wordlists
• Internet Dictionary Project
  – http://www.ilovelanguages.com/IDP/
• French, German, Italian, Portuguese, Spanish, Dutch, Polish…

dictionaries: the ‘editing’

• glance through
• strip the markup from German.txt, one word per line, uppercase, deduplicated:

    cat German.txt \
      | sed -r 's/[[:blank:]]+/\n/g' | sed -r 's/~//g' | sed -r 's/=//g' \
      | sed -r 's/\[Article\]//g' | sed -r 's/\[Pronoun\]//g' \
      | sed -r 's/\//\n/g' | sed -r 's/\.//g' | sed -r 's/,/\n/g' | sed -r 's/~//g' \
      | sed -r 's/\[Adverb\]//g' | sed -r 's/\[Noun\]//g' | sed -r 's/://g' \
      | sed -r 's/\[Verb\]//g' | sed -r 's/\[Adjective\]//g' | sed -r 's/;//g' \
      | sed -r 's/^(.+)\((.+)\)/\1\n\1\2/g' | sed -r 's/^\((.+)\)$/\1/g' \
      | sed -r 's/\(f\)//g' | sed -r 's/\(e\)//g' | sed -r 's/\^//g' | sed -r 's/\\//g' \
      | sed -r 's/\[Preposition\]//g' | sed -r 's/\[Conjunction\]//g' \
      | sed -r 's/\"//g' | sed -r 's/_//g' | sed -r 's/\(//g' | sed -r 's/\)//g' \
      | sed -r 's/`//g' | sed -r 's/[0-9]//g' | sed -r 's/\[\]//g' | sed -r 's/\[f\]//g' \
      | sed -r 's/\[int\]//g' | sed -r 's/\[//g' | sed -r 's/\+//g' | sed -r 's/-//g' \
      | sed -r 's/&//g' \
      | tr '[:lower:]' '[:upper:]' | sort -u > germanWordlist

secmon: the architecture

secmon: quick facts

• python
• shell scripts
  – (grep, awk, sed)
• multithreaded
  – each remote component controlled by own thread

secmon: the remote component

• ‘run’ executable
  – gets arguments
  – returns result on stdout (stderr)
• easy to add new component

secmon: the remote components

• targetDBComponent
  – gets username and hashes
• crunchComponent
  – does the actual pw checking
• hiddenUserComponent
  – more later
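A controller in the shape the slides describe, added here as an example (not secmon's own code): one thread per remote component, each running that component's ‘run’ executable with its arguments and collecting stdout, stderr and the exit status. The component names are those listed above; the stand-in commands and the ‘SCOTT HASH_PLACEHOLDER’ result line are constructed for the demo.

```python
import subprocess
import sys
import threading
from dataclasses import dataclass


@dataclass
class ComponentResult:
    name: str
    returncode: int   # -1 when the component could not be started or timed out
    stdout: str       # the component's result, as secmon reads it
    stderr: str       # diagnostics, kept for the operator


def run_component(name, argv, timeout=60.0):
    """Run one remote component's 'run' executable (argv[0]) with its arguments."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ComponentResult(name, -1, "", "timeout after %.0fs" % timeout)
    except OSError as exc:  # executable missing or not runnable
        return ComponentResult(name, -1, "", str(exc))
    return ComponentResult(name, proc.returncode, proc.stdout, proc.stderr)


def run_components(components, timeout=60.0):
    """Start every component (name -> argv) in its own thread; collect all results."""
    results, lock = {}, threading.Lock()

    def worker(name, argv):
        res = run_component(name, argv, timeout)
        with lock:
            results[name] = res

    threads = [threading.Thread(target=worker, args=item) for item in components.items()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def failed(results):
    """Names of components that did not return a usable result (non-zero exit)."""
    return sorted(n for n, r in results.items() if r.returncode != 0)


def demo_components():
    """Constructed stand-ins for the real 'run' executables (hypothetical output)."""
    return {
        "targetDBComponent": [sys.executable, "-c", "print('SCOTT HASH_PLACEHOLDER')"],
        "crunchComponent": [sys.executable, "-c",
                            "import sys; sys.stderr.write('no dictionary\\n'); sys.exit(2)"],
    }
```

`run_components(demo_components())` returns one result per component; `failed()` lists the ones whose stderr and exit status need an operator's attention instead of being parsed as a result.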

secmon: virtual demo

secmon: hiding users[4]

Future

• migration to pdb_backup
• production rollout
• project report & documentation
• release linux version of woraauthbf
• check privileges of users
  – other checks (rootkits…)

questions?

• Thanks to:
  – Maria
  – Luca Canali
  – Dawid
  – Miguel
  – Jacek
  – and the rest of the IT-DM team

references

[1] Wright, Joshua; Cid, Carlos. An Assessment of the Oracle Password Hashing Algorithm. http://www.sans.org/reading_room/special/index.php?id=oracle_pass&ref=911

[2] Donnerer, Michael. A Comparison of Offline Password Cracking Tools for Oracle 10g Databases.

[3] Donnerer, Michael. Some performance measurements of woraauthbf.

[4] Kornbrust, Alexander. Are Oracle Rootkits Easy To Find? http://blog.red-database-security.com/2007/12/24/are-oracle-rootkits-easy-to-find/