secmon
Basic Oracle Security Monitoring
motivation & start
• internet security
• evaluate password cracker to check security of passwords
problems
• default passwords (Oracle)
  – Scott/Tiger
• username = password
  – (slight permutations)
• hidden users (rootkits)
oracle passwords[1]
• username prepended as salt
  – oracl:epwd same as oracle:pwd
• only uppercase
• fast hashing
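
The two slides above ("problems" and "oracle passwords") translate into a check that can run when a password is set. This is an added example, not secmon or woraauthbf code: it models only the input handling the slide states (username prepended, everything upper-cased), leaves the cipher step out, and the function names and the particular "slight permutations" tested are assumptions.

```python
import re

def hash_input(username, password):
    """Material that gets hashed: username prepended to the password, upper-cased."""
    return (username + password).upper()

def collides(cred_a, cred_b):
    """True when two (username, password) pairs feed identical input to the hash."""
    return hash_input(*cred_a) == hash_input(*cred_b)

def rejection_reason(username, password, defaults=(("SCOTT", "TIGER"),)):
    """Return which of the slide's problems a proposed password has, or None."""
    # The hash ignores case, so the policy check has to ignore it as well.
    user, pwd = username.upper(), password.upper()
    if (user, pwd) in defaults:
        return "default password"
    # Assumed permutations: digits/symbols added at either end, reversal, doubling.
    core = re.sub(r"^[^A-Z]+|[^A-Z]+$", "", pwd)
    if {pwd, core} & {user, user[::-1], user * 2}:
        return "username = password (slight permutation)"
    return None

if __name__ == "__main__":
    print(collides(("oracl", "epwd"), ("oracle", "pwd")))
    for user, pwd in [("scott", "Tiger"), ("app", "App123"), ("app", "Tr1cky-Horse")]:
        print(user, pwd, "->", rejection_reason(user, pwd))
```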
Results of Evaluation[2]
program     version  source  binaries         multi-threaded  test1  test2  test3
orabf       0.7.6    closed  win              no              0.1s   1.8s   473.3s
checkpwd    1.23     closed  win, linux, mac  claimed         1.1s   8.9s   1197.7s
woraauthbf  0.21R2   open    win              yes             0.2s   1.3s   358.8s
Further performance tests of woraauthbf were performed on different hardware[3]
the winner: woraauthbf
• reasonably fast
• multi-threaded
• open source
• no Linux version
customizing woraauthbf
• my port of woraauthbf to linux
  – C/C++
  – replacing Windows functions
  – version 0.21 and 0.22
  – changes probably in 0.23
woraauthbf: the bugs
• in permutation generation
• one misplaced pointer
• race condition
  – My mistake
woraauthbf: the enhancements
• removed all warnings
• icc
• multithreading of permutation checking & generating
woraauthbf: enhancement results[3]
~150 user names; ~1.5 million dictionary entries
good dictionaries are needed
• but are hard to find
• combine high quality ones with ‘edited’ low quality ones
dictionaries: the sources
• Wordlist project on sourceforge[4]
  – http://wordlist.sourceforge.net/
• ftp://ftp.cerias.purdue.edu/pub/dict/
• ftp://ftp.ox.ac.uk/pub/wordlists
• Internet Dictionary Project
  – http://www.ilovelanguages.com/IDP/
• French, German, Italian, Portuguese, Spanish, Dutch, Polish…
dictionaries: the ‘editing’
• glance through
• sed -r 's/[[:blank:]]+/\n/g' German.txt \
    | sed -r -e 's/~//g' -e 's/=//g' -e 's/\[Article\]//g' -e 's/\[Pronoun\]//g' -e 's/\//\n/g' \
    | sed -r -e 's/\.//g' -e 's/,/\n/g' \
    | sed -r -e 's/~//g' -e 's/\[Adverb\]//g' -e 's/\[Noun\]//g' -e 's/://g' -e 's/\[Verb\]//g' \
             -e 's/\[Adjective\]//g' -e 's/;//g' -e 's/^(.+)\((.+)\)/\1\n\1\2/g' \
    | sed -r -e 's/^\((.+)\)$/\1/g' -e 's/\(f\)//g' -e 's/\(e\)//g' -e 's/\^//g' -e 's/\\//g' \
             -e 's/\[Preposition\]//g' -e 's/\[Conjunction\]//g' -e 's/\"//g' -e 's/_//g' \
             -e 's/\(//g' -e 's/\)//g' -e 's/`//g' -e 's/[0-9]//g' -e 's/\[\]//g' -e 's/\[f\]//g' \
             -e 's/\[int\]//g' -e 's/\[//g' -e 's/\+//g' -e 's/-//g' -e 's/&//g' \
    | tr '[:lower:]' '[:upper:]' \
    | sort -u > germanWordlist
secmon: the architecture
secmon: quick facts
• python
• shell scripts
  – (grep, awk, sed)
• multithreaded
  – each remote component controlled by own thread
secmon: the remote component
• ‘run’ executable
  – gets arguments
  – returns result on stdout (stderr)
• easy to add new component
secmon: the remote components
• targetDBComponent
  – gets username and hashes
• crunchComponent
  – does the actual pw checking
• hiddenUserComponent
  – more later
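
A sketch of the controller pattern these slides describe: one thread per component, each component being a ‘run’ executable that gets arguments and reports on stdout (stderr). This is an added example, not secmon's code; the function names, the timeout and the stand-in commands are assumptions, and the components are started locally rather than on a remote host.

```python
import subprocess
import sys
import threading

def run_component(name, argv, results, timeout=30):
    """Run one component's 'run' executable and record what it reported."""
    try:
        # argv is a list and no shell is involved, so usernames or hashes
        # passed as arguments are never interpreted as shell syntax.
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        results[name] = {"ok": proc.returncode == 0,
                         "stdout": proc.stdout.strip(),
                         "stderr": proc.stderr.strip()}
    except subprocess.TimeoutExpired:
        # A hung component must not block the whole monitoring run.
        results[name] = {"ok": False, "stdout": "", "stderr": "timeout"}
    except OSError as exc:  # executable missing or not runnable
        results[name] = {"ok": False, "stdout": "", "stderr": str(exc)}

def run_all(components, timeout=30):
    """Start one controlling thread per component and wait for all of them."""
    results = {}  # each thread writes only its own key
    threads = [threading.Thread(target=run_component, args=(name, argv, results, timeout))
               for name, argv in components.items()]
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    return results

# Constructed stand-ins for the component executables (assumption: the real
# components are separate programs; here each one is a Python one-liner).
PY = sys.executable
DEMO_COMPONENTS = {
    "targetDBComponent": [PY, "-c", "print('SCOTT:<hash placeholder>')"],
    "crunchComponent": [PY, "-c", "import sys; print('checked', sys.argv[1])", "SCOTT;echo x"],
    "hiddenUserComponent": [PY, "-c", "import sys; sys.stderr.write('no db'); sys.exit(2)"],
}

if __name__ == "__main__":
    for name, result in run_all(DEMO_COMPONENTS).items():
        print(name, result)
```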
secmon: virtual demo
secmon: hiding users[4]
Future
• migration to pdb_backup
• production rollout
• project report & documentation
• release linux version of woraauthbf
• check privileges of users
  – other checks (rootkits…)
questions?
• Thanks to:
  – Maria
  – Luca Canali
  – Dawid
  – Miguel
  – Jacek
  – and the rest of the IT-DM team
references
[1] Wright, Joshua; Cid, Carlos. An Assessment of the Oracle Password Hashing Algorithm. http://www.sans.org/reading_room/special/index.php?id=oracle_pass&ref=911
[2] Donnerer, Michael. A Comparison of Offline Password Cracking Tools for Oracle 10g Databases.
[3] Donnerer, Michael. Some performance measurements of woraauthbf.
[4] Kornbrust, Alexander. Are Oracle Rootkits Easy To Find? http://blog.red-database-security.com/2007/12/24/are-oracle-rootkits-easy-to-find/