Oracle Security Tools



Similar documents
Oracle Security Auditing

Oracle Security Auditing

Oracle Security on Windows

Oracle 11g Security. Summary of new features (1) Agenda. Summary of new features (3) Summary of new features (2) Introduction - commercial slide.

Detecting and Stopping Cyber Attacks Against Oracle Databases June 25, 2015

Oracle Database Security Myths

How To Secure The Org Database

Detecting and Stopping Cyber Attacks against Oracle Databases

Pentesting / Hacking Oracle databases with

Different ways to guess Oracle database SID

Top Ten Fraud Risks in the Oracle E Business Suite

Oracle Database Security

Real Life Database Security Mistakes. Stephen Kost Integrigy Corporation Session #715

Need for Database Security. Whitepaper

Fixing Common Problems in Data Storage - A Review

Sentrigo Hedgehog Enterprise Review

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

How to Audit the Top Ten E-Business Suite Security Risks

Best Practices for Oracle Databases Hardening Oracle /

D50323GC20 Oracle Database 11g: Security Release 2

Oracle Database 11g: Security. What you will learn:

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Security and Control Issues within Relational Databases

FREQUENTLY ASKED QUESTIONS

Oracle Database 11g: Security Release 2

Pen Testing Databases

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

Open Source Tools for Oracle DBAs

mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer

Oracle Database 11g: Security

Configuring an Alternative Database for SAS Web Infrastructure Platform Services

Tivoli Security Compliance Manager. Version rel. 2 July, Collector and Message Reference Windows Oracle Addendum

linux20 (R12 Server) R Single Node SID - TEST linux1 (10gAS Server) Oracle 10gAS ( ) with OID SID - asinf server name

McAfee Database Security. Dan Sarel, VP Database Security Products

AUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE

PAYMENTVAULT TM LONG TERM DATA STORAGE

Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems

Database security tutorial. Part I

INFORMATION SECURITY TESTING

Oracle Database. 2 Day + Security Guide 11g Release 1 (11.1) B

AN OVERVIEW OF VULNERABILITY SCANNERS

What s New with Oracle Database 12c on Windows On-Premises and in the Cloud

Database Penetration Testing Atlanta OWASP Chapter Meeting 4/21/2011 Michael Raggo, CISSP, NSA-IAM, CCSI, SCSA, ACE, CSI

Oracle Database Vault: Design Failures

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Ethical Hacking Course Layout

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Application Security Testing

Top 10 Database. Misconfigurations.

Deciphering The Prominent Security Tools Ofkali Linux

Hacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo

Installing and Configuring Nessus by Nitesh Dhanjani

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Centralized Oracle Database Authentication and Authorization in a Directory

Internal Penetration Test

To integrate Oracle Application Server with Active Directory follow these steps.

Paul M. Wright Last updated Sunday 25 th February For

Using Nessus In Web Application Vulnerability Assessments

Application Notes for configuring NICE IEX Workforce Management R4.6 with Avaya Proactive Contact R5.0.1 Issue 1.0

PeopleSoft DDL & DDL Management

Oracle Database 11g: Security

Penetration Testing: Advanced Oracle Exploitation Page 1

Security Analysis. Spoofing Oracle Session Information

Secret Server Qualys Integration Guide

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Security Considerations White Paper for Cisco Smart Storage 1

Nessus Agents. October 2015

SQL DATABASE TRAINING PDF

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

State of Wisconsin Database Hosting Services Roles and Responsibilities

Oracle security done right. Secure database access on the (unix and linux) operating system level.

PLOUG Oracle Security. Alexander Kornbrust, Jacek Sapiński 16-Oct-2008 OPITZ CONSULTING. Red-Database-Security GmbH

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Hack Your SQL Server Database Before the Hackers Do

Database Extension 1.5 ez Publish Extension Manual

Manage Your Shop with Policy Based Management & Central Management Server

Improved Penetration Testing of Web Apps and Databases with MatriXay

Implementing Database Security and Auditing

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

CYBERTRON NETWORK SOLUTIONS

Oracle 11g Database Administration

BLIND SQL INJECTION (UBC)

Introduction to Nessus by Harry Anderson last updated October 28, 2003

Securing Your Oracle Database to Protect your Data

MatriXay Database Vulnerability Scanner V3.0

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Oracle. Brief Course Content This course can be done in modular form as per the detail below. ORA-1 Oracle Database 10g: SQL 4 Weeks 4000/-

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

Transcription:

Introduction - Commercial Slide. UKOUG Conference, December 7 th 2007 Oracle Security Tools By Pete Finnigan Written Friday, 19 th October 2007 Founded February 2003 CEO Pete Finnigan Clients UK, States, Europe Specialists in researching and securing Oracle databases http://www.petefinnigan.com Consultancy and training available Author of Oracle security step-by-step Published many papers, regular speaker (UK, USA) 1 2 Agenda Where To Find Oracle Security Tools Where to find Oracle security tools Look at the types of tools (categorize) Consider free and commercial tools Protecting against Oracle Security tools A quick look at what Oracle provides Demo and summarise some of the key tools that can be used http://www.petefinnigan.com/tools.htm 3 4 Oracle Security Tool Categories Discovery tools User enumeration OAK toolkit Sid guessing RDS, Cqure, THC Connect brute force bfora.pl SYSDBA brute force Paul Wright Listener enumerators nmap, metacortex, tnsprobe, WinSID Testing tools Password crackers orabf, woraauthbf, checkpwd Listener enumeration integrigy, DokFleed, tnscmd Default passwords PeteFinnigan.com Inguma Joxean Koret Backtrack CD Oracle Security Tool Categories (2) Scanners Listener scanners Integrigy, DokFleed CIS Benchmark old but the best free scanner Scuba - Imperva RoraScanner Rory McCune Audit scripts (who_has_priv) Pete Finnigan Commercial AppDetective, Squirrel, AuditPro Fuzzers Joxean Koret script + inguma Hardening scripts (similar to SQLsecurity.com for SQL Server) none that I know of 5 6 1

Oracle Security Tool Categories (3) Audit Trail software many e.g. SQL Guard from Guardium No free solutions in same space Many built in solutions Database IDS / IPS Many e.g Hedgehog from Sentrigo No free solutions in same space In-line Patching BlueLane patchpoint and virtualshield Encryption small number of players including Application Security Inc Some free software but no GUI solutions Area Discovery Testing Scanner Fuzzing Hardening Audit Trail IDS / IPS / Patching Encryption Free And Commercial Free Commercial This is not scientific but a simple look at the spread of tools between commercial and free - a trend is visible 7 8 Does Oracle Provide Anything? None of the tools listed above are supplied by Oracle as complete tools BUT Oracle supplies a default password tool 11gR1 has a default password check built in There are no Oracle scanners (at least not public) Oracle does provide various audit scripts (quite old) on Metalink Oracle includes many built in audit solutions and audit vault Oracle also provides many encryption solutions Support And Maintenance All Commercial products can include support and upgrade Free tools depends on developers and Is this an issue? We have source code in lots of cases A lot of tools can be extended A problem of research? A problem of wasted (duplicate) efforts Commercial / free requires careful considerations 9 10 Supporting Role Tools Security Issues With Tools Whilst we are talking about Oracle security tools we should not ignore the platform and network This should include database discovery using network security tools such as nmap, amap, nessus This should also include platform checks. The CIS benchmark tools are very good as a start in this area Protect against tools run on your own databases Just as you can use for audit / testing etc these tools can also be used against you Beware some *rare* tools have virus code included to allow the author to take over your machine One legitimate tool is recognised as a virus / worm Choose extendable tools with source, then from trusted sources. Protection methods? many and varied 11 12 2

Some Demonstrations SIDGuesser Sidguess Patrik Karlsson User Enumeration OAK David Litchfield Default passwords 11g plus Pete Finnigan list Password cracker woraauthbf SYSDBA brute force Paul Wright Listener checks - Integrigy Scanners Scuba - imperva CIS benchmark OScanner Privilege checks PeteFinnigan.com scripts From http://www.cqure.net/tools/sidguesser_win32_1_0_5.zip 13 14 User Enumeration Default Password Check SQL> select * from dba_users_with_defpwd; From http://www.databasesecurity.com/dbsec/oak.zip USERNAME Alternative is to use woraauthbf with a default ------------------------------ file DIP MDSYS See WK_TEST http://www.petefinnigan.com/default/default_p CTSYS assword_list.htm OUTLN EFSYS 11g Uses the old 10gR2 hash MDDATA No passwords available ORDPLUGINS ORDSYS 690 records in the table DB SI_INFORMTN_SCHEMA Remember if found you would still need to WMSYS resolve the case sensitive password in 11g if its not all one case 12 rows selected. Can implement your own version of the same 15 16 Password Cracker (1) Password Cracker (2) Run in SQL*Plus http://soonerorlater.hu/download/woraauthbf_src_0.2.zip http://soonerorlater.hu/download/woraauthbf_0.2.zip Select u.name ':' u.password ':' substr(u.spare4,3,63) ':' d.name ': sys_context('userenv','server_host') ':' from sys.user$ u, sys.v_$database d where u.type#=1; Create a text file with the results mine is called 11g_test.txt SCOTT:9B5981663723A979:71C46D7FD2AB8A607A93489E899C0 8FFDA75B147030761978E640EF57C35:ORA11G:vostok: Then run the cracker As you can see the password is found running at over 1million hashes per second Woraauthbf can also be used to crack from authentication sessions Woraauthbf can be used in dictionary or brute force mode 17 18 3

SYSDBA Brute Force Listener Check C:\tools\brute_wright>orabrute 127.0.0.1 152 2 ora10gr2 100 Orabrute v 1.2 by Paul M. Wright and David J. Morgan: orabrute <hostip> <port> <sid> <millitimewait>sqlplus.exe -S -L "SYS/AASH@127.0.0.1:1522/ora10gr2" as sysdba @selectpassword.sql NAME PASSWORD ------------------------------ ------------------------------ SYS B024681DBF11A33E PUBLIC CONNECT RESOURCE DBA SYSTEM D4DF7931AB130E37 SELECT_CATALOG_ROLE EECUTE_CATALOG_ROLE DELETE_CATALOG_ROLE http://www.ngssoftware.com/research/papers/ EP_FULL_DATABASE oraclepasswords.zip IMP_FULL_DATABASE Works with 10gR2 Can enumerate SIDS using TNS commands From: http://www.integrigy.com/downloads/lsnrcheck.exe 19 20 Sample Audit Checks Using SCUBA Sample Audit Checks Using SCUBA http://www.imperva.com/application_defense_center/scuba/ 21 22 Sample Audit Checks Using SCUBA CIS Benchmark 23 24 4

CIS Benchmark OScanner http://www.cqure.net/wp/?page _id=3 http://www.cisecurity.org/bench_oracle.html 25 26 PL/SQL Scripts PL/SQL Scripts (2) 27 28 Conclusions Looked at where to find Oracle security tools Look at the types of tools and categorized them Considered free and commercial tools Looked at protecting against Oracle Security tools A quick look at what Oracle provides Demonstrated some of the key tools that can be used The free tools tend to occupy the enumerate, test and scan areas Any Questions? 29 30 5

Contact - Pete Finnigan 9 Beech Grove, Acomb York, YO26 5LD Phone: +44 (0) 1904 791188 Mobile: +44 (0) 7742 114223 Email: pete@petefinnigan.com 31 6