Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Safe are Oracle Passwords?

Published byJovany Dobkin Modified over 9 years ago

Similar presentations

Presentation on theme: "How Safe are Oracle Passwords?"— Presentation transcript:

1 How Safe are Oracle Passwords?
Quick Tip Session UGF9198 Troy Ligon

2 Who is Troy? Over 35 years experience in the IT field
Focused on Oracle systems since 1983 (version 3) IBM – Developer Robot Communications and Complier Design Ligon Solutions – President and CEO CitiBank – VP Global Database Systems PriceWaterhouseCoopers – Senior Principal DBA Nielsen – Principal Architect President of the SOUG in Tampa, Florida IOUG Collaborate Track Manager for High Availability track

3 How do I gain access to an Oracle database?

4 Authentication Methods
Password: Stored in the database Externally: O/S Authentication (OPS$) as ‘PKI_Cert_Distinguished_Name’ (from ssl wallet) as ‘Kerberos_Principal_Name’ (from Kerberos server) Globally (LDAP): Shared Global Schema in Enterprise Directory Schema in Enterprise Directory Distinguished Name

5 Classic Password Attacks
Guess Social Engineering Watching the keyboard (shoulder surfing, camera) Keylogger (software, USB, built into the keyboard) Network sniffer (wireshark) Dictionary attack (checkpwd – Red Database Security) Brute force attack (woraauthbf – László Tóth) Rainbow Table attack (ophcrack – Objectif Sécurité) Dictionary / Rainbow Table Hybrid attack

6 With a simple PROFILE setting,
What’s the Big Deal? With a simple PROFILE setting, wouldn’t the account get locked due to too many failed login attempts?

7 What if I have access to USER$?
ORA10g: sys.dba_users.password = pre-11g version, case-insensitive hash ORA11g: sys.user$.password = pre-11g version, case-insensitive hash sys.user$.spare4 = SHA1(pwd concat with salt) concat with salt select password hash10g, substr(spare4, 3, 40) hash11g, substr(spare4,43,10) salt from sys.user$ where name=&USERNAME;

8 SHA1 – Secure Hash Algorithm
Well known algorithm, developed by the NSA, published in 1995, based on Message Digest MD4 and MD5, 160-bit / 20-byte / 40 char HEX hash

9 Of Course it’s Easy if I’m SYS! What if I don’t have access
to the database?

10 Stealth Password Cracking Vulnerability
Esteban Martinez Fayo – AppSecInc.com Q & A

11

12 https://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012

13 https://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012

14 What does this Look Like?
After the client sends its username, the server responds with the AUTH_SESSKEY and AUTH_VFR_DATA:

15 So How Would This Work? Get the SALT (available through AUTH_VRF_DATA field) Get the encrypted server session key (available through AUTH_SESSKEY field) Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash Once you have the SALT and the SHA-1 hash value, brute force the password.

16 Flaw Leaks Unencrypted version of this Key
So How Would This Work? Get the SALT (available through AUTH_VRF_DATA field) Get the encrypted server session key (available through AUTH_SESSKEY field) Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash Once you have the SALT and the SHA-1 hash value, brute force the password. Flaw Leaks Unencrypted version of this Key

17 So How Would This Work? Get the SALT (available through AUTH_VRF_DATA field) Get the encrypted server session key (available through AUTH_SESSKEY field) Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash Once you have the SALT and the SHA-1 hash value, brute force the password. With the SALT, you can loop thru possible passwords, generating SHA-1 hashes and comparing them to captured hash. A brute force crack of this type can discover an 8-character password in about 5 hours.

18 So How Would This Work? Get the SALT (available through AUTH_VRF_DATA field) Get the encrypted server session key (available through AUTH_SESSKEY field) Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash Once you have the SALT and the SHA-1 hash value, brute force the password. Now 4. is moot, as it is the password from the brute force loop that generated a matching hash.

19 5 Hours? Really? A 3-GHz Pentium 4 brute forces the
26-character ASCII namespace in: LENGTH TIME 5-character-combinations 10 seconds 6-character-combinations 5 minutes 7-character-combinations 2 hours 8-character-combinations 2.1 days 9-character-combinations 57 days 10-character-combinations 4 years

20 One AMD Radeon HD7970 GPU can average 8.2 billion password trys/sec
5 Hours? Really? One AMD Radeon HD7970 GPU can average 8.2 billion password trys/sec oclHashcat-plus can utilize multiple GPUs for exponential performance improvement Rainbow tables can utilize pre- calculated values to cut even more time

21 5 Hours? Really? Here’s an 8-Radeon card computer for about $12k that can brute force the entire 8-character namespace (upper/lower/digit/symbol) in 12 hours!!!

22 Why is this so Insidious?
Wouldn’t the account get locked due to too many failed login attempts?

23 Why is this so Insideous?
Wouldn’t the account get locked due to too many failed login attempts? No! You don’t get locked because once you grab the AUTH_VRY_DATA and AUTH_SESSKEY, the rest is offline activity.

24 How to Protect Against This?

25 How to Protect Against This?
Note that this is a flaw in O5LOGON protocol O5LOGON came out with Oracle 11.1 (client and server)

26 Go back to O3LOGON protocol
How to Protect Against This? Upgrade to Oracle 12c - or – Go back to O3LOGON protocol

27 How to Go Back to O3LOGON? alter system set sec_case_sensitive_logon=FALSE scope=BOTH; orapwd file=pwdSID.ora ignorecase=y grant sysdba to USER1; grant sysoper to USER2;

28 So Now I’m Safe…Right?

29 So Now I’m Safe…Right? WRONG!!!

30

31 Standing on the Shoulders of Giants
Alex Kornbust Pete Finnigen David Litchfield Paul Wright Zsombor Kovács Ettienne Vorster László Tóth Ferenc Spala

32 Troy Ligon tligon@soug.org
If you don't know neither the enemy nor yourself, you will succumb in every battle. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. But if you know the enemy and know yourself, you need not fear the result of a hundred battles. - Sun Tzu, The Art of War Session UGF9198 Troy Ligon

Download ppt "How Safe are Oracle Passwords?"

Similar presentations

1 Password-based authenticated key exchange Ravi Sandhu.

1 Password-based authenticated key exchange Ravi Sandhu.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales.

Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales.
Client Principal in the wild

Client Principal in the wild
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Oracle Database Security

Oracle Database Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

Similar presentations

Ads by Google