How Safe are Oracle Passwords?


How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon

Who is Troy?
Over 35 years of experience in the IT field
Focused on Oracle systems since 1983 (version 3)
IBM – Developer, Robot Communications and Compiler Design
Ligon Solutions – President and CEO
CitiBank – VP Global Database Systems
PriceWaterhouseCoopers – Senior Principal DBA
Nielsen – Principal Architect
President of the SOUG in Tampa, Florida
IOUG Collaborate Track Manager for the High Availability track

How do I gain access to an Oracle database?

Authentication Methods
Password: stored in the database
Externally:
  O/S authentication (OPS$)
  as ‘PKI_Cert_Distinguished_Name’ (from SSL wallet)
  as ‘Kerberos_Principal_Name’ (from Kerberos server)
Globally (LDAP):
  Shared global schema in Enterprise Directory
  Schema in Enterprise Directory mapped by Distinguished Name

Classic Password Attacks
Guess
Social engineering
Watching the keyboard (shoulder surfing, camera)
Keylogger (software, USB, built into the keyboard)
Network sniffer (Wireshark)
Dictionary attack (checkpwd – Red Database Security)
Brute force attack (woraauthbf – László Tóth)
Rainbow table attack (ophcrack – Objectif Sécurité)
Dictionary / rainbow table hybrid attack

What’s the Big Deal? With a simple PROFILE setting, wouldn’t the account get locked due to too many failed login attempts?

What if I have access to USER$?
ORA10g: sys.dba_users.password = pre-11g version, case-insensitive hash
ORA11g: sys.user$.password = pre-11g version, case-insensitive hash
ORA11g: sys.user$.spare4 = ‘S:’ prefix, then SHA1(pwd concat with salt) concat with salt, both as hex (40 hex chars of hash, 20 hex chars for the 10-byte salt)

  -- pre-11g hash, 11g SHA-1 hash and its salt for one account
  select password               hash10g,
         substr(spare4, 3, 40)  hash11g,
         substr(spare4, 43, 20) salt
    from sys.user$
   where name = upper('&USERNAME');

SHA1 – Secure Hash Algorithm Well known algorithm, developed by the NSA, published in 1995, based on Message Digest MD4 and MD5, 160-bit / 20-byte / 40 char HEX hash

Of Course it’s Easy if I’m SYS! What if I don’t have access to the database?

Stealth Password Cracking Vulnerability
Esteban Martinez Fayo – AppSecInc.com
Q & A

http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/

https://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012

What does this Look Like? After the client sends its username, the server responds with the AUTH_SESSKEY and AUTH_VFR_DATA:

So How Would This Work?
1. Get the SALT (available through the AUTH_VFR_DATA field)
2. Get the encrypted server session key (available through the AUTH_SESSKEY field)
3. Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash
4. Once you have the SALT and the SHA-1 hash value, brute force the password.

The flaw leaks an unencrypted version of this key.

With the SALT, you can loop through possible passwords, generating SHA-1 hashes and comparing them to the captured hash. A brute force crack of this type can discover an 8-character password in about 5 hours.

Now step 4 is moot, as it is the password from the brute force loop that generated a matching hash.
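The spare4 layout from the USER$ slide and the compare loop above, as an added Python example that is not from the presentation. It assumes the slide's layout ('S:' + 40 hex chars of SHA-1 + 20 hex chars of a 10-byte salt) and UTF-8 password bytes; the sample account, password and salt are constructed. The same check is what a defender runs as a weak-password audit (the job checkpwd does) rather than against captured traffic.

```python
from __future__ import annotations

import hashlib
import os

# Added example, not from the presentation. Layout of sys.user$.spare4 for an
# 11g account, as described on the slide and assumed here:
#   'S:' + hex(SHA1(password || salt)) + hex(salt), with a 10-byte salt.
# Password bytes are assumed to be UTF-8.
SALT_LEN = 10


def make_spare4(password: str, salt: bytes | None = None) -> str:
    """Build an 'S:' verifier for a password (random salt if none is given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_spare4(spare4: str) -> tuple[str, bytes]:
    """Split 'S:' + 40 hex hash + 20 hex salt, the same cut as the slide's substr() calls."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        raise ValueError("not an 11g 'S:' verifier")
    return spare4[2:42].lower(), bytes.fromhex(spare4[42:62])


def check_password(spare4: str, candidate: str) -> bool:
    """Recompute SHA1(candidate || salt) and compare; case matters, unlike pre-11g."""
    hash_hex, salt = parse_spare4(spare4)
    return hashlib.sha1(candidate.encode("utf-8") + salt).hexdigest() == hash_hex


def weak_password_audit(users: dict[str, str], wordlist: list[str]) -> list[str]:
    """Defender-side check: accounts whose verifier matches a password on the list."""
    return [name for name, v in users.items()
            if any(check_password(v, w) for w in wordlist)]


if __name__ == "__main__":
    # Constructed sample account: fixed salt so the verifier is reproducible.
    fixed_salt = bytes(range(SALT_LEN))
    verifier = make_spare4("Tiger123", fixed_salt)
    print(verifier)
    print(check_password(verifier, "Tiger123"))   # True
    print(check_password(verifier, "tiger123"))   # False: 11g verifier is case-sensitive
    # Two constructed accounts; only SCOTT's password appears in the word list.
    users = {"SCOTT": verifier, "APP": make_spare4("x7!qL2pw#Vb")}
    print(weak_password_audit(users, ["tiger", "Tiger123", "manager"]))   # ['SCOTT']
```

Because every account carries its own salt, the same password yields a different spare4 value per user, which is why the rainbow-table shortcut mentioned later applies to the unsalted pre-11g hash and not to this one.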

5 Hours? Really?
A 3-GHz Pentium 4 brute forces the 26-character ASCII namespace in:
LENGTH                      TIME
5-character combinations    10 seconds
6-character combinations    5 minutes
7-character combinations    2 hours
8-character combinations    2.1 days
9-character combinations    57 days
10-character combinations   4 years

5 Hours? Really?
One AMD Radeon HD7970 GPU can average 8.2 billion password tries/sec
oclHashcat-plus can utilize multiple GPUs for exponential performance improvement
Rainbow tables can utilize pre-calculated values to cut even more time

5 Hours? Really? Here’s an 8-Radeon card computer for about $12k that can brute force the entire 8-character namespace (upper/lower/digit/symbol) in 12 hours!!!

Why is this so Insidious?
Wouldn’t the account get locked due to too many failed login attempts?
No! You don’t get locked out, because once you grab the AUTH_VFR_DATA and AUTH_SESSKEY, the rest is offline activity.

How to Protect Against This?
Note that this is a flaw in the O5LOGON protocol. O5LOGON came out with Oracle 11.1 (client and server).
Upgrade to Oracle 12c, or go back to the O3LOGON protocol.

How to Go Back to O3LOGON?
  -- disable case-sensitive (11g) logon so the pre-11g verifier is used
  alter system set sec_case_sensitive_logon=FALSE scope=BOTH;
  -- recreate the password file without case sensitivity
  orapwd file=pwdSID.ora ignorecase=y
  -- the new password file has no entries, so re-grant the privileged accounts
  grant sysdba to USER1;
  grant sysoper to USER2;

So Now I’m Safe…Right? WRONG!!!

Standing on the Shoulders of Giants
Alexander Kornbrust
Pete Finnigan
David Litchfield
Paul Wright
Zsombor Kovács
Ettienne Vorster
László Tóth
Ferenc Spala

Troy Ligon tligon@soug.org
If you know neither the enemy nor yourself, you will succumb in every battle. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. But if you know the enemy and know yourself, you need not fear the result of a hundred battles. – Sun Tzu, The Art of War