how safe are oracle passwords? quick tip session ugf9198 troy ligon
TRANSCRIPT
![Page 1: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/1.jpg)
How Safe are
Oracle Passwords?
Quick TipSession UGF9198
Troy Ligon
![Page 2: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/2.jpg)
Who is Troy?
• Over 35 years' experience in the IT field
• Focused on Oracle systems since 1983 (version 3)
• IBM – Developer, Robot Communications and Compiler Design
• Ligon Solutions – President and CEO
• CitiBank – VP Global Database Systems
• PriceWaterhouseCoopers – Senior Principal DBA
• Nielsen – Principal Architect
• President of the SOUG in Tampa, Florida
• IOUG Collaborate Track Manager for High Availability track
![Page 3: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/3.jpg)
How do I gain access to an
Oracle database?
![Page 4: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/4.jpg)
Authentication Methods
Password:
• Stored in the database
Externally:
• O/S Authentication (OPS$)
• as ‘PKI_Cert_Distinguished_Name’ (from SSL wallet)
• as ‘Kerberos_Principal_Name’ (from Kerberos server)
Globally (LDAP):
• Shared Global Schema in Enterprise Directory
• Schema in Enterprise Directory Distinguished Name
![Page 5: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/5.jpg)
Classic Password Attacks
• Guess
• Social Engineering
• Watching the keyboard (shoulder surfing, camera)
• Keylogger (software, USB, built into the keyboard)
• Network sniffer (Wireshark)
• Dictionary attack (checkpwd – Red Database Security)
• Brute force attack (woraauthbf – László Tóth)
• Rainbow Table attack (ophcrack – Objectif Sécurité)
• Dictionary / Rainbow Table Hybrid attack
![Page 6: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/6.jpg)
What’s the Big Deal?
With a simple PROFILE setting, wouldn't the account get locked due to too many failed login attempts?
![Page 7: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/7.jpg)
What if I have access to USER$?
ORA10g: sys.dba_users.password = pre-11g version, case-insensitive hash
ORA11g: sys.user$.password = pre-11g version, case-insensitive hash
        sys.user$.spare4 = SHA1(pwd concat with salt) concat with salt, both hex-encoded after a two-character prefix (which the substr offsets below skip)

```sql
-- hash10g: legacy case-insensitive hash
-- hash11g: 40 hex characters of SHA1(pwd || salt)
-- salt:    the 10-byte salt that follows it, as 20 hex characters
select password               hash10g,
       substr(spare4, 3, 40)  hash11g,
       substr(spare4, 43, 20) salt
  from sys.user$
 where name = '&USERNAME';
```
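The storage format on this slide, as an added worked example that is not part of the presentation: a standard-library Python routine that builds an 11g-style `S:` verifier (hex SHA-1 of password plus salt, followed by the hex salt), parses one back out of a `spare4` value, and checks a candidate password against it. The salt value is constructed for reproducibility; the `;`-separated handling of additional sections is an assumption about later releases and is not described on the slide.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed 10-byte salt so the example is reproducible; a real verifier uses a random one.
EXAMPLE_SALT = bytes.fromhex("0102030405060708090A")


def make_11g_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style 'S:' verifier: 'S:' + hex(SHA1(pwd || salt)) + hex(salt)."""
    if salt is None:
        salt = os.urandom(10)          # 10-byte salt, stored as 20 hex characters
    if len(salt) != 10:
        raise ValueError("11g salt must be exactly 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_11g_verifier(spare4: str) -> Tuple[bytes, bytes]:
    """Return (sha1_digest, salt) from the 'S:' section of a spare4 value.

    Assumption: later releases may append further ';'-separated sections
    (e.g. an 'H:' section); only the 'S:' section is used here.
    """
    for section in spare4.split(";"):
        if section.startswith("S:"):
            body = section[2:]
            if len(body) != 60:
                raise ValueError("S: section must be 40 hex digest + 20 hex salt")
            return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])
    raise ValueError("no S: section found")


def verify_11g(password: str, spare4: str) -> bool:
    """Check a candidate password against a stored verifier with a constant-time compare."""
    stored_digest, salt = parse_11g_verifier(spare4)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    verifier = make_11g_verifier("Welcome1", EXAMPLE_SALT)
    print(verifier)
    # 11g verifiers are case-sensitive: only the exact password matches.
    print(verify_11g("Welcome1", verifier), verify_11g("welcome1", verifier))
```

Two things worth noticing: the 11g scheme is a single SHA-1 over password and salt with no iteration, so one guess costs one hash (which is why the GPU rates later in this deck apply directly), and, unlike the pre-11g hash, it is case-sensitive, which is the property `sec_case_sensitive_logon` switches on and off.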
![Page 8: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/8.jpg)
SHA1 – Secure Hash Algorithm
![Page 9: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/9.jpg)
Of Course it’s Easy if I’m SYS!
What if I don’t have access to the database?
![Page 10: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/10.jpg)
Stealth Password Cracking Vulnerability
Esteban Martinez Fayo – AppSecInc.com
![Page 11: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/11.jpg)
http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/
![Page 12: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/12.jpg)
https://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
![Page 13: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/13.jpg)
https://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
![Page 14: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/14.jpg)
What does this Look Like?
After the client sends its username, the server responds with the AUTH_SESSKEY and AUTH_VFR_DATA:
![Page 15: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/15.jpg)
So How Would This Work?
1. Get the SALT (available through the AUTH_VFR_DATA field)
2. Get the encrypted server session key (available through the AUTH_SESSKEY field)
3. Brute force the AES 192-bit encrypted AUTH_SESSKEY to determine the SHA-1 password hash
4. Once you have the SALT and the SHA-1 hash value, brute force the password.
![Page 16: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/16.jpg)
The flaw leaks the unencrypted version of this session key.
![Page 17: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/17.jpg)
With the SALT, you can loop through possible passwords, generating SHA-1 hashes and comparing them to the captured hash. A brute force crack of this type can discover an 8-character password in about 5 hours.
![Page 18: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/18.jpg)
Step 4 is now moot: the password is the candidate from the brute force loop that generated the matching hash.
![Page 19: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/19.jpg)
5 Hours? Really?
A 3-GHz Pentium 4 brute forces the 26-character ASCII namespace in:

| LENGTH                   | TIME       |
|--------------------------|------------|
| 5-character combinations | 10 seconds |
| 6-character combinations | 5 minutes  |
| 7-character combinations | 2 hours    |
| 8-character combinations | 2.1 days   |
| 9-character combinations | 57 days    |
| 10-character combinations | 4 years   |
![Page 20: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/20.jpg)
5 Hours? Really?
One AMD Radeon HD7970 GPU can average 8.2 billion password tries/sec.
oclHashcat-plus can utilize multiple GPUs for exponential performance improvement.
Rainbow tables can utilize pre-calculated values to cut even more time.
![Page 21: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/21.jpg)
5 Hours? Really?
Here’s an 8-Radeon card computer for about $12k that can brute force the entire 8-character namespace (upper/lower/digit/symbol) in 12 hours!!!
![Page 22: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/22.jpg)
Why is this so Insidious?
Wouldn’t the account get locked due to too many failed login attempts?
![Page 23: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/23.jpg)
Why is this so Insidious?
Wouldn’t the account get locked due to too many failed login attempts?
No! You don’t get locked because once you grab the AUTH_VFR_DATA and AUTH_SESSKEY, the rest is offline activity.
![Page 24: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/24.jpg)
How to Protect Against This?
![Page 25: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/25.jpg)
How to Protect Against This?
Note that this is a flaw in the O5LOGON protocol.
O5LOGON came out with Oracle 11.1 (client and server).
![Page 26: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/26.jpg)
How to Protect Against This?
Upgrade to Oracle 12c
– or –
Go back to O3LOGON protocol
![Page 27: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/27.jpg)
How to Go Back to O3LOGON?
```sql
-- Force pre-11g, case-insensitive password authentication for database users
alter system set sec_case_sensitive_logon=FALSE scope=BOTH;
```

```shell
# Recreate the password file so SYSDBA/SYSOPER logons are case-insensitive as well
orapwd file=pwdSID.ora ignorecase=y
```

```sql
-- Recreating the password file drops existing SYSDBA/SYSOPER grants (other than SYS); re-grant them
grant sysdba to USER1;
grant sysoper to USER2;
```
![Page 28: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/28.jpg)
So Now I’m Safe…Right?
![Page 29: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/29.jpg)
So Now I’m Safe…Right?
WRONG!!!
![Page 30: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/30.jpg)
![Page 31: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/31.jpg)
Standing on the Shoulders of Giants
Alexander Kornbrust, Pete Finnigan
David Litchfield, Paul Wright
Zsombor Kovács, Ettienne Vorster
László Tóth, Ferenc Spala
![Page 32: How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon](https://reader036.vdocuments.mx/reader036/viewer/2022062409/56649c735503460f94925e3a/html5/thumbnails/32.jpg)
If you know neither the enemy nor yourself, you will succumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself, you need not fear the result of a hundred battles.
- Sun Tzu, The Art of War
Troy Ligon [email protected]