Archive for November, 2009

IGHASHGPU – Cracking Oracle Passwords with 790 Million Passwords/second

Sunday, November 29th, 2009

This time I want to present a new super-fast password cracker. Ivan Golubev released a new version of his password cracker IGHASHGPU. I have known the tool for a while, but older versions of IGHASHGPU did not support Oracle SHA1 passwords.

The new version 0.62 now also supports Oracle 11g hashes (SHA1 + salt). The remarkable thing is the speed of cracking passwords. Ivan’s cracker uses the GPU for cracking the passwords. Without a GPU (NVidia or ATI) or within a virtual machine the tool does not work.

On a dual ATI 5970 configuration (forum entry) the tool can crack approx. 790 (!!!) million hashes per second. A single ATI 4850 can achieve more than 300 million hashes per second. This means that the new 11g password algorithm can be cracked approx. 130 times faster than the old DES algorithm. I am not sure if it was a good idea for Oracle to use a standard algorithm like SHA1, because together with MD5 it is one of the most optimized algorithms.

Here is a short comparison between cracking old Oracle DES based passwords and new Oracle 11g SHA1 based passwords. I used the fastest software BF password cracker for Oracle DES (Repscan from Red-Database-Security or woraauthbf, both with approx. 6 million hashes on a Core i7) and compared it with the configuration of running IGHASHGPU on a dual 5970 configuration (790 million hashes per second).

Here are some benchmark numbers. I know that 11g supports case-sensitive passwords, but from my experience most people normally use lowercase passwords with the first character converted to uppercase. In such a case it is not necessary to crack the entire key space.

26 characters, length 6:   DES: 53 seconds,  SHA1: 0.4 seconds

26 characters, length 7:   DES: 23 min,  SHA1: 10 seconds

26 characters, length 8:   DES: 10 h,  SHA1: 4.6 minutes

26 characters, length 9:   DES: 11 days,  SHA1: 2 hours

26 characters, length 10:   DES: 283 days,  SHA1: 2 days
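The arithmetic behind these figures, as an added example (not code from this blog or from IGHASHGPU) that can be used to size a password policy against the quoted GPU rate. It assumes the 6 million figure is hashes per second and counts only passwords of exactly the given length; all function names are made up for the illustration. The results land close to the figures above.

```python
# Added example: exhaustive-search time model built on the rates quoted in the post.
DES_RATE = 6_000_000      # assumed hashes/s: CPU cracker on a Core i7 (from the post)
SHA1_RATE = 790_000_000   # hashes/s: IGHASHGPU on a dual ATI 5970 (from the post)
YEAR = 365 * 86400        # seconds


def worst_case_seconds(charset_size, length, rate):
    """Seconds needed to try every password of exactly `length` characters."""
    return charset_size ** length / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("days", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def min_length(charset_size, rate, target_seconds):
    """Smallest fixed length whose full key space takes at least target_seconds."""
    length = 1
    while worst_case_seconds(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def table(charset_size=26, lengths=range(6, 11)):
    """(length, DES time, SHA1 time) rows for the comparison in the post."""
    return [(n,
             humanize(worst_case_seconds(charset_size, n, DES_RATE)),
             humanize(worst_case_seconds(charset_size, n, SHA1_RATE)))
            for n in lengths]


if __name__ == "__main__":
    for n, des, sha1 in table():
        print(f"26 characters, length {n}: DES {des}, SHA1 {sha1}")
    # A capitalised first letter adds no key space: the search stays at 26^n.
    # Truly mixed-case passwords (52) or mixed case plus digits (62) do add to it.
    for name, size in (("lowercase", 26), ("mixed case", 52), ("mixed + digits", 62)):
        n = min_length(size, SHA1_RATE, YEAR)
        print(f"{name}: length {n} needed to hold out one year at the GPU rate")
```
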

If you are interested in downloading the tool, you can get it from here.

How Oracle controls access to security vulnerabilities

Wednesday, November 25th, 2009

Shaomin Wang from Oracle has posted an interesting blog entry “How Oracle controls access to security vulnerabilities”. There are 3 different access types: Default Access, Global Access and Hierarchical Access.

Depending on the role inside Oracle (e.g. Global Product Security staff, normal employees or their managers), people have the right to view an individual security bug or all security bugs.

This is a big improvement compared to the time when I was an Oracle employee several years ago. At that time everybody inside Oracle had access to security bug information.

The only problem nowadays is security bugs which are not marked as security bugs because Oracle support employees are not aware of the security impact of a normal bug. These bugs are often accessible via MyOracleSupport even for Oracle customers.

Metasploit 3.3 is out

Tuesday, November 17th, 2009

Metasploit 3.3, the leading exploit framework, is out. Here is an extract from the Metasploit blog:

Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws.

Version 3.3 (release notes) is the largest known Ruby application (375,000 lines of code) and comes with some new Oracle features:

  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Security Workshop “Database Activity Monitoring Systems” in London

Tuesday, November 17th, 2009

In 3 weeks Paul Wright will give a 1-day workshop for SANS (Sat. 5. Dec. in London) about Database Activity Monitoring Systems (DAMS). Paul will use the free Hedgehog Standard Edition in the class to demonstrate solutions for common problems like user monitoring, defending against public zero days, …

Here is the table of contents:

1. Defend against public and zero day attacks via free custom written IDS rules
2. Gain Compliance
3. User activity monitoring
4. Application monitoring
5. Sensitive data access monitoring
6. Diagnostics prior to changes such as CPU installation.

A case study about using DAMS from Paul Wright is available in the UKOUG Scene magazine (Issue 39).

You should not miss the chance to join this workshop because it can help your company/organization to secure their databases …

New Russian Oracle exploit tool “Oracle Security Tools” (updated)

Friday, November 13th, 2009

During my research on Russian websites I found a new security tool called “Oracle Security Tools”. This tool offers different methods to exploit Oracle databases.

Oracle Security Tools

Here is a list of features:

  • The privileges escalation of the Oracle users;
  • The verification of system accounts concerning the existence of a default password;
  • Account compliance test of login=password
  • The execution of the PL/SQL code;
  • The privileges escalation in the OS Windows 2000/XP/2003 (add a local user as root and holder of remote connection powers);
  • The infiltration into the OS and the execution of DOS-commands, holding the administrative rights.
  • Viewing the users’ connections to the database and their activity;
  • Analyse the external TNS listener.log;

After checking the executable on VirusTotal I ran the program on one of my test VMware machines. After switching the Russian interface to the English interface I was not able to run the tool. I always got the error message:

It seems to be a problem with my VMware system and the multiple Oracle Homes. After switching to another computer the program worked without problems.