Archive for the ‘Tools’ Category

New Russian Oracle exploit tool "Oracle Security Tools" (updated)

Friday, November 13th, 2009

During my research on Russian websites I found a new security tool called "Oracle Security Tools". This tool offers different methods to exploit Oracle databases.

Oracle Security Tools

Here is a list of features:

  • Privilege escalation of Oracle users;
  • Checking of system accounts for the presence of a default password;
  • Checking of accounts for login=password;
  • Execution of PL/SQL code;
  • Privilege escalation in Windows 2000/XP/2003 (adds a local user with administrator rights and remote connection privileges);
  • Infiltration into the OS and execution of DOS commands with administrative rights;
  • Viewing users' connections to the database and their activity;
  • Analysis of an external TNS listener.log.

After checking the executable on VirusTotal I ran the program on one of my test VMware machines. After switching the Russian interface to the English interface I was not able to run the tool. I always got the error message:

It seems to be a problem with my VMware system and the multiple Oracle Homes. After switching to another computer the program worked without problems.

Oracle Openworld 2009 – SQL Injection Presentation

Tuesday, October 13th, 2009

Just back from a short trip to the Oracle Openworld, where I gave the presentation "SQL Injection Crash Course for Developers". This was the first time I talked at the Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanners. Really professional GUI, easy to use. Well done, Ferruh.
Netsparker GUI

It supports the execution of SQL statements and OS commands on the DB server.

Netsparker Command Window

I also met the APEX team from Oracle and had a long, interesting chat with them. Joel Kallmann gave me a few tips on how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted an interesting blog entry about SQL Injection today, too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he also mentions the bug DB18 from January 2006, found by Imperva. AFAIK I was the first who came up with the idea of patching oraclient9.dll using a hex editor, and I then sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this, since David Litchfield released a small tool (part of OAK – Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can still be really useful.

Oracle Password Benchmarks

Tuesday, October 6th, 2009

Yesterday, Dennis Yurichev published details about his FPGA-based Oracle (DES) password cracker. His cracker can check up to 60 million passwords per second (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle password cracking.
The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here is a quick summary of the fastest programs in every class (AFAIK, please correct me if you know
faster tools). All tests were performed on my old Core2Quad 2.4 GHz.
A new Intel i7 would perform much faster (30-50%) compared to the Core2Quad.

If you look at pure numbers, dictionary-based rainbow tables for DES are the fastest solution with approx. 250 million password hashes per second, followed by FPGA with 60 million pw/sec, followed by brute force with 4 million pw/sec.

The SHA1 algorithm is a bad choice from the password cracking perspective because it can be cracked much faster (30 million pw/s instead of 4 million pw/s) on the same computer. Its salt only rules out precomputed (rainbow) tables, as the numbers below show; it does not slow down dictionary or brute force guessing.

1. Dictionary based (* Core2Quad 2.4 GHz)
DES:  approx. 3 million pw/sec    (Repscan 3.0 and woraauthbf)
SHA1: approx. 19 million pw/sec   (Repscan 3.0)

2. Brute force (* Core2Quad 2.4 GHz)
DES:  up to 4 million pw/sec      (Repscan 3.0 and woraauthbf)
SHA1: approx. 30 million pw/sec   (Repscan 3.0)

3. Rainbow table (* Core2Quad 2.4 GHz)
DES:  n/a                         (Cain)
SHA1: hash salted, not useful

4. Dictionary based rainbow tables (* Core2Quad 2.4 GHz)
DES:  up to 250 million pw/sec    (ophcrack)
SHA1: hash salted, not useful

5. FPGA
DES:  up to 60 million pw/sec     (Dennis Yurichev)
SHA1: not available

6. GPGPU
DES:  n/a
SHA1: n/a (estimated 175 million pw/sec)
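To make the "hash salted, not useful" rows concrete, here is an added example (not code from this blog, from Repscan/woraauthbf or from Oracle) of the Oracle 11g SHA1 verifier: SHA-1 over the password bytes followed by a 10-byte salt, stored as "S:" plus 40 hex characters of digest and 20 hex characters of salt. The block shows why a precomputed table cannot be reused between two users with the same password, why a plain dictionary attack still costs only one SHA-1 per guess, and it also implements the "login=password" check from the tool feature list in the first post above. Assumptions: the password is encoded as UTF-8 (a real database uses its own character set), and the salt and password values are constructed for the demonstration.

```python
"""Oracle 11g 'S:' password verifier: SHA-1(password || 10-byte salt).

Added illustration code, not the author's tools or Oracle's implementation.
Assumes UTF-8 encoding of the password; salts/passwords below are constructed.
"""
import hashlib
import secrets
import time
from typing import Iterable, Optional, Tuple

SALT_LEN = 10  # Oracle 11g appends a 10-byte salt before hashing


def oracle11g_verifier(password: str, salt: bytes) -> str:
    """Build the 'S:' string Oracle 11g stores in SYS.USER$.SPARE4."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"Oracle 11g salt must be {SALT_LEN} bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + (digest + salt).hex().upper()


def parse_verifier(verifier: str) -> Tuple[bytes, bytes]:
    """Split an 'S:' verifier into (sha1 digest, salt)."""
    if not verifier.startswith("S:") or len(verifier) != 2 + 2 * (20 + SALT_LEN):
        raise ValueError("not an Oracle 11g 'S:' verifier")
    raw = bytes.fromhex(verifier[2:])
    return raw[:20], raw[20:]


def dictionary_attack(verifier: str, wordlist: Iterable[str]) -> Optional[str]:
    """The salt stops precomputation, not guessing: one SHA-1 per candidate."""
    digest, salt = parse_verifier(verifier)
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest:
            return candidate
    return None


def login_equals_password(username: str, verifier: str) -> bool:
    """'login=password' check for an 11g verifier. 11g passwords are
    case-sensitive, so the usual case variants of the name are tried."""
    variants = {username, username.lower(), username.upper(), username.capitalize()}
    return dictionary_attack(verifier, sorted(variants)) is not None


def rainbow_table_reuse(password: str) -> bool:
    """Would a table precomputed for `password` under one user's salt hit another
    user with the same password? Returns False: each salt gives a new digest."""
    d1, _ = parse_verifier(oracle11g_verifier(password, secrets.token_bytes(SALT_LEN)))
    d2, _ = parse_verifier(oracle11g_verifier(password, secrets.token_bytes(SALT_LEN)))
    return d1 == d2


def single_thread_rate(seconds: float = 0.2) -> float:
    """Rough SHA-1 guesses per second in pure Python, to set the table's
    figures (tens of millions per second in optimized C) in perspective."""
    salt = bytes(SALT_LEN)
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hashlib.sha1(f"candidate{count}".encode() + salt)
        count += 1
    return count / seconds


if __name__ == "__main__":
    salt = bytes.fromhex("0123456789ABCDEF0123")  # constructed, not from a real DB
    verifier = oracle11g_verifier("Tiger123", salt)
    print(verifier)
    print("dictionary hit:", dictionary_attack(verifier, ["tiger", "Tiger123"]))
    print("SCOTT/scott weak:", login_equals_password("SCOTT", oracle11g_verifier("scott", salt)))
    print("table reusable across salts:", rainbow_table_reuse("Tiger123"))
    print(f"~{single_thread_rate():,.0f} SHA-1 guesses/s in pure Python")
```

The pre-11g DES hash has no salt but mixes the uppercased username into the input, which is why the tools above quote DES rates "for short usernames" and why rainbow tables for it are only practical per username; the 11g verifier drops the username and adds the salt, so the only way in is to guess, and at roughly one SHA-1 per guess that is cheap.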

Oracle Hacking with Metasploit Videos

Sunday, August 2nd, 2009

Chris Gates has uploaded some videos on how to hack Oracle with Metasploit:

  • Metasploit Oracle TNSCMD SMBRelay Demo
  • Metasploit Oracle Extproc Backdoor Demo
  • Metasploit Oracle Login Brute and Privilege Check Demo
  • Metasploit Oracle CGI Scanner and SID enumeration

Oracle & Metasploit presentation from Blackhat USA is already online

Wednesday, July 29th, 2009

The Oracle & Metasploit material (PDF, slides) from Chris Gates' talk at the Blackhat 2009 conference is already online. A short review will follow tomorrow.