Archive for September, 2010

Marcell published „Writing your own password cracker“ presentation

Mittwoch, September 22nd, 2010

Marcell Major has published his really good presentation „Writing your own password cracker“ from the Hacktivity 2010 security conference in Budapest.

Marcell describes different ways to achieve this goal, e.g. source code analyze, debugging or reverse engineering.

With good examples Marcell showed the password analysis of Apache Derby, Sybase ASE old and new hashing algorithm. The new Sybase ASE (15.0.2+) uses SHA256 and the old SYS-PROB (<15.0.2) is based on an already broken FEAL algorithm. Especially the FEAL algorithm is quit complicated but a good example hat debugging/reversing could do.

  • The password cracker for Sybase ASE – SHA256 is called sybcrack and already released.
  • The password cracker for Sybase ASE – SYB-PROP (FEAL) will be released soon.

Laszlo’s presentation „Oracle Post Exploitation Techniques“ and Marcel’s Sybase ASE Password Cracker

Dienstag, September 21st, 2010

Last weekend I gave a presentation „Security comparison of different databases“ (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.

I saw Laszlo’s presentation „Oracle post exploitation techniques“ and got even a private sneak preview of his presentation in English 1 day before.

Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).

  • Decrypt the Enterprise Manager/Grid Control passwords in newer version.
    The simple way using sysman.decrypt() no longer works in newer version of Oracle. But his approach is reading the key from the file emkey.ora and using sysman.mgmt_time_sync to set the key. This works in new versions as well.
  • DLL injection:
    A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!)
  • Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
  • Analysis of the Oracle 11g Remote Job Scheduling.

The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways how to perform this and showed how he did this for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.

Marcell already released the password cracker for new Sybase ASE SHA256 algorithm.

Our new Repscan 4.0 supports now Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords .

Update of „Project Lockdown“ released

Freitag, September 10th, 2010

Arup Nanda has released an update for „Project Lockdown“. This new version covers Oracle 11g (R1/R2) as well.

I found a few minor things which are not 100% correct but in general it  is a good introduction.

But there is something I never liked. It’s the recommendation how to check the Oracle database for weak passwords (according to my experience) this is the biggest problem in nearly every organization.

Just using dba_users_with_defpwd or comparing password hashes is not sufficient and misleading (password=username not found). Oracle 11g is using salted hashes and this concept does not work with the view dba_users_with_defpwd.

Why not using a real password checker like woraauthbf, ops_sse or Repscan? They check all the passwords independent from the database version.

My recommendation for the action plan:
Use a real password checker instead of only comparing password hashes