My new blog

I will start blogging about my new career as a data engineer at a new place:

http://marcel-jan.eu/datablog/2017/02/21/welcome-to-my-new-blog/

On this blog I intend to take you with me on a journey through Big Data. That’s why the blog is called “Expedition Data”.

Posted in Uncategorized

A couple of Enterprise Manager 12 repository scripts

For almost 2 years I’ve been product responsible/product owner for Oracle Enterprise Manager at Rabobank. I haven’t done a lot of technical stuff, but I did have access to the repository. This allowed me to create some queries, create some reports and get a feel for the growth of the use of EM.

As a last thing I leave to the Oracle community, I’ve placed these scripts in a Git repository.

https://github.com/Marcel-Jan/oracle_em12

Posted in Oracle scripts

Why I ♥ Python

I had a few encounters with Python before I followed the Introduction to Interactive Python programming courses of Rice University via Coursera. I remember the struggles when I tried to program Twitter feed analysis code with Python on the Introduction to Data Science course I did two years ago. I eventually had to give up. And on the Hadoop Platform and Application Framework course I couldn’t solve one of the problems with Python and eventually, with the deadline looming, used Excel to find the right answer. That’s right: I solved a Big Data problem with Excel (because there wasn’t a lot of data).

But ever since I followed Rice University’s first Python course, I’ve been hooked. Python is a pretty easy language, once you know the basics. But that’s not the only reason I love it. You can use it almost everywhere. Examples?

Posted in Python

A Big (Data) Change

So it has been rather quiet on this blog and there’s a good reason for that. I like to blog mostly about interesting (technical) stuff I found out. At work I haven’t done many technical things. I talked about technical things, I had meetings about technical things, I read documents about technical things and even wrote documents about technical things. But I didn’t find out much technical stuff. I didn’t have time for technical things at work.

And I noticed that when I played with Oracle 12c in my spare time, and later on Hadoop and Python, I missed the satisfaction of finding things out and getting things to work. You know, Linux, Oracle, Hadoop and Python work without the need for several meetings to convince them. Or sometimes they don’t, of course.

Posted in I'm not a manager

Making better team decisions

In the first months in my new role as product responsible I had more or less weekly meetings with the team responsible for Enterprise Manager, and in those meetings we sometimes made decisions. But what happened was that a few months down the road we (including myself) could not remember what exactly we had decided or why. And worse, new discussions then started about what to do. Often the motivation to do so was that people from other teams had dropped by earlier in the week, telling us we did things all wrong in their opinion.

And at one point I had enough of forgetting decisions and of coming back on decisions. I thought “Dammit, I’ve read Decisive (by Dan and Chip Heath). I should know better than this.”

Posted in I'm not a manager

The Department of Hacking Other Departments

We operations people often are rather charmed by Netflix’ idea of Chaos Monkey. This is a tool that identifies a group of systems and randomly terminates one system in that group. If you’ve never heard of Chaos Monkey, you might ask why you would do such a thing. In production even.

Chaos Monkey runs during business hours and the idea is that if anything is wrong with the high availability configuration in that group, you’ll discover it during business hours when lots of people are available to solve the problem. But also, and this is the part we operations people like, it makes all people responsible for the application very aware that if they don’t do the right things to make their applications highly available, their applications will fail soon. So it raises awareness. Lately Netflix even has a tool called Chaos Kong, which disables whole AWS (Amazon Web Services) regions.

Posted in Hacking for better security awareness, Security

NMap 7 is out

Yesterday I read that there is a totally new release of nmap, the network mapping tool. I’ve blogged about Nmap before. Version 7 has attacks against Heartbleed, it has mature IPv6 support, faster scans on Windows and BSD systems. And it has 171 new scripts and 20 libraries (new since Nmap 6 though).

The release notes mention a script called oracle-brute-stealth, which can exploit the CVE-2012-3137 vulnerability, a weakness in Oracle’s O5LOGIN authentication scheme in a lot of 11g versions (except when protocol 12 is required). This vulnerability has been fixed in the Critical Patch Update of October 2012.

I got all excited. But then I realized that oracle-brute-force has actually existed in this form since 2012. I’m going to test this out anyway, because it’s an interesting way to gain access to unpatched Oracle 11g databases.

Posted in Oracle security

My new role as “product responsible”

For nearly 6 months now I have been doing something different than just technical work. I am currently – what they call at Rabobank – “Product Verantwoordelijke”. In English it sounds a bit weird: “product responsible”, or “responsible for the product”. And the product in question is Enterprise Manager and other tools or applications we use for administration.

“Product responsible” is a job where I’m basically deciding and advising on the technical stuff. So that doesn’t sound too big a job, especially because it’s just for Enterprise Manager, right? Sitting with two feet on my desk all the time?

Well, not quite apparently. It would be the case if a small DBA team of 4 people used it, but in this case our team of 60+ DBAs and Fusion Middleware specialists use it. Also, it’s not supposed to stay like that. We’re working towards an Enterprise Manager as a Service model where a lot more people will get access to their specific targets via Enterprise Manager.

Posted in I'm not a manager

Exploiting an Oracle database with Metasploit (Part 2)

Continuing from Exploiting an Oracle database with Metasploit (Part 1). Here’s the next set of Metasploit exploits and scanners I’ve tried and tested.

auxiliary/scanner/oracle/tnspoison_checker

This one just checks if your database is vulnerable to TNS poisoning:

msf auxiliary(tnspoison_checker) > info

Name: Oracle TNS Listener Checker
Module: auxiliary/scanner/oracle/tnspoison_checker
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-04-18

Provided by:
ir0njaw (Nikita Kelesis) <nikita.elkey@gmail.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.56.163   yes       The target address range or CIDR identifier
RPORT    1521             yes       The target port
THREADS  1                yes       The number of concurrent threads

Description:
This module checks the server for vulnerabilities like TNS Poison.
Module sends a server a packet with command to register new TNS
Listener and checks for a response indicating an error. If the
registration is errored, the target is not vulnearble. Otherwise,
the target is vulnerable to malicious registrations.

Posted in Hacking for better security awareness, Oracle security

Exploiting an Oracle database with Metasploit (Part 1)

Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointed.

When you do “search oracle” in Metasploit, you get a promising, long list of scans and exploits. But as you’ll quickly note, a lot is Java related. Because that’s also Oracle. It helps to do a smarter search, for example by looking up oracle in the name: “search name:oracle”. But this also gives you MySQL exploits. And exploits of every old Oracle version. I’m not looking for that now either. And I’ve tried grepping, but that is not interpreted as grepping and gives you really weird results.

So in the end I’m just giving you my list of Oracle database scans and exploits that do not have old version numbers in the description. All non-database products are removed from the list. And for good measure, I’ve also removed exploits with very old disclosure dates, because I assumed they were targeted at versions much older than Oracle 11g.

Posted in Hacking for better security awareness, Oracle security