Making better team decisions

In the first months in my new role as product responsible I had more or less weekly meetings with the team responsible for Enterprise Manager, and in those meetings we sometimes made decisions. But what happened was that a few months down the road we (including myself) could not remember what exactly we had decided or why. And worse, new discussions then started about what to do. Often the motivation to do so was that people from other teams had dropped by earlier in the week, telling us we did things all wrong in their opinion.

And at one point I had had enough of forgetting decisions and of constantly coming back on decisions. I thought “Dammit, I’ve read Decisive (by Dan and Chip Heath). I should know better than this.”


The Department of Hacking Other Departments

We operations people are often rather charmed by Netflix’s idea of Chaos Monkey. This is a tool that identifies a group of systems and randomly terminates one system in that group. If you’ve never heard of Chaos Monkey, you might ask why you would do such a thing. In production, even.

Chaos Monkey

Chaos Monkey runs during business hours, and the idea is that if anything is wrong with the high availability configuration in that group, you’ll discover it during business hours when lots of people are available to solve the problem. But also, and this is the part we operations people like, it makes all people responsible for the application very aware that if they don’t do the right things to make their applications highly available, their applications will fail soon. So it raises awareness. Lately Netflix even has a tool called Chaos Kong, which disables whole AWS (Amazon Web Services) regions.


Nmap 7 is out

Yesterday I read that there is a totally new release of Nmap, the network mapping tool. I’ve blogged about Nmap before. Version 7 has attacks against Heartbleed, mature IPv6 support, and faster scans on Windows and BSD systems. And it has 171 new scripts and 20 libraries (new since Nmap 6 though).

The release notes mention a script called oracle-brute-stealth, which can exploit the CVE-2012-3137 vulnerability, a weakness in Oracle’s O5LOGIN authentication scheme in a lot of 11g versions (except when protocol 12 is required). This vulnerability has been fixed in the Critical Patch Update of October 2012.

I got all excited. But then I realized that oracle-brute-force has actually existed in this form since 2012. I’m going to test this out anyway, because it’s an interesting way to gain access to unpatched Oracle 11g databases.


My new role as “product responsible”

For nearly 6 months now I have been doing something different from just technical work. I am currently – what they call at Rabobank – “Product Verantwoordelijke”. In English it sounds a bit weird: “product responsible”, or “responsible for the product”. And the product in question is Enterprise Manager and other tools or applications we use for administration.

“Product responsible” is a job where I’m basically deciding and advising on the technical stuff. So that doesn’t sound like too big a job, especially because it’s just for Enterprise Manager, right? Sitting with two feet on my desk all the time?

Well, not quite, apparently. It would be the case if a small DBA team of 4 people used it, but in this case our team of 60+ DBAs and Fusion Middleware specialists uses it. Also, it’s not supposed to stay like that. We’re working towards an Enterprise Manager as a Service model where a lot more people will get access to their specific targets via Enterprise Manager.


Exploiting an Oracle database with Metasploit (Part 2)

Continuing from Exploiting an Oracle database with Metasploit (Part 1). Here’s the next set of Metasploit exploits and scanners I’ve tried and tested.

auxiliary/scanner/oracle/tnspoison_checker

This one just checks if your database is vulnerable to TNS poisoning:

msf auxiliary(tnspoison_checker) > info

Name: Oracle TNS Listener Checker
Module: auxiliary/scanner/oracle/tnspoison_checker
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-04-18

Provided by:
ir0njaw (Nikita Kelesis) <nikita.elkey@gmail.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.56.163   yes       The target address range or CIDR identifier
RPORT    1521             yes       The target port
THREADS  1                yes       The number of concurrent threads

Description:
This module checks the server for vulnerabilities like TNS Poison.
Module sends a server a packet with command to register new TNS
Listener and checks for a response indicating an error. If the
registration is errored, the target is not vulnearble. Otherwise,
the target is vulnerable to malicious registrations.



Exploiting an Oracle database with Metasploit (Part 1)

Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointed.

When you do “search oracle” in Metasploit, you get a promising, long list of scans and exploits. But as you’ll quickly note, a lot is Java related. Because that’s also Oracle. It helps to do a smarter search, for example by looking up oracle in the name: “search name:oracle”. But this also gives you MySQL exploits. And exploits of every old Oracle version. I’m not looking for that now either. And I’ve tried grepping, but that is not interpreted as grepping and gives you really weird results.

So in the end I’m just giving you my list of Oracle database scans and exploits that do not have old version numbers in the description. All non-database products are removed from the list. And for good measure, I’ve also removed exploits with very old disclosure dates, because I assumed they were targeted at versions much older than Oracle 11g.


Five steps to have your own Metasploit and Oracle demo environment

Bingo! I’ve done it! I’ve got Metasploit working against an Oracle database. And in this blogpost I’ll explain how you can do it too.

Step 0. Your soon to be powned Oracle database

Let’s assume you already have a virtual machine with an Oracle database for demoing purposes. I have an 11.2.0.1 database on a host on VirtualBox. Make sure you have a hostname, listener port number and instance name ready for later testing purposes.

Step 1. Install Kali Linux 2

This step is the easiest. Really. You can download a prebuilt Kali Linux 2 installation for VirtualBox or VMware. In this example I’ve used VirtualBox.
