Having a ball with the hacking training

Today I did my third of four database hacking sessions at work and I have to say it again was a lot of fun. It sure did raise security awareness. My four-hour training consists of the following workshop exercises:

SQL injection
For this exercise I have a very small Java application, written by an old colleague of mine. With it you have to log on with a user and password, but both input fields have SQL injection leaks. After doing the SQL injection exercise, people usually ask “you are going to tell how this works, don’t you?”. And I of course do.
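To show what “both input fields have SQL injection leaks” means in code, here is an added stand-in for that login check (my construction, not the colleague’s Java application; the table, users and passwords are made up). The unsafe version splices the two fields into the SQL text, the safe version binds them as parameters; a username with a single quote is enough to show the difference. In the Java original the fix is the same idea with JDBC’s PreparedStatement.

```python
import sqlite3


def make_db():
    # Constructed sample users table for the demo. Passwords are stored in
    # plaintext only to mirror a tiny workshop app; a real app stores a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("scott", "tiger"), ("O'Brien", "s3cret")])
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    # Both fields are spliced straight into the SQL text, the defect the
    # workshop application has: any quote in the input changes the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Bind parameters: the database receives the input as values, never as
    # part of the SQL statement, so quotes in the input are just characters.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Returns what each variant does with a normal login and with a
    # legitimate username that happens to contain a quote.
    conn = make_db()
    results = {
        "safe_ok": login_safe(conn, "scott", "tiger"),
        "safe_wrong_password": login_safe(conn, "scott", "wrong"),
        "safe_quoted_user": login_safe(conn, "O'Brien", "s3cret"),
        "unsafe_ok": login_unsafe(conn, "scott", "tiger"),
    }
    try:
        login_unsafe(conn, "O'Brien", "s3cret")
        results["unsafe_quoted_user"] = "ok"
    except sqlite3.OperationalError:
        # The quote terminated the string literal and broke the statement.
        results["unsafe_quoted_user"] = "syntax error"
    return results


if __name__ == "__main__":
    print(demo())
```

The broken statement is the tell: input that can break the query can also rewrite it, which is exactly what the exercise lets students discover.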

Port scanning with Nmap.
In this exercise they use the oracle-sid-brute Nmap script to find Oracle instances and oracle-enum-users to find existing users in the Oracle 11.1.0.6 database.

Network sniffing with Wireshark.
“I was quite surprised that with alter user .. identified by statements, the password goes over the network unencrypted”, was one reaction to the exercise. In it I let the students change the password of SCOTT with “alter user .. identified by ..” and with the password command (it exists!) and see what goes over the network encrypted and what does not.

Password cracking with woraauthbf.
I was actually amazed how incredibly fast dictionary attacks with this tool are, when I wrote and tested the exercise. With a dictionary of 2 Mb it finds dictionary passwords in 0 seconds!

Access to the OS
Here we have a database user with “just” CREATE LIBRARY privileges. And we create a library object with /lib/libc-2.x.so. And now we can run shell commands on the database server. Adding some lines with “grant dba to hacker;” to $ORACLE_HOME/sqlplus/admin/glogin.sql usually makes the students smile. Just wait until the DBA logs in with SQL*Plus.

Exploits
There’s that Java exploit that David Litchfield once showed at Blackhat 2010.


Now I’ve been at the RAC Attack at UKOUG 2011. It’s a free curriculum and platform to learn to set up a RAC database cluster. So I’ve been thinking: how about a Hack Attack platform? A platform where you can learn skills like the above. It’ll be hard for students to get around a genuine 11.1.0.6 Oracle database, but otherwise there are lots of things to do with a 11.2 database. I’d like to know what you think about this, so please leave a response.


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.
This entry was posted in Oracle security.

One Response to Having a ball with the hacking training

  1. Pingback: My new role as “product responsible” | Marcel-Jan's Oracle Blog
