Today I did my third out of four database hacking sessions at work and I have to say it again was a lot of fun. It sure did raise security awareness. My training of four hours consists of the following workshop exercises:
For this exercise I have a very little Java application, written by an old collegue of mine. With it you have to log on with a user and password, but both input fields have SQL injection leaks. After doing the SQL injection excercise, people usually ask “you are going to tell how this works, don’t you?”. And I of course do.
Port scanning with Nmap.
In this excercise they use the oracle-sid-brute Nmap script to find Oracle instances and oracle-enum-users to find existing users in the Oracle 188.8.131.52 database.
Network sniffing with Wireshark.
“I was quite surprised that with alter user .. identified by statements, the password goes over the network unencrypted”, was one reaction to the exercise. In it I let the students change the password of SCOTT with “alter user .. identified by ..” and with the password command (it exists!) and see what goes encrypted over the network and what not.
Password cracking with woraauthbf.
I was actually amazed how incredibly fast dictionary attacks with this tool are, when I wrote and tested the exercise. With a dictionary of 2 Mb it finds dictionary passwords in 0 seconds!
Access to the OS
Here we have a database user with “just” CREATE LIBRARY privileges. And we create a library object with /lib/libc-2.x.so. And now we can run shell commands on the database server. Adding some lines with “grant dba to hacker;” to $ORACLE_HOME/sqlplus/admin/glogin.sql usually does makes the students smile. Just wait until the DBA logs in with SQL*Plus.
There’s that Java exploit that David Litchfield once showed at Blackhat 2010.
Now I’ve been at the RAC Attack at UKOUG 2011. It’s a free curriculum and platform to learn to set up a RAC database cluster. So I’ve been thinking: how about a Hack Attack platform? A platform where you can learn skills like the above. It’ll be hard for students to get around a genuine 184.108.40.206 Oracle database, but otherwise there are lots of things to do with a 11.2 database. I’d like to know what you think about this, so please leave a response.