Alexander Kornbrust
22-Nov-2007
Red-Database-Security GmbH
Friday, November 23, 2007 1
Agenda
Red-Database-Security GmbH
Founded Spring 2004
CEO Alexander Kornbrust
Specialized in Oracle Security
One of the leading companies for Oracle Security
More than 350 Oracle vulnerabilities reported
Customers worldwide (Banking, Insurance, Pharma, Industry,
Government ...)
Worldwide activities
Periodical trainings in USA, Singapore, U.A.E.
Presentations at the leading security conferences
(Blackhat, Deepsec, Defcon, HITB, Bluehat, Syscan, IT
Underground, ...)
Agenda
Introduction
Passwords
Find passwords tables/columns
Creditcards
Find Creditcards
Get Creditcard information without leaving traces
Get cleartext passwords from the database
Q&A
Words
lozinka Geslo
senha MDP
wagword Password drowssap
sandi fjalikalim
How passwords are stored in the database
...
Sensitive information in databases is normally stored in tables with descriptive names (like password)
Even though English rules the world, many developers use their native language
Abbreviations are often used (e.g. MDP for Mot De Passe)
Samples
haslo = Polish
parola = Russian
mot de passe = French
clave = Spanish
senha = Portuguese
lozinka = Croatian
wachtwoord = Dutch
wagword = Afrikaans
lösen = Swedish
fjalëkalim = Albanian
parool = Estonian
drowssap = Hebrew
sandi = Indonesian
parole = Latvian
geslo = Slovene
...
Reality check I
Reality check II
How to find foreign words?
Passwords
Password finder
declare
samelength integer;
isMD5 integer;
isSHA1 integer;
isSHA2 integer;
isBASE64 integer;
ishex integer;
hasSALT integer;
numpasswords integer;
vc1 varchar2(256);
vc2 varchar2(256);
Password finder - anapw.sql
cursor custpasswords is
select owner,table_name,column_name,data_type, data_length
from dba_tab_columns
where
( upper(column_name) like 'PWD'
or upper(column_name) like 'PASS'
or upper(column_name) like 'MDP'
or upper(column_name) like 'MOTSDEPASSE'
or upper(column_name) like 'HASLO'
or upper(column_name) like 'CLAVE'
or upper(column_name) like 'SENHA'
or upper(column_name) like 'JELZO'
or upper(column_name) like 'LOZINKA'
or upper(column_name) like 'HASLO'
...
or upper(column_name) like 'KENNWORT'
or upper(column_name) like 'PASSWD'
or upper(column_name) like 'PASSWORD'
or upper(column_name) like 'PWORD'
or upper(column_name) like 'PSW'
or upper(column_name) like 'USERPASSWORD'
or upper(column_name) like 'USER_PASSWORD'
or upper(column_name) like 'PASSWORDS'
or upper(column_name) like 'ZPASSWORD'
or upper(column_name) like 'PROXYPASSWORD'
...
Password finder - anapw.sql
begin
...
Password finder - anapw.sql
dbms_output.put_line('hash='||vc1);
if length(vc1)=32 then dbms_output.put_line('possible MD2/MD4 or MD5'); END IF;
if length(vc1)=40 then dbms_output.put_line('possible SHA-1'); END IF;
if length(vc1)=64 then dbms_output.put_line('possible SHA-2 (256)'); END IF;
if length(vc1)=96 then dbms_output.put_line('possible SHA-2 (384)'); END IF;
if length(vc1)=128 then dbms_output.put_line('possible SHA-2 (512)'); END IF;
if length(vc1)=1024 then dbms_output.put_line('possible RSA Key'); END IF;
if length(vc1)=2048 then dbms_output.put_line('possible RSA Key'); END IF;
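An added example (not part of the original slides or of anapw.sql): a Python sketch of the same length heuristic, extended with the hex, Base64 and same-length checks that the declared variables suggest, for auditing your own schema for cleartext password columns. The function names, thresholds and sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Hex digest lengths taken from the slide's length checks.
HEX_LEN = {32: "MD2/MD4/MD5", 40: "SHA-1", 64: "SHA-2 (256)",
           96: "SHA-2 (384)", 128: "SHA-2 (512)"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def classify_value(value):
    """Guess the encoding of one stored value (heuristic, hypothetical helper)."""
    if len(value) in HEX_LEN and HEX_RE.fullmatch(value):
        return "hex " + HEX_LEN[len(value)]
    if len(value) >= 24 and len(value) % 4 == 0 and B64_RE.fullmatch(value):
        raw_len = len(base64.b64decode(value))
        # A raw digest of n bytes is 2n hex characters.
        return "base64 " + HEX_LEN.get(raw_len * 2, "unknown length, maybe hash+salt")
    return "unrecognised"


def audit_column(values):
    """Summarise sampled values of one password-like column."""
    kinds = sorted({classify_value(v) for v in values})
    same_length = len({len(v) for v in values}) == 1
    if kinds == ["unrecognised"] and not same_length:
        verdict = "likely cleartext"
    elif len(kinds) == 1 and kinds != ["unrecognised"] and same_length:
        verdict = "consistent hash format"
    else:
        verdict = "mixed or unknown, review manually"
    return {"kinds": kinds, "same_length": same_length, "verdict": verdict}


# Constructed sample data, not taken from any real system.
CLEARTEXT_COLUMN = ["tiger", "welcome1", "Summer2007!"]
MD5_COLUMN = [hashlib.md5(p.encode()).hexdigest() for p in CLEARTEXT_COLUMN]
SHA1_B64_COLUMN = [base64.b64encode(hashlib.sha1(p.encode()).digest()).decode()
                   for p in CLEARTEXT_COLUMN]

if __name__ == "__main__":
    for name, col in [("cleartext", CLEARTEXT_COLUMN), ("md5", MD5_COLUMN),
                      ("sha1/base64", SHA1_B64_COLUMN)]:
        print(name, audit_column(col))
```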
Password finder - Usage
SQL> @anapw1.sql
Possible Enhancements for password finder
Creditcard numbers
Creditcard numbers
Sample:
create table creditcard (cc varchar2(20), cvv varchar2(4), expired varchar2(8));
Creditcard numbers
Creditcard numbers & TDE
unsecure
---------------------------------------------------------------------------
CreditCard
http://regexlib.com/REDetails.aspx?regexp_id=340
CreditCard
http://regexlib.com
Dual Use of CreditCard numbers
Miles and More Insecurities
Miles and More is one of the biggest frequent flyer programs in the world (more than 13 million members)
Many M&M frequent flyers (FTL, SEN, HON) use the Lufthansa Credit Card
For convenience, Lufthansa combines the frequent flyer card with the credit card.
Every M&M frequent flyer status is valid for 2 years, until February of the next year or the year after
The expiration date is always 02/08 or 02/09
The CVV/CVV2 code can be guessed via webshops (e.g. bahn.de). On average only 500 tries are necessary for Visa.
Miles and More Insecurities
Get Information (CC-numbers) without leaving traces
Collecting sensitive information without traces
Sample
Table created.
1 row created.
1 row created.
1 row created.
SQL> commit;
Sample
SQL_TEXT
-----------------------------------------------------------
Sample
SQL_TEXT
-----------------------------------------------------------
begin authorize('370561465621707','432','1110','Kornbrust Alexander') end; /
begin authorize('375873785511053','0012','0208','Zanero Stefano') end; /
...
Collect CC numbers
Even if the CVV numbers are NOT stored in the database, they are available via
the view v$sql
SQL_TEXT
-----------------------------------------------------------
begin authorize('370561465621707','432','1110','Kornbrust Alexander') end; /
begin authorize('375873785511053','0012','0208','Zanero Stefano') end; /
...
Bind-Variables as protection?
VALUE_STRING
-----------------------------------------------------------
370561465621707
375873785511053
...
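An added example (not from the original slides): a detection check a DBA or auditor can run over rows exported from their own v$sql and bind-value views to see whether card numbers are exposed there, as the two slides above describe. The row format, helper names and sample rows are constructed; the test card numbers are the usual public test values, and the VALUE_STRING column is assumed to come from v$sql_bind_capture.

```python
import re

# Digit runs of card-number length (13-19) that are not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(number):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six and last four digits for the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_literals(rows):
    """rows: iterable of (source, text); returns [(source, masked_pan)]."""
    hits = []
    for source, text in rows:
        for m in PAN_RE.finditer(text or ""):
            if luhn_ok(m.group()):
                hits.append((source, mask(m.group())))
    return hits


# Constructed sample rows (public test card numbers, hypothetical statements).
SAMPLE_ROWS = [
    ("v$sql.sql_text",
     "begin authorize('4111111111111111','123','1110','Test User'); end;"),
    ("v$sql.sql_text", "select * from orders where order_id = 1234567890123456"),
    ("v$sql.sql_text", "begin authorize(:cc, :cvv, :exp, :name); end;"),
    ("v$sql_bind_capture.value_string", "378282246310005"),
]

if __name__ == "__main__":
    for source, masked in find_card_literals(SAMPLE_ROWS):
        print(source, masked)
```

A hit in SQL_TEXT means the statement was issued with literals; a hit in the bind values means the number is still readable by anyone who can query these views, even though the statement text itself shows only placeholders.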
v$sql & passwords
Cleartext passwords in other tables
Summary
Questions?
Q&A
Contact
Alexander Kornbrust
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany