
2019 indit blackhat_honeypot your database server

Slides from the Indit Blackhat conference, 2019.

  1. Honeypot Your Database. Georgi “Joro” Kodinov. Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
  2. Safe Harbor Statement. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. Georgi “Joro” Kodinov, MySQL @ Oracle
     • Server General Team Lead
     • Has worked on MySQL since 2006
     • Specializes in: security; client/server protocol; performance monitoring; component infrastructure
     • Loves history, diverse world cultures, technology
     • A devoted Formula 1 fan (Go, Leclerc!)
  4. “A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.” – Wikipedia
  5. Honeypot Variant 1: Detect
  6. Honeypot Variant 2: Deflect
  7. Honeypot Variant 3: Counteract
  8. Let’s Do Detect!
  9. Practicalities
  10. But First: Some Terminology!
  11. The MySQL Server Architecture (diagram). Components shown: Network → Query Processor; the Query Processor reaches Storage Engine1 and Storage Engine2 through the Storage Engine API, and Plugins through the Plugin API, with Plugin Services offered back to the plugins.
  12. Popular Plugin Types
     • Storage Engine API: implements a database table
     • Audit API: fires at various server events (e.g. a new login, a query start, a query end, etc.)
     • User Defined Functions: implements an SQL-callable function in a native language
     • Authentication: external authentication for MySQL
     • Daemon: just init and deinit, no further calls
  13. Introducing github.com/gkodinov/audit_tripwire
     • An audit log plugin
     • Listens on table access events
     • If a non-DBA accesses a pre-defined “attractive” table:
       – logs a special message for the DBA into the server error log
       – rejects all further commands until the DBA resets it
     • A couple of lines of code
     • Easily customizable
  14. A Taste of Code (arguments of the log call are elided on the slide)

```c
static int audit_tripwire_notify(MYSQL_THD thd, mysql_event_class_t event_class,
                                 const void *event)
{
  /* if we're in panic mode stop all commands from non-supers */
  if (panic_mode_value && !is_super(thd))
    return TRUE;

  /* Check if the table (if specified) is accessed */
  if (event_class == MYSQL_AUDIT_TABLE_ACCESS_CLASS &&
      (audit_tripwire_table_value || audit_tripwire_db_value))
  {
    const struct mysql_event_table_access *table_access=
      (const struct mysql_event_table_access *)event;
    if (!is_super(thd))
    {
      /* check for a matching table name */
      if (audit_tripwire_table_value &&
          strncmp(table_access->table_name.str, audit_tripwire_table_value,
                  table_access->table_name.length))
        return FALSE;
      /* check for a matching database name */
      if (audit_tripwire_db_value &&
          strncmp(table_access->table_database.str, audit_tripwire_db_value,
                  table_access->table_database.length))
        return FALSE;
      /* table is accessed. Time to panic ! */
      my_plugin_log_message(&plugin, MY_WARNING_LEVEL,
                            "Tripwire table `%s`.`%s` accessed from "
                            "connection id %d. Switching to panic mode",
                            …);
      panic_mode_value= TRUE;
      return TRUE;
    }
  }
  return FALSE;
}
```
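As an added example (not code from the plugin or from the talk), the decision rules of the snippet above restated in Python so they can be exercised without building MySQL: a non-DBA touching the configured db.table flips panic mode and is aborted, every later statement from non-DBAs is aborted until a reset, and DBAs pass throughout. The Event records, the connection ids and the `hr.employees` table are constructed for the walk-through. The block also exercises one detail of the snippet as written: a strncmp bounded by the accessed name's length also fires when the accessed table name is a prefix of the configured one (configured `salaries_archive`, accessed `salaries`); the `strict` flag shows the exact-match alternative.

```python
"""Model of the audit_tripwire decision rules from the slide 14 snippet.

Added example: a Python re-statement of the plugin's logic so the state
machine can be exercised without building MySQL. The Event records and
connection ids below are constructed for the walk-through, not captured
from a real server.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Audit API event classes named on the slides.
TABLE_ACCESS = "MYSQL_AUDIT_TABLE_ACCESS_CLASS"
COMMAND_START = "MYSQL_AUDIT_COMMAND_START"


@dataclass
class Event:
    event_class: str
    is_super: bool            # stands in for is_super(thd): the "DBA" check
    conn_id: int
    db: Optional[str] = None
    table: Optional[str] = None


class Tripwire:
    def __init__(self, db: Optional[str], table: Optional[str], strict: bool = False):
        self.db, self.table = db, table
        # strict=False mirrors the slide's strncmp bounded by the *accessed*
        # name's length; strict=True is an exact comparison.
        self.strict = strict
        self.panic_mode = False
        self.error_log: List[str] = []

    def _match(self, accessed: Optional[str], configured: str) -> bool:
        if accessed is None:
            return False
        if self.strict:
            return accessed == configured
        # strncmp(accessed, configured, len(accessed)) == 0
        return configured[:len(accessed)] == accessed

    def notify(self, ev: Event) -> bool:
        """True = abort the statement (client sees 'Aborted by Audit API'), False = allow."""
        if self.panic_mode and not ev.is_super:
            return True
        if ev.event_class == TABLE_ACCESS and (self.table or self.db) and not ev.is_super:
            if self.table and not self._match(ev.table, self.table):
                return False
            if self.db and not self._match(ev.db, self.db):
                return False
            self.error_log.append(
                f"Tripwire table `{ev.db}`.`{ev.table}` accessed from "
                f"connection id {ev.conn_id}. Switching to panic mode")
            self.panic_mode = True
            return True
        return False

    def reset(self) -> None:
        """What SET GLOBAL audit_tripwire_panic_mode=0 does."""
        self.panic_mode = False


def walk_through(strict: bool = False) -> Tuple[List[bool], List[str]]:
    """Replay slides 16-23: haxor (connection 14) browses, trips, is frozen; root resets."""
    tw = Tripwire(db="hr", table="salaries", strict=strict)
    events = [
        Event(COMMAND_START, False, 14),                    # SHOW DATABASES
        Event(COMMAND_START, False, 14),                    # SHOW TABLES
        Event(TABLE_ACCESS, False, 14, "hr", "employees"),  # constructed non-tripwire table: allowed
        Event(TABLE_ACCESS, False, 14, "hr", "salaries"),   # SELECT * FROM salaries: trips
        Event(COMMAND_START, False, 14),                    # SELECT 1: rejected in panic mode
        Event(TABLE_ACCESS, True, 15, "hr", "salaries"),    # root reads the table: allowed
    ]
    verdicts = [tw.notify(e) for e in events]
    tw.reset()                                              # root: SET GLOBAL audit_tripwire_panic_mode=0
    verdicts.append(tw.notify(Event(COMMAND_START, False, 14)))  # haxor's statements run again
    return verdicts, tw.error_log


def prefix_edge() -> Tuple[bool, bool]:
    """Configured 'salaries_archive', accessed 'salaries': slide semantics trip, exact match does not."""
    hit = Event(TABLE_ACCESS, False, 7, "hr", "salaries")
    return (Tripwire("hr", "salaries_archive").notify(hit),
            Tripwire("hr", "salaries_archive", strict=True).notify(hit))


if __name__ == "__main__":
    print(walk_through())
    print(prefix_edge())
```

The verdict list for the walk-through is `[False, False, False, True, True, False, False]`: the first three statements run, the read of `hr.salaries` is aborted and logged, the harmless `SELECT 1` is aborted because the connection is now in panic mode, root's read passes, and after the reset the non-DBA connection works again. Whether the prefix behaviour is wanted depends on how the honeypot table is named; an exact comparison avoids surprises when the decoy shares a prefix with real tables.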
  15. Compile
     • Put the files in plugin/audit_tripwire of a source distro or a git tree
     • Compile the source distro
     • See http://dev.mysql.com/doc/refman/5.7/en/compiling-plugin-libraries.html for more details
  16. Set audit_tripwire Up

```sql
CREATE DATABASE hr;
CREATE TABLE hr.salaries(person varchar(100), salary integer);
GRANT ALL PRIVILEGES on hr.* to ''@'localhost';
INSTALL PLUGIN audit_tripwire SONAME 'audit_tripwire.dll';
SET GLOBAL audit_tripwire_table='salaries';
SET GLOBAL audit_tripwire_db='hr';
```

     The grant to ''@'localhost' is the demo's stand-in for a compromised low-privilege account: a local login with a user name that matches no account (here haxor@localhost) falls back to the anonymous account and gets full rights on hr.*, but not SUPER, so the plugin treats it as a non-DBA. The .dll name is the Windows build; a Linux build is loaded as audit_tripwire.so.
  17. The Lateral Movement (as haxor@localhost)

```
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| hr                 |
+--------------------+
2 rows in set (0.00 sec)
```

  18. The Lateral Movement (as haxor@localhost)

```
mysql> use hr;
Database changed
mysql> show tables;
+--------------+
| Tables_in_hr |
+--------------+
| salaries     |
+--------------+
1 row in set (0.00 sec)
```

  19. The Lateral Movement (as haxor@localhost)

```
mysql> show create table salaries\G
*************************** 1. row ***************************
       Table: salaries
Create Table: CREATE TABLE `salaries` (
  `person` varchar(100) DEFAULT NULL,
  `salary` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1
1 row in set (0.00 sec)
```

  20. Mmmmmmm!?!
  21. The Trespassing (as haxor@localhost)

```
mysql> select * from salaries limit 10;
ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_TABLE_ACCESS_READ';1).
mysql> select 1;
ERROR 3164 (HY000): Aborted by Audit API ('MYSQL_AUDIT_COMMAND_START';1).
```

     Server’s console/error log:

```
2019-09-20T15:30:31.285577Z 14 [Warning] Plugin audit_tripwire reported: 'Tripwire table `hr`.`salaries` accessed from connection id 14. Switching to panic mode'
```
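The warning line on this slide is what a SOC would actually ingest, so here, as an added example that is not part of the plugin, is a parser for that line format plus the statements the DBA would run against the offending connection. The log excerpt is constructed; only the middle line reproduces the slide's message, the other two are ordinary server notes written to look like MySQL 5.7 output. The tolerance for extra bracketed fields after the level is an assumption about newer error-log formats, not something the slides show.

```python
"""Turn audit_tripwire's error-log warning into a structured alert.

Added example, not part of the plugin: a parser for the log line format shown
on slide 21, plus the SQL a DBA would run on the offending connection. The
sample log lines are constructed here; only the second reproduces the slide.
"""
import re
from typing import Dict, List, Optional

# MySQL 5.7 error log: "<ISO timestamp> <thread id> [Level] <message>".
# The optional bracketed group after the level is an assumption to absorb
# extra "[code] [subsystem]" columns in newer error-log formats.
TRIPWIRE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+\[(?P<level>\w+)\]\s+"
    r"(?:\[[^\]]*\]\s+)*"
    r"Plugin audit_tripwire reported: "
    r"'Tripwire table `(?P<db>[^`]+)`\.`(?P<table>[^`]+)` accessed from "
    r"connection id (?P<conn>\d+)\. Switching to panic mode'\s*$"
)

# Constructed excerpt; line 2 is the message from slide 21.
SAMPLE_LOG = """\
2019-09-20T15:29:58.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.
2019-09-20T15:30:31.285577Z 14 [Warning] Plugin audit_tripwire reported: 'Tripwire table `hr`.`salaries` accessed from connection id 14. Switching to panic mode'
2019-09-20T15:30:31.300001Z 14 [Note] Aborted connection 14 to db: 'hr' user: 'haxor' host: 'localhost'
"""


def parse_tripwire_line(line: str) -> Optional[Dict[str, object]]:
    """Return an alert dict for a tripwire warning, or None for any other line."""
    m = TRIPWIRE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "level": m["level"],
        "db": m["db"],
        "table": m["table"],
        "connection_id": int(m["conn"]),
    }


def alerts_from_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole error-log excerpt and keep only tripwire alerts."""
    return [a for a in (parse_tripwire_line(l) for l in text.splitlines()) if a]


def remediation_sql(alert: Dict[str, object]) -> List[str]:
    """Statements for the DBA (root) to run, in order.

    The tripwire keeps every non-DBA frozen until the reset, so look at and
    kill the attacker's session first and only then clear panic mode;
    clearing it first would let the same connection continue.
    """
    cid = alert["connection_id"]
    return [
        f"SELECT USER, HOST, DB, INFO FROM information_schema.PROCESSLIST WHERE ID = {cid};",
        f"KILL CONNECTION {cid};",
        "SET GLOBAL audit_tripwire_panic_mode=0;",
    ]


if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print(alert)
        print("\n".join(remediation_sql(alert)))
```

Feeding the error log (or its syslog copy) through `alerts_from_log` gives the SIEM a record with the database, table and connection id, and the connection id is exactly what `KILL CONNECTION` needs before the DBA re-arms the tripwire.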
  22. Buuuuzzzzzz!
  23. Defusing (as root@localhost)

```
mysql> set global audit_tripwire_panic_mode=0;
Query OK, 0 rows affected (0.00 sec)
```

  24. Questions?
