6. DOAG Konferenz 2016
Figure: cryptographic hash function (Input -> Digest)
Inputs:
The red fox jumps over the blue dog
The red fox jumps oevr the blue dog
The red fox jumps ouer the blue dog
The red fox jumps oer the blue dog
Digests (one per line):
DFCD 3454 BBEA 788A 751A 696C 24D9 7009 CA99 2D17
0086 46BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC
8FD8 7558 7851 4F32 D1C6 76B1 79A9 0DA4 AEFE 4819
FCD3 7FDB 5AF2 C6FF 915F D401 C0A9 7DA9 46AF FB45
8ACA D682 D588 4C75 4BF4 1799 7D88 BCF8 92B9 6A6C
11. DOAG Konferenz 2016
Secure External Password Store (Wallets)
$ mkstore -wrl /home/jans/oracle/wallet -create
$ mkstore -wrl /home/jans/oracle/wallet -createCredential ORCL SYSTEM secret
$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
SQL>
12. DOAG Konferenz 2016
0x00 - 0x4C Header:
0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?)
0x03 Type = SSO: 36; LSSO: 38
0x04 - 0x06 00 00 00
0x07 Version (10g: 05; 11g: 06)
0x08 - 0x0A 00 00 00
0x0B - 0x0C 11g: always the same (41 35)
0x0D - 0x1C DES key
0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF PKCS#12 data (ASN.1 block)
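A defender's counterpart to the layout above, added here as an example and not part of the talk or of Oracle's tooling: a small Python audit that recognises an auto-login wallet from the header bytes the slide lists (magic A1 F8 4E, the type byte and the version byte, read here as hex values, which is an assumption since the slide gives no base) and reports wallet files that other accounts on the host can read or modify. It deliberately reads only the first eight bytes and never touches the key or secret fields, since anyone who can read cwallet.sso already holds the credentials it protects. Function and file names are constructed.

```python
import os
import stat

# Header bytes taken from the layout on the slide; the type/version values are read
# here as hex byte values (assumption: the slide lists them without a base prefix).
SSO_MAGIC = bytes.fromhex("A1F84E")          # offsets 0x00-0x02
SSO_TYPES = {0x36: "SSO", 0x38: "LSSO"}      # offset 0x03
SSO_VERSIONS = {0x05: "10g", 0x06: "11g"}    # offset 0x07


def parse_sso_header(data: bytes) -> dict:
    """Classify an auto-login wallet from its first 8 bytes; nothing is decrypted."""
    if len(data) < 8 or data[:3] != SSO_MAGIC:
        return {"is_sso": False}
    return {
        "is_sso": True,
        "type": SSO_TYPES.get(data[3], "unknown (0x%02x)" % data[3]),
        "version": SSO_VERSIONS.get(data[7], "unknown (0x%02x)" % data[7]),
    }


def permission_findings(mode: int) -> list:
    """Findings for a wallet file's st_mode: anyone who can read cwallet.sso can use it."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set (no reason for a wallet file)")
    return findings


def audit_wallet_dir(path: str) -> list:
    """Walk a wallet directory and return one record per wallet file (constructed tool)."""
    report = []
    for name in sorted(os.listdir(path)):
        if name not in ("cwallet.sso", "ewallet.p12"):
            continue
        full = os.path.join(path, name)
        st = os.stat(full)
        record = {"file": name, "mode": oct(st.st_mode & 0o777),
                  "findings": permission_findings(st.st_mode)}
        if name == "cwallet.sso":
            with open(full, "rb") as fh:
                record.update(parse_sso_header(fh.read(8)))
        report.append(record)
    return report


if __name__ == "__main__":
    import sys
    for rec in audit_wallet_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rec)
```

Run it against a wallet directory (python audit_wallet.py /home/jans/oracle/wallet); a cwallet.sso with mode 0600, owned by the database account, is the expected result. The listing on the next slide, where ewallet.p12 is group- and world-readable and carries an execute bit, would produce findings. An LSSO type means a wallet created with orapki's -auto_login_local, which is bound to the host it was created on.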
$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
Secure External Password Store Hacking
http://blogs.loopback.org/2015/11/oracle-wallets-hacken/
13. DOAG Konferenz 2016
Create new wallet
$ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key
$ ls -lhrt
total 18K
-rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12
-rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso
-rw-r--r-- 1 akira friends 16 Nov 24 18:28 cwallet.key
$ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77
6560+0 records in
6560+0 records out
6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s
Verify validity
$ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key
MAC verified OK
Bag Attributes
friendlyName: orakey
localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01
(...)
Set new password
$ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234 Oracle
PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Use new wallet
$ orapki wallet display -wallet NewP12wallet.p12
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=ORCL11G
Trusted Certificates:
Subject: CN=PX.CORP-PROC01,O=px.corp,ST=Hamburg,C=DE
Subject: CN=PX.CORP-ROOT01,O=px.corp,ST=Hamburg,C=DE
14. DOAG Konferenz 2016
Oracle Internet Directory (OID) / LDAP
(1) Client connects as Leonard.Nimoy/BIGDB
(2) Database requests Leonard.Nimoy from the LDAP server (OID), the repository for user, role and EUS configuration
(3) OID returns Leonard.Nimoy
Database verifies the hash and assigns roles and schema to the user
SQL> alter user ... identified externally;
16. DOAG Konferenz 2016
Kerberos AD connection
Components: client PC with ticket cache; AD domain controller running the Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); DB server, which shares a key with the KDC (shared key exchange).
(1) Domain login: user authenticates with user name and password
(2) KDC verifies the user data
(3) AS returns the user ticket (TGT)
(4) TGT is stored in the client's ticket cache
(5) Client requests a service ticket (ST) for the application server with the TGT
(6) TGS checks the ST request for the application server against the TGT
(7) ST is returned to the client
(9) DB server verifies the ST
17. DOAG Konferenz 2016
Kerberos User Login
SQL> create user USER01 identified externally as
'USER01@TESTED.LCL';
User created.
SQL> grant connect to user01;
[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:
[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting Expires Principal
08-Feb-2016 14:11:20 08-Feb-2016 22:11:11 krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33 08-Feb-2016 22:11:11 oracle/ioaotow01@TESTED.LCL
08-Feb-2016 14:16:40 08-Feb-2016 22:11:11 oracle/ioaotow01.tested.lcl@TESTED.LCL
[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With
the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "USER01@TESTED.LCL"
18. DOAG Konferenz 2016
AD-Integration with Oracle Unified Directory (OUD) & Kerberos
Components: DB farm, database, OUD, client (SqlPlus, Java, etc.); EUS maps users, schema, roles and groups via the OracleContext
OUD Proxy Setup:
• AD user with read privilege
• Read privilege on DB user data in AD
• Oracle Context on LDAP server
• Software: OUD, WebLogic, ADF
• Works with EUS also
[linux7 Oracle_OUD1]$ ./oud-proxy-setup
[linux6]$ okinit testuser
[linux7]$ oklist
Kerberos Ticket
https://wiki.loopback.org/confluence/x/FQCl
19. DOAG Konferenz 2016
Kerberos & Database 12c
• New Software Stack
• RC4-HMAC-NT / W2012 Server
• ORA-12638: Credential retrieval failed
– SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
Bugs...
Reading List:
Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
Doc ID 185897.1: Kerberos Troubleshooting Guide
Master Note For Kerberos Authentication (Doc ID 1375853.1)
WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
Laurent Schneider: The long long route to Kerberos
Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2
domain controller joins the domain
Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
https://wiki.loopback.org/confluence/x/CwCl
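Two of the faults on this reading list lend themselves to a pre-flight check before the first okinit. The following Python script is an added example, not from the talk or from Oracle: it scans a krb5.conf for tab characters on [domain_realm] mapping lines (Doc ID 182979.1) and for arcfour-hmac/RC4 in the enctype settings (Doc ID 1958479.1 points to AES instead), and checks that sqlnet.ora's SQLNET.AUTHENTICATION_SERVICES includes KERBEROS5, the setting the slide gives against ORA-12638. The sample files embedded in it are constructed; default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes are MIT Kerberos option names, and the domain_realm check is stricter than the note's wording in that it flags any tab on a mapping line.

```python
import re

# Constructed sample files reproducing the two krb5.conf problems named on the slide:
# tabs around '=' in [domain_realm] (Doc ID 182979.1) and arcfour-hmac enctypes
# (Doc ID 1958479.1 recommends AES instead).
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = TESTED.LCL
 default_tkt_enctypes = arcfour-hmac aes256-cts-hmac-sha1-96
 default_tgs_enctypes = arcfour-hmac aes256-cts-hmac-sha1-96

[realms]
 TESTED.LCL = {
  kdc = dc01.tested.lcl
 }

[domain_realm]
 .tested.lcl\t=\tTESTED.LCL
 tested.lcl = TESTED.LCL
"""

# The sqlnet.ora line the slide gives as the fix for ORA-12638.
SAMPLE_SQLNET_ORA = "SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5)\n"

RC4_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}


def parse_krb5_sections(text: str) -> dict:
    """Group the raw lines of a krb5.conf by [section]; raw lines keep their whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = re.fullmatch(r"\[(\w+)\]", stripped)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw)
    return sections


def check_krb5_conf(text: str) -> list:
    """Findings as (section, problem, offending line) tuples."""
    findings = []
    sections = parse_krb5_sections(text)
    for raw in sections.get("domain_realm", []):
        if "\t" in raw and "=" in raw:  # stricter than the doc: any tab on a mapping line
            findings.append(("domain_realm", "tab around '=' breaks Oracle's krb5.conf parser", raw.strip()))
    for raw in sections.get("libdefaults", []):
        if "=" not in raw:
            continue
        key, value = (part.strip() for part in raw.split("=", 1))
        if key.lower() in ENCTYPE_KEYS and RC4_ENCTYPES & set(value.lower().split()):
            findings.append(("libdefaults", f"{key} lists RC4; use AES enctypes with 12c", raw.strip()))
    return findings


def check_sqlnet_ora(text: str) -> list:
    """Report when SQLNET.AUTHENTICATION_SERVICES does not enable KERBEROS5."""
    match = re.search(r"SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(([^)]*)\)", text, re.IGNORECASE)
    if not match:
        return [("sqlnet.ora", "SQLNET.AUTHENTICATION_SERVICES not set", "")]
    services = {s.strip().upper() for s in match.group(1).split(",")}
    if "KERBEROS5" not in services:
        return [("sqlnet.ora", "KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES", match.group(0))]
    return []


if __name__ == "__main__":
    import sys
    krb5_path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(krb5_path).read() if krb5_path else SAMPLE_KRB5_CONF
    for finding in check_krb5_conf(text) + check_sqlnet_ora(SAMPLE_SQLNET_ORA):
        print(*finding, sep=" | ")
```

Without an argument the script checks the embedded sample and reports three findings (one tab, two RC4 enctype lists); with a path it checks that krb5.conf instead. A keytab that still carries arcfour-hmac keys is not visible to this check and has to be inspected with klist -k on the database host.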
21. DOAG Konferenz 2016
Kerberos Golden Ticket
• The entire Kerberos security relies on symmetric keys under the “krbtgt” account
  – 128 bits for RC4/AES128
  – 256 bits for AES256
• And once generated, these keys aren’t changed in years
  – only during domain functional upgrade from NT5 -> NT6
  – 2000/2003 to 2008/2012
  – 2008 -> 2012 doesn’t change the value
  – the previous one (n-1) still valid…
Source: Benjamin Delpy
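To make the ticket flow of slide 16 and the krbtgt point of this slide concrete, here is a toy model in Python. It is an added example, not code from the talk or from any Kerberos implementation, and it replaces real ticket encryption with an HMAC tag. The KDC class plays AS and TGS, db_server_verify plays step (9) on the DB server, and krbtgt_rotation_scenario shows why the "n-1 still valid" bullet matters: a TGT sealed with a copy of the krbtgt key is still accepted after one reset and is only rejected after the second, which is why a krbtgt reset has to be done twice. Principal and service names reuse the sample values from slide 17; all keys are generated at runtime.

```python
import hashlib
import hmac
import json
import os
import time

SPN = "oracle/ioaotow01.tested.lcl@TESTED.LCL"   # service principal from the oklist output on slide 17


def seal(key: bytes, fields: dict) -> dict:
    """Toy ticket: fields plus an HMAC tag; stands in for Kerberos' real ticket encryption."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def seal_ok(key: bytes, ticket: dict) -> bool:
    return hmac.compare_digest(seal(key, ticket["fields"])["tag"], ticket["tag"])


class KDC:
    """Toy AS + TGS on the domain controller; keeps the current and the previous krbtgt key."""

    def __init__(self):
        self.krbtgt_keys = [os.urandom(32)]   # [current, previous]
        self.user_keys = {}
        self.service_keys = {}

    def register_user(self, principal: str, password: str):
        # Constructed: the user key is derived from the password the same way the client derives it
        self.user_keys[principal] = hashlib.sha256(password.encode()).digest()

    def register_service(self, spn: str) -> bytes:
        self.service_keys[spn] = os.urandom(32)   # the key shared with the DB server
        return self.service_keys[spn]

    def as_exchange(self, principal: str, password: str) -> dict:
        """Steps (1)-(3): verify the user data, hand back a TGT sealed with the krbtgt key."""
        claimed = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(self.user_keys.get(principal, b""), claimed):
            raise PermissionError("pre-authentication failed")
        return seal(self.krbtgt_keys[0], {"principal": principal, "expires": time.time() + 8 * 3600})

    def tgt_accepted(self, tgt: dict) -> bool:
        """A TGT is accepted when sealed with the current *or* the previous (n-1) krbtgt key."""
        fresh = tgt["fields"]["expires"] > time.time()
        return fresh and any(seal_ok(k, tgt) for k in self.krbtgt_keys)

    def tgs_exchange(self, tgt: dict, spn: str) -> dict:
        """Steps (5)-(7): check the TGT, issue a service ticket sealed with the service key."""
        if not self.tgt_accepted(tgt):
            raise PermissionError("TGT rejected")
        st_fields = {"principal": tgt["fields"]["principal"], "spn": spn, "expires": tgt["fields"]["expires"]}
        return seal(self.service_keys[spn], st_fields)

    def rotate_krbtgt(self):
        """One krbtgt reset: the old key slides into the n-1 slot and stays valid."""
        self.krbtgt_keys = [os.urandom(32), self.krbtgt_keys[0]]


def db_server_verify(service_key: bytes, st: dict, spn: str) -> bool:
    """Step (9): the DB server validates the ST with its own shared key, without asking the KDC."""
    f = st["fields"]
    return f["spn"] == spn and f["expires"] > time.time() and seal_ok(service_key, st)


def login_flow() -> str:
    """Whole path from domain login to the database session; returns the principal the DB sees."""
    kdc = KDC()
    kdc.register_user("user01@TESTED.LCL", "pw")          # constructed sample account
    db_key = kdc.register_service(SPN)
    tgt = kdc.as_exchange("user01@TESTED.LCL", "pw")    # (1)-(4): TGT lands in the ticket cache
    st = kdc.tgs_exchange(tgt, SPN)                     # (5)-(7): ST for the database
    if not db_server_verify(db_key, st, SPN):           # (9): checked with the shared key only
        raise PermissionError("service ticket rejected")
    return st["fields"]["principal"]


def krbtgt_rotation_scenario() -> list:
    """Acceptance of a TGT sealed with a copy of the krbtgt key after 0, 1 and 2 resets."""
    kdc = KDC()
    copied_key = kdc.krbtgt_keys[0]
    # Sealed directly with the key: the KDC cannot tell it from one it issued itself
    tgt = seal(copied_key, {"principal": "anyone@TESTED.LCL", "expires": time.time() + 10 * 365 * 86400})
    accepted = [kdc.tgt_accepted(tgt)]
    for _ in range(2):
        kdc.rotate_krbtgt()
        accepted.append(kdc.tgt_accepted(tgt))
    return accepted   # [True, True, False]


if __name__ == "__main__":
    print("DB session for:", login_flow())
    print("copied-key TGT accepted after 0/1/2 resets:", krbtgt_rotation_scenario())
```

The model also shows where detection has to live: the DB server in step (9) never contacts the KDC, so a ticket with a ten-year lifetime or an unusual principal is only visible in the KDC's own logs and in ticket lifetimes that exceed the domain policy, not at the database.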
23. DOAG Konferenz 2016
PKI: Certificates and Wallets
Database Server
1. Create empty wallet
2. Create Key and Certificate Request
3. Sign Request by CA (e.g. CN=db12c)
4. Import CA Certificate (CN=myCA)
5. Import signed server certificate
Database Client
1. Create empty wallet
2. Create Key and Certificate Request
3. Sign request by CA (e.g. CN=jans)
4. Import CA certificate (CN=myCA)
5. Import signed user certificate
24. DOAG Konferenz 2016
Display Wallet
[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=LOOPDS
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
25. DOAG Konferenz 2016
PKI: Login using certificate
SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;
$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
28. DOAG Konferenz 2016
Benefit Analysis
Feature: Passwords | Pwd Wallets | Kerberos | SSL-PKI | EUS
Password theft protection: ✔ ✔ ./.
Reduced administrative overhead per user account: ✔ ✔ ✔
Audit proof: ✔ ✔ ./.
Central user and password administration: ✔ ✔
Central role administration: ✔
Serves technical users: ✔ ✔ ✔ ✔
Serves human users: ✔ ✔ ✔
Minimal rollout difficulty: ✔
No additional license costs: ✔ ✔ ✔ ✔
No directory dependence: ✔ ✔
29. DOAG Konferenz 2016
Jan Schreiber, Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | bi solutions
jans@loopback.org
blogs.loopback.org
Thank you very much for your attention!
Editor's Notes
Database security projects for more than 15 years
Risk: default passwords with no link to a user
Risk: reuse of user IDs and passwords, even with individual IDs.
Risks also when the hashes are stored in the database itself: how the Oracle database stores hashes. Explanation of the hash algorithms used:
DES: Used from Oracle 6 through 10gR2, still enabled in 11gR1 – 12.1.0.2
Concatenate user|password => Unicode the string => encrypt with DES using key 0x0123456789abcdef => encrypt first block => xor next block with result => take the last IV as a new KEY and repeat
No practicable attack vector but short key
SHA1: Used in 11gR1 through 11.2.0.4
Actually still available in 12.1.0.2
Added case sensitive passwords to the database for first time
As a result longer key space by default
Password only is hashed, not username and password (in DES the username is the salt)
Salt is generated by the database on password create/change
Salt is passed by SQLNet to the client
Salt is stored in SYS.USER$.SPARE4
Fast algorithm
SHA1 is broken - https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
SHA2: Only added in 12.1.0.2 – SHA2 also added to DBMS_CRYPTO
Combination of SHA2 (SHA512) and PBKDF2 algorithms
PBKDF2 is done in the client, SHA2 is completed in the server
As with SHA1 the password hash and salt are stored in SYS.USER$.SPARE4
Much slower to crack than SHA1 and DES due to PBKDF2
MD5Digest: Added in 12.1.0.1 to all database accounts
MD5 is a predecessor to SHA and SHA1 and much faster to execute than SHA2
Same hash always generated for same password
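The properties these notes describe (and the avalanche figure on slide 6) can be checked directly with Python's hashlib. The block below is an added example, not code from the talk and not Oracle's verifier algorithms: it counts how many digest bits flip for the slide's one-letter edits, shows that an unsalted digest repeats for equal passwords while a salted one does not, and times PBKDF2-HMAC-SHA512 against plain salted SHA-1 to show the cost the 12c scheme puts on every guess. The 4096 iteration count and the salt sizes are constructed choices.

```python
import hashlib
import os
import time

# Constructed sample inputs: the slide's "red fox" sentences. The SHA-1 values computed
# here are real digests; the figure on the slide is illustrative and shows other values.
SENTENCES = [
    "The red fox jumps over the blue dog",
    "The red fox jumps oevr the blue dog",
    "The red fox jumps ouer the blue dog",
    "The red fox jumps oer the blue dog",
]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(sentences=SENTENCES) -> dict:
    """Bits of the 160-bit SHA-1 digest that flip for each small edit of the first sentence."""
    base = sha1_hex(sentences[0])
    return {s: bit_distance(base, sha1_hex(s)) for s in sentences[1:]}


def unsalted_md5(password: str) -> str:
    """No salt: the same password always yields the same digest (the MD5Digest property above)."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Per-user random salt (the 11g idea): equal passwords no longer share a digest."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def stretched(password: str, salt: bytes, iterations: int = 4096) -> str:
    """PBKDF2-HMAC-SHA512 (the 12c idea): every guess costs `iterations` HMAC calls.
    Principle only, not Oracle's exact verifier format; 4096 is a constructed choice."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations).hex()


def guess_cost_ratio(password: str = "secret", iterations: int = 4096, trials: int = 50) -> float:
    """How many times slower one stretched guess is than one salted SHA-1 guess on this host."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        salted_sha1(password, salt)
    fast = time.perf_counter() - start
    start = time.perf_counter()
    for _ in range(trials):
        stretched(password, salt, iterations)
    slow = time.perf_counter() - start
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    for sentence, bits in avalanche().items():
        print(f"{bits:3d} bits differ: {sentence!r}")
    s1, s2 = os.urandom(16), os.urandom(16)
    print("unsalted digests equal:", unsalted_md5("secret") == unsalted_md5("secret"))
    print("salted digests equal:  ", salted_sha1("secret", s1) == salted_sha1("secret", s2))
    print(f"stretched guess costs {guess_cost_ratio():.0f}x a salted SHA-1 guess")
```

The ratio printed last is the only number an attacker's budget cares about: with a plain salted SHA-1, each candidate costs one compression; with PBKDF2 it costs thousands, and that factor, not the digest length, is what the "much slower to crack" note refers to.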
Collision resistance of a cryptographic hash function.
Estimated hardware cost for running through the various algorithms.
Hashes can also be stolen over the network, because the session key is transmitted and contains the salt if the connection is not SSL-encrypted.
Further risk: hard-coded passwords in scripts or code.
Alternative: storing passwords in Oracle password wallets. The hashes in the dictionary remain.
Hacking password wallets (1). The passwords are stored binary-encoded in the wallet file; in auto-login wallets they are encrypted with a default password.
Hacking password wallets (2):
- Create the key file with the password previously read from the SSO file
- Copy the SSO file into a p12 file without the header
- Verify with OpenSSL
- Set a new password with orapki
- Use the wallet
Alternative: no hashes in the database, but in the LDAP directory.
Working with externally authenticated users.
The hashes are then in the LDAP directory, or with OID in the database. In clear text.
Kerberos connection: what it looks like (external, without a directory)
Kerberos connection with EUS in OUD. How it works and a link to the guide.
Kerberos connection in DB 12c: lots of bugs. Link to the wiki.
Risks in Kerberos: Mimikatz. Passwords and NTLM hashes can be read from the RAM of Windows workstations; with admin access, domain administrator passwords as well. Patches for Windows 7. But: security is centralised and the responsibility of IT.
Kerberos risk: Golden Tickets. The passwords for the Kerberos master account are computed and a fake TGT signature is created.
Where Pass-the-Hash attaches the NTLM hash LSASS has of a valid user to an existing session, Pass-the-Ticket, or the ‘Golden Ticket’ attack convinces the target system that an invalid session is in fact, valid (Truncer, n.d., Mimikatz, Kiwi, and Golden Ticket generation).
In Windows’ implementation of Kerberos, systems trust a Kerberos ticket signed by the hash of a ticket-granting ticket.
If an attacker manages to collect the NTLM hash of krbtgt account, this may be used by Mimikatz to generate a ‘Golden Ticket’ that may be used to elevate the privileges of any session from any system.
The four pieces of information required to generate a Golden Ticket are:
An administrator username, though any name will work
The fully qualified domain name
The domain SID
The NTLM hash of the krbtgt account
The account name can be any string, but mimicking an existing account will help to disguise the ticket’s use.
The fully qualified domain name may be obtained by running ipconfig /all:
Alternative: SSL PKI. A CA must be created or already exist.
Steps needed to connect the DB to the SSL PKI.
Display the PKI wallet. The database's wallet, CN=LOOPDS. The LBO trusted certificate is anchored.
Creating an external user and logging in to the DB. We come in encrypted over TCPS and are authenticated via SSL.