FREE
VOL. 1 NO. 1
ORACLE FORENSICS
Detection of Attacks Through Default Accounts and Passwords in Oracle
ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND • LIVE CAPTURE PROCEDURES • MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE • ISSUES IN MOBILE DEVICE FORENSICS • INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE • DRIVE AND PARTITION CARVING PROCEDURES
Issue 1/2012 (1) July
www.eForensicsMag.com
Improve your Firewall Auditing: switches, routers and other infrastructure devices

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, this could mean manually reviewing the configuration files saved from a wide variety of devices.

Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail. You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

Device auditing areas compared (Scanners vs. Nipper Studio): Password Encryption Settings; Physical Port Audit; Network Address Translation; Network Protocols; Time Synchronization; Warning Messages (Banners); Network Administration Services; Network Service Analysis; Password Strength Assessment; Software Vulnerability Analysis; Network Filtering (ACL) Audit; Wireless Networking. (* Limitations and constraints will prevent a detailed audit.)

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

www.titania.com | enquiries@titania.com | T: +44 (0)845 652 0621
Dear Readers!

TEAM
Editor: Aleksandra Bielska (aleksandra.bielska@software.com.pl)
Associate Editors: Sudhanshu Chauhan (sudhanshu.chauhan@software.com.pl), Praveen Parihar (praveen.parihar@software.com.pl), Hussein Rajabali (hussein.rajabali@software.com.pl)
Betatesters/Proofreaders: Nicolas Villatte, Jeff Weaver, Danilo Massa, Cor Massar, Jason Lange, Himanshu Anand, Dan Hill, Raymond Morsman, Alessandro Fiorenzi, Nima Majidi, Dave Mikesch, Brett Shavers, Cristian Bertoldi, Jacopo Lazzari, Juan Bidini, Olivier Caleff, Johan Snyman
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic (ewa.dudzic@software.com.pl)
Art Director: Mateusz Jagielski (mateuszjagielski@gmail.com)
DTP: Mateusz Jagielski
Production Director: Andrzej Kuca (andrzej.kuca@software.com.pl)
Marketing Director: Ewa Dudzic
Publisher: Software Media Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com
DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Digital forensics is a very young field of science but nowadays it's becoming more and more popular. Although it was originally designed for investigating crimes, it soon became a big part of computer systems engineering and contributed to the development of mobile devices. To meet your professional interests we have created a new publication devoted to digital forensic issues. I present to you our first eForensics offspring: eForensics Free Magazine. It's a monthly compilation of the best articles from four titles: eForensics Mobile, eForensics Computer, eForensics Database and eForensics Network.

Within the issue of eForensics Free you will find two pieces concerning mobile forensics, an article about network forensics, three pieces focused on computer forensics and an article about database forensics. The article by M-Tahar Kechadi and Lamine Aouad will discuss the increasingly important role of mobile forensics in criminal investigations, law disputes and information security. Eamon Doherty will describe tools used to recover data from mobile devices. Craig S. Wright will introduce you to free tools which can be used to create a powerful network forensics and incident response toolkit. Arup Nanda will show you how to identify potential attacks by adversaries through default accounts. George Chlapoutakis guides you step by step through a digital forensic investigation. Last but not least, I would like to announce the beginning of two article series. One of them, by Craig S. Wright, will take you through the process of carving files from a hard drive. The other, by Praveen Parihar, will take you on a journey through advanced steganography.

Thank you all for your great support and invaluable help. Enjoy reading!

Aleksandra Bielska & eForensics Team
MOBILE

6. ISSUES IN MOBILE DEVICE FORENSICS by Eamon Doherty
This article discusses some of the mobile devices and accessories that one may encounter on a suspect during an investigation, examples of usage of these mobile devices and accessories, and the tools that one can use to examine them. The article also starts off with some certifications that make one more marketable in this emerging field. In this article the author discusses using tools such as Access Data's FTK, Guidance Software's EnCase, and RecoverMyFiles to recover evidence from a digital camera with a FAT file system.

12. MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE by M-Tahar Kechadi, Lamine Aouad
While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. In this article the authors share some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.

NETWORK

8. LIVE CAPTURE PROCEDURES by Craig S. Wright
As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. Once, analysing a disk drive was a source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require. In this article the author introduces a few tools that, although free, can be used together to create a powerful network forensics and incident response toolkit.

COMPUTER

24. ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND by Praveen Parihar
Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications. In this article the author discusses methods of steganography.

28. INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE by George Chlapoutakis
Fraud can take many forms, and can take place practically anywhere, at any time and in any way. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have some to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? In this article the author shares his experience from the point of view of the digital forensics investigator.

32. DRIVE AND PARTITION CARVING PROCEDURES by Craig S. Wright
This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is and also work through identifying the length in sectors of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. We start by learning about hard disk drive geometry.

DATABASE

38. DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE by Arup Nanda
An Oracle database comes with many default userids (and, worse, well known default passwords), which ideally shouldn't have a place in a typical production database, but database administrators may have forgotten to remove the accounts or lock them after setting up the production environment. This provides one of the many ways an adversary attacks a database system: by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article the author will show you how to identify such attacks and trace back to the source quickly and effectively. You will also learn how to set up a honeypot to lure such adversaries into attacking so as to disclose their identity.
CYBER CRIME LAWYERS
Pannone are one of the first UK firms to recognise the need for specialist cyber crime advice. We can both defend and prosecute matters on behalf of private individuals and corporate bodies. We are able to examine material or secure evidence in-situ and will then represent your needs at every step of the way. Our team has a wealth of experience in this growing area and are able to give discrete, specialist advice.
Please contact David Cook on
0161 909 3000
for a discussion in confidence or email david.cook@pannone.co.uk
www.pannone.com
MOBILE
MOBILE PHONE FORENSICS: HUGE CHALLENGE OF THE FUTURE

While the processes and procedures are well established in traditional hard drive based computer forensics, their counterparts for the rapidly emerging mobile ecosystem have proven to be much more challenging. This article shares some thoughts about the reasons leading to this, as well as the current state of mobile digital forensics, what is needed, and what to expect in the future.
The information and data era is rapidly evolving. As a result, there has been an exponential growth of consumer electronics, and especially mobile devices, over the past few years, with ever-increasing trends and forecasts for the coming years. Mobile devices have already overtaken PCs, and mobile data traffic is expected to increase 18-fold over the next five years to approach 11 exabytes per month, according to Cisco Systems [1]. Their computing power, storage, and functionality have tremendously increased. Phones have been transformed from simple handheld devices, essentially making and receiving calls or text messages, into highly effective devices capable of doing more or less everything a desktop or a laptop computer can do, and even more. A large range of Android-based smartphones, iPhones, BlackBerrys, and even tablet products are all examples of these mobile devices. Their typical storage capacity today is higher than that of a powerful desktop back in the late 1990s! And the vast majority can also be fed memory cards.
This tremendous computational and storage capacity has turned mobile devices into data repositories capable of computing and storing a large amount of personal, organisational and also sensorial information. Indeed, although these devices can be input limited, they have remarkable context awareness because of all the sensors and various connectivity options. Unfortunately, criminals use this technology. They have not missed this proliferation of mobile systems and its data revolution, and these devices are being used as a support to criminal activities. For instance, earlier this year, a US officer found out that the suspect he was about to arrest was using his smartphone to listen to the police secure channels streaming via the Internet [2].

All classes of crimes can involve some type of digital evidence (a photo, a video, a received or emitted call, messages, web pages, etc.). These devices are also commonly used in social networking nowadays, and in carrying out sensitive operations online, including online banking, shopping, electronic reservations, etc. Hacking then becomes a huge problem. In February 2011, hackers were remotely monitoring the calls made and received from about 150,000 infected mobile devices in China [3]. Another example is the Zeus man-in-the-mobile Trojan, discovered in September 2010, which was the first Trojan in the mobile devices environment to compromise online banking's two-factor authentication mechanism [4] [5]. It is indeed quite easy for cyber criminals to build a Trojan application nowadays [6], because these mobile systems are at their early stages.
Valuable information can then be obtained from a mobile device: text messages, e-mails, communication logs, contacts, multimedia files, geo-location information (GPS and Wi-Fi hotspots), etc. These can help answer crucial questions in cybercrime investigations and solve the related cases. However, there are still a huge number of challenges facing a forensics investigator in obtaining forensically sound evidence from these devices. In this article, we present the process of recovering digital evidence and its challenges, and then share some information about current methods and tools, and a few prospects for the future.
secureninja.com: Forging IT Security Experts

Expert IT Security Training & Services
• Security+ • CISSP® • CEH (Professional Hacking) v7.1 • CAP (Certified Authorization Professional) • CISA • CISM • CCNA Security • CWNA • CWSP • DIACAP • ECSA / LPT Dual Certification • ECSP (Certified Secure Programmer) • EDRP (Disaster Recovery Professional) • CCE (Computer Forensics) • CHFI • ISSEP • Cloud Security • Digital Mobile Forensics • SSCP • Security Awareness Training … and more

Free Hotel Offer on Select Boot Camps. Offer ends on Jan 31, 2012. Call 703-535-8600 and mention code PentestNinja to secure your special rate.
Welcome Military: Veterans Benefits & GI Bill Post 9/11 Approved; WIA (Workforce Investment Act) Approved.
Sign Up & Get Free Quiz Engine From cccure.org
www.secureninja.com | 703 535 8600
NETWORK
LIVE CAPTURE PROCEDURES

As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. Once, analysing a disk drive was a source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require.

As we move to a world of cloud based systems, we are increasingly finding that we are required to capture and analyse data over networks. To do this, we need to become familiar with the various tools that are available for these purposes. In this article, we look at a few of the more common free tools that will enable you to capture traffic for analysis within your organisation.

Once, analysing a disk drive was a source of incident analysis and forensic material. Now we find that we cannot access the disk in an increasingly cloud based and remote world, requiring the use of network captures. This is not a problem however. The tools that are freely available in both Windows and Linux offer a means to capture traffic and carve out the evidence we require. For this reason alone we would require the ability to capture and analyse data over networks, but when we start to add all of the other benefits, we need to ask: why are you not already doing this?
Tcpdump

In the event that a live network capture is warranted, we can easily run a network sniffer to capture communication flows to and from the compromised or otherwise suspect system. There are many tools that can be used (such as Wireshark, Snort and others) to capture network traffic, but Tcpdump is generally the best capture program when set to capture raw traffic. The primary benefit is that this tool will minimize any performance issues while allowing the data to be captured in a format that can be loaded into more advanced protocol analysers for review. That stated, there are only minor differences between Tcpdump and WinDump, and most of what you can do in one is the same on the other (some flags do vary).

Tcpdump uses the libpcap library, which can capture traffic from a file or an interface. This means that you can save a capture and analyse it later, which is a great aid in incident response and network forensics. With a file such as "capture.pcap", we can read and display the data using the "-r" flag. For instance, tcpdump -r capture.pcap will replay the data saved in the file "capture.pcap". By default, this will display the output on the screen. In reality, the data is sent to STDOUT (standard output), but for most purposes the console and STDOUT are one and the same thing. Using BPF (Berkeley Packet Filter) expressions, you can also restrict the output, both collected and saved. In this way, you can collect all data to and from a host and then strip selected ports (or services) from this saved file. Some of the options that apply to tcpdump include (quoted with alterations from the Red Hat tcpdump man page):

-A
Print each packet (minus its link level header) in ASCII.

-c
Exit after receiving a set number of packets (defined after -c).

-C
Before writing a raw packet to a savefile, check whether the file is currently larger than a given file_size. Where this is the case, close the current savefile and open a new one.

-d
Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd
Dump packet-matching code as a C program fragment.

-ddd
Dump packet-matching code as decimal numbers (preceded with a count).

-D
Print the list of the network interfaces available on the system and on which tcpdump can capture packets.
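Reading a saved capture back and restricting it to one port, which is what tcpdump -r capture.pcap combined with a BPF port expression does, is shown below in an added Python example that is not part of the original article. Instead of calling libpcap it implements a minimal reader for the classic libpcap file format (the format tcpdump -w produces), honours the byte-order magic in the file header, and decodes Ethernet/IPv4/TCP headers just far enough to apply a port filter and recover the payload. The capture it reads is constructed inside the script (three TCP packets with placeholder 10.0.0.x addresses and zeroed checksums), so it runs offline; build_pcap, tcp_frame, read_pcap, decode_tcp and filter_port are names chosen here and are not tcpdump or libpcap API.

```python
import struct

# libpcap file format constants (classic pcap, microsecond timestamps)
PCAP_MAGIC_LE = 0xA1B2C3D4   # value seen when the file is little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # value seen when the file is big-endian
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Construct a little-endian pcap byte string from (ts_sec, frame) pairs.
    Only used here to fabricate sample input; real data comes from tcpdump -w."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [hdr]
    for ts, frame in packets:
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; parsing only)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def read_pcap(data):
    """Yield (timestamp, frame) records from pcap bytes, like tcpdump -r does."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record: capture was cut short")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[14 + 9] != 6:
        return None                      # protocol field: 6 = TCP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length from the data-offset nibble
    return src, dst, sport, dport, tcp[data_off:]


def filter_port(data, port):
    """Equivalent of `tcpdump -r capture.pcap port N`: TCP packets touching the port."""
    hits = []
    for ts, frame in read_pcap(data):
        decoded = decode_tcp(frame)
        if decoded and port in (decoded[2], decoded[3]):
            hits.append((ts,) + decoded)
    return hits


# Constructed sample capture: an HTTP request/response pair and one SSH banner.
SAMPLE_PCAP = build_pcap([
    (1341187200, tcp_frame("10.0.0.5", "10.0.0.9", 51234, 80, b"GET / HTTP/1.0\r\n")),
    (1341187201, tcp_frame("10.0.0.9", "10.0.0.5", 80, 51234, b"HTTP/1.0 200 OK\r\n")),
    (1341187202, tcp_frame("10.0.0.5", "10.0.0.9", 51235, 22, b"SSH-2.0-client\r\n")),
])

if __name__ == "__main__":
    for ts, src, dst, sport, dport, payload in filter_port(SAMPLE_PCAP, 80):
        print(f"{ts:.6f} {src}:{sport} -> {dst}:{dport} {payload!r}")
```

To run the same filter over a real file, replace SAMPLE_PCAP with the bytes read from capture.pcap; tcpdump itself remains the right tool for the capture step, since it reads raw traffic with far less overhead than a Python loop.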
COMPUTER

ADVANCED STEGANOGRAPHY: ADD SILENCE TO SOUND

Steganography is a very comprehensive topic for all techno-geeks because it involves such an interesting and comprehensive analysis to extract the truth, as we have heard this term many times in the context of terrorist activities and their communications.

Steganography means covert writing: hiding confidential information in a cover file. This cover file can be in the form of PDF, XLS, EXE, JPEG, MP3 or MP4, etc. The Least Significant Bit (LSB) method is very famous and fascinating when steganography is discussed, because the case study of hiding a secret text behind an image sounds genuinely interesting. To understand this concept, we first need to understand how an image is classified and what happens when a single bit is altered in an image, as described below.

Images are composed of small elements called pixels, and there are basically three types of images. A pixel is the essential component of an image:
1) Black and white: each pixel is composed of a single bit and is either a zero or a one.
2) Grayscale: each pixel is composed of 8 bits (in rare cases, 16 bits) which define the shade of grey of the pixel, from zero (black) to 255 (white).
3) Full color: also called 24-bit color, as there are 3 primary colors (red, green, blue), each defined by 8 bits.

Although there are different types of images, we assume here that a grayscale image is used. An 8-bit grayscale image consists of pixels which have 2^8 = 256 possible levels of grey, and each bit position contributes a different share of the information:
1. LSB (Least Significant Bit) contributes 1/256th of the information
2. MSB (Most Significant Bit) contributes ½ of the information

So, changing the LSB only affects 1/256th of the intensity and humans simply cannot perceive a difference. In fact, it is difficult to perceive a difference of 1/16th in intensity, so we can easily alter the 4 LSBs with little or no perceptible difference. Here we have shown two images which illustrate why steganography has become famous and how an image does not get distorted even if we embed secret or confidential information.

(Original Image)
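The LSB argument above (one bit changes at most 1/256th of the intensity, four bits at most 1/16th) is made concrete in the added Python example below; it is not code from the article or its author. It treats an 8-bit grayscale image as a flat byte string of pixel values, embeds a length-prefixed message into the low n bits of each pixel, extracts it again, and measures the largest per-pixel change so the perceptibility claim can be checked numerically. The cover image is a constructed 64x64 gradient rather than a real photo, and embed, extract, max_pixel_change and capacity_bytes are names chosen here.

```python
def capacity_bytes(cover, nbits):
    """Message bytes that fit in `cover` using `nbits` low bits per pixel (4-byte length prefix)."""
    return (len(cover) * nbits) // 8 - 4


def embed(cover, secret, nbits=1):
    """Hide `secret` in the low `nbits` bits of each 8-bit grayscale pixel.
    A 32-bit big-endian length prefix tells extract() where the message ends."""
    if not 1 <= nbits <= 8:
        raise ValueError("nbits must be between 1 and 8")
    if len(secret) > capacity_bytes(cover, nbits):
        raise ValueError("cover image too small for this payload")
    payload = len(secret).to_bytes(4, "big") + secret
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % nbits)            # pad to a whole number of chunks
    chunks = [int(bits[i:i + nbits], 2) for i in range(0, len(bits), nbits)]
    keep_mask = 0xFF ^ ((1 << nbits) - 1)          # clears only the low nbits of a pixel
    out = bytearray(cover)
    for i, chunk in enumerate(chunks):
        out[i] = (out[i] & keep_mask) | chunk
    return bytes(out)


def extract(stego, nbits=1):
    """Recover the message written by embed() with the same nbits."""
    low_mask = (1 << nbits) - 1
    bits = "".join(f"{p & low_mask:0{nbits}b}" for p in stego)
    length = int(bits[:32], 2)
    body = bits[32:32 + 8 * length]
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))


def max_pixel_change(cover, stego):
    """Largest intensity change any pixel suffered: at most 2**nbits - 1 for LSB embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 grayscale gradient, one byte per pixel (values 0..126).
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
SECRET = b"meet at dawn"   # constructed sample message

if __name__ == "__main__":
    for n in (1, 4):
        stego = embed(COVER, SECRET, n)
        print(f"{n} LSB(s): recovered {extract(stego, n)!r}, "
              f"max change {max_pixel_change(COVER, stego)}/255, "
              f"capacity {capacity_bytes(COVER, n)} bytes")
```

With nbits=1 the largest change is 1 out of 255 (the 1/256th the text mentions) and with nbits=4 it is at most 15 (about 1/16th); raising nbits buys capacity at the price of a change that eventually becomes visible, which is also why LSB-plane statistics are where steganalysis tools look first.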
COMPUTER
INVESTIGATING FRAUD IN WINDOWS-BASED DRIVING EXAMINATION THEORY SYSTEMS AND SOFTWARE
Fraud can take many forms, and can take place practically anywhere, at any time and in any way. Theoretical driving examinations are now computerized in most parts of the world and the overwhelming majority of such systems tend to have some to no security at all, relying instead on the invigilators of the exam to catch those suspected of fraud. But what happens when the invigilators fail and you, the digital forensic investigator, are asked to look into the case? Where does one start, where does one go and where does one end up? What do we investigate, how do we go about it and with what tools?

In this article, I will attempt to share my experiences investigating such systems from the point of view of the digital forensic investigator who first arrives at the scene of the crime, from the moment of arrival to the final report submitted to the client. Let us, then, start our journey from the moment we (the digital forensic investigators) get the fateful call, where we are told it's a case of fraud in the Driving Test Centre and we have been called to investigate it and present a report. To begin with, it should be stated that, as most driving test centres are part of a country's internal services, we are always going to be dealing with a mixture of government officials (of middle-management persuasion) and local law enforcement, and we are always going to need to deal with red-tape-style bureaucracy, where everything moves much more slowly than when dealing with the private sector.
This means we are going to be dealing with the nightmare scenario where our crime scene is possibly several months old and very seriously tainted (as non-essential government bodies tend to respond fairly slowly and after much red-tape to such cases), and where normal digital forensic processes and practices don’t usually work. The nightmare comes from the fact that, in such a scenario, you cannot explicitly trust the data you collect or any information that you are given and cannot corroborate in a straightforward way. The data has been tainted, the exams are running 2-3 times a week and the test centre cannot be closed down for the duration of the investigation, so we are told we have to release the (many, plus servers) computers within a very specific and finite length of time (1-2 days at most). So, we arrive in the vicinity of the crime scene (the building).
COMPUTER
DRIVE AND PARTITION CARVING PROCEDURES

This article is the start of a series of papers that will take the reader through the process of carving files from a hard drive. We explore the various partition types and how to determine these (even on formatted disks), learn what the starting sector of each partition is and also work through identifying the length in sectors of each partition. In this, we cover the last two bytes of the MBR and why they are important to the forensic analyst. This process is one that will help the budding analyst or tester in gaining an understanding of drive partitions and hence how they can recover and carve these from a damaged or formatted drive. We start by learning about hard disk drive geometry.

The format of this article is a step by step process that is designed to take the reader through the analysis of a hard drive. Although the process may vary somewhat for each drive, the fundamentals remain the same and following these steps will allow the analyst to recover drive partitions that have been damaged or formatted even when the automated tools fail.
THE BEGINNING
There are a number of commands we shall be using in this article that are fairly standard on most Linux distros. In this article, it is assumed that the analyst has already created a bitwise raw image of the hard disk drive to be examined using "dd" or a similar tool.

The commands we will start with to copy our MBR (master boot record):
• dd if=Image.dd of=MBR.img bs=512 count=1
• ls -al *img
• khexedit MBR.img &
Here, we first extract the MBR from our image file (in this case Image.dd) and write the data to a file called MBR.img. Note that we have extracted only the first 512 bytes, and we can validate the size of this image file using the command "ls -al *img".
MASTER BOOT RECORD (MBR)
In most drive formats that we will analyse (there are exceptions with some RISC systems, etc.), each partition entry is always 16 bytes in length. Moreover, the end-of-MBR marker is ALWAYS 0x55AA! Many modern Linux, Macintosh and the most recent Intel PCs have started using GPT instead of MBR. MBR limits the size of partitions to 2.19 TB, which is why it is starting to be replaced. We will look at other partition formats in later papers.
Table 1. The HDD table (partition entry offsets within the MBR)

Partition   Offset    Byte place
1st         0x01BE    446
2nd         0x01CE    462
3rd         0x01DE    478
4th         0x01EE    492
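The layout just described (a 512-byte MBR, four 16-byte partition entries starting at 0x01BE, and the 0x55AA marker in the last two bytes) is exercised by the added Python example below, which is not code from the article or its author. It builds a constructed MBR.img-style sector with two placeholder entries, refuses to parse a sector whose final two bytes are not 0x55AA, decodes each entry's bootable flag, type byte, starting LBA sector and length in sectors, and prints the dd command that would carve that partition out of Image.dd (the same dd form the article uses for the MBR, with skip and count added). The entry offsets are derived from 0x01BE + 16·n rather than copied, so the decimal column is computed (0x01EE evaluates to 494); build_mbr, parse_mbr, has_mbr_signature, dd_commands and the partition values are assumptions made for the example.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE                       # 446: first partition entry
ENTRY_SIZE = 16
ENTRY_OFFSETS = [TABLE_OFFSET + ENTRY_SIZE * i for i in range(4)]   # 446, 462, 478, 494
ENTRY_FMT = "<B3sB3sII"                    # status, CHS start, type, CHS end, LBA start, sectors


def has_mbr_signature(mbr):
    """True when bytes 510-511 hold the 0x55AA marker (stored as 55 AA on disk)."""
    return len(mbr) >= SECTOR and mbr[510:512] == b"\x55\xAA"


def build_mbr(entries):
    """Construct a sample 512-byte MBR from (bootable, type, start_lba, sectors) tuples.
    CHS fields are zeroed; modern tools use the LBA fields, as this parser does."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        off = ENTRY_OFFSETS[i]
        mbr[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode the four partition entries; empty slots (type 0x00) are skipped."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least the first 512 bytes of the drive image")
    if not has_mbr_signature(mbr):
        raise ValueError("bytes 510-511 are not 0x55AA: not an MBR, or the sector is damaged")
    parts = []
    for i, off in enumerate(ENTRY_OFFSETS):
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue
        parts.append({
            "index": i + 1,
            "offset": off,
            "bootable": status == 0x80,
            "type": ptype,
            "start_sector": start,
            "sectors": count,
            "end_sector": start + count - 1,
            "start_byte": start * SECTOR,
        })
    return parts


def dd_commands(parts, image="Image.dd"):
    """dd invocations that would carve each partition out of the raw image."""
    return [f"dd if={image} of=part{p['index']}.img bs={SECTOR} "
            f"skip={p['start_sector']} count={p['sectors']}" for p in parts]


# Constructed sample: an NTFS-type (0x07) boot partition and a Linux-type (0x83) partition.
SAMPLE_MBR = build_mbr([
    (True, 0x07, 2048, 204800),
    (False, 0x83, 206848, 409600),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"entry {p['index']} @ {p['offset']:#06x}: type {p['type']:#04x} "
              f"sectors {p['start_sector']}-{p['end_sector']} "
              f"({p['sectors']} sectors, byte offset {p['start_byte']})")
    for cmd in dd_commands(parse_mbr(SAMPLE_MBR)):
        print(cmd)
```

On a real image, read the first 512 bytes of Image.dd (or MBR.img produced by the article's dd command) into SAMPLE_MBR's place; if the 0x55AA check fails on a drive that should have an MBR, the sector has been overwritten or damaged and the later steps in this series, rather than the partition table, are the way to locate the partitions.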
Mile2: Global I.T. Security Training & Consulting

In February 2002, Mile2 was established in response to the critical need for an international team of IT security training experts to mitigate threats to national and corporate security far beyond USA borders in the aftermath of 9/11.

IS YOUR NETWORK SECURE? A network breach... could cost your job!

mile2 Boot Camps (www.mile2.com)
PENETRATION TESTING (AKA ETHICAL HACKING): C)PTE Certified Penetration Testing Engineer; C)PTC Certified Penetration Testing Consultant
SECURE CODING TRAINING: C)SCE Certified Secure Coding Engineer
WIRELESS SECURITY TRAINING: C)WSE Certified Wireless Security Engineer; C)WNA/P Certified Wireless Network Associate / Professional
DR&BCP TRAINING: DR/BCP Disaster Recovery & Business Continuity Planning
VIRTUALIZATION BEST PRACTICES: C)SVME Certified Secure Virtual Machine Engineer
DIGITAL FORENSICS: C)DFE Certified Digital Forensics Examiner
GENERAL SECURITY TRAINING: CISSP & Exam Prep; C)ISSO Certified Information Systems Security Officer; C)SLO Certified Security Leadership Officer; ISCAP Info. Sys. Certification & Accred. Professional
SANS: GSLC GIAC Sec. Leadership Course; SANS 440 Top 20 Security Controls; GCIH GIAC Cert Incident Handler
Other New Courses!! ITIL Foundations v.3 & v.4; CompTIA Security+, Network+; ISC2 CISSP & CAP

Available Training Formats: F2F Classroom Based Training; CBT Self Paced CBT; LOT Live Online Training; KIT Study Kits & Exams; LHE Live Hacking Labs (War-Room). Worldwide Locations.

INFORMATION ASSURANCE SERVICES: We practice what we teach. Other Mile2 services available globally: 1. Penetration Testing 2. Vulnerability Assessments 3. Forensics Analysis & Expert Witnesses 4. PCI Compliance 5. Disaster Recovery & Business Continuity

1-800-81-MILE2 | +1-813-920-6799 | 11928 Sheldon Rd, Tampa, FL 33626

(ISC)2 & CISSP are service marks of the IISSCC, Inc. Security+ is a trademark of CompTIA. ITIL is a trademark of OGC. GSLC & GCIH are trademarks of GIAC.
DATABASE
DETECTION OF ATTACKS THROUGH DEFAULT ACCOUNTS AND PASSWORDS IN ORACLE

An Oracle database comes with many default userids (and, worse, well known default passwords), which ideally shouldn't have a place in a typical production database, but database administrators may have forgotten to remove the accounts or lock them after setting up the production environment. This provides one of the many ways an adversary attacks a database system: by attempting to guess the presence of a default userid and password, either by brute force or by social engineering techniques. In this article you will learn how to identify such attacks and trace back to the source quickly and effectively. You will also learn how to set up a honeypot to lure such adversaries into attacking so as to disclose their identity. Besides, you will also be able to determine why a legitimate user account gets locked out and needs unlocking or a password reset.

BACKGROUND

An Oracle database typically comes with several default accounts. Some of them are necessary for database operations. Examples of such userids are SYS and SYSTEM, which have DBA privileges. Other default accounts such as SCOTT, SH, BI, etc. are for demonstration only and are never needed by an application using that database. These accounts should not have been created in the first place. The database creation assistant (DBCA) has a checkbox to install the sample schemas (the SCOTT user), which should have been unchecked for a production database. Many DBAs, while creating the database, likely ignore it, resulting in the schema being present. In other cases, the production database may be an upgrade from its earlier incarnation as a development or QA database where these sample schemas were indeed necessary and created. With the upgrade, these schemas have lost their significance; but in the spirit of changing as little as possible during the database upgrade, they are usually left untouched and continue to linger. Whatever the reason, these default accounts leave a backdoor entry into the database. Another problem is the presence of default passwords.
In the Upcoming Issue of eForensics FREE: Smartphone Forensics & More... Available to download on August 13th

If you would like to contact the eForensics team, just send an email to en@eforensicsmag.com. We will reply a.s.a.p. eForensics Magazine has the right to change the content of the next Magazine Edition.
Now Hiring: Teamwork, Innovation, Quality, Integrity, Passion

Sense of Security: Compliance, Protection and Sense of Security

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au | www.senseofsecurity.com.au
The Only Magazine about Pentesting
200 Pages of the Best Technical Content Every Month | 8500 Readers | 4 Specialized Issues
From theory to practice, from methodologies and standards to tools and real-life solutions! PenTest gives an excellent opportunity to observe security trends on the market for the readers, and for companies to share their invaluable knowledge. To learn more visit: http://pentestmag.com/. For any questions or inquiries please mail us at: en@pentestmag.com.