I have released a new tool that can be used to verify password quality against several database engines. Make sure to check it out here.
I have released a new version of my MSSQLScan tool. It contains fixes for running out of sockets when scanning large networks with low timeouts, and re-scheduling of unsuccessful probes.
Let me know how/if it works and please send me bug reports.
I have launched a new blog with “random thoughts about random things” … The reason why I’m launching a new site when barely keeping up with this one is that I want to keep this one security oriented while keeping the new one a bit more “random”. The new blog can be found here http://patrik.cqure.net.
I’m guessing we might have two outdated blogs in a couple of weeks 🙂
I finally got around to publishing a tool, which, for a number of reasons, has not happened for quite some time now. The MSSQLScan tool scans for Microsoft SQL Server *surprise*. It does so over UDP (the SQL Server Resolution Protocol, which the Browser service answers on UDP port 1434), which means that it can either discover servers by hitting a broadcast address or by querying each host individually. This makes sure that you find all instances, including servers and named instances that no longer listen on TCP port 1433 because they have been assigned dynamic ports.
As usual you’re more than welcome to provide me with feedback, suggestions or bug reports.
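To show what such a probe actually does on the wire, here is an added example (my illustration, not code from MSSQLScan or from the original post): a minimal SQL Server Resolution Protocol client that sends the broadcast (0x02) or unicast (0x03) request to UDP 1434 and parses the SVR_RESP answer, which lists every instance together with the TCP port it really listens on. The response bytes, host name and port numbers below are constructed, not captured from a live server.

```python
import socket
import struct

# SQL Server Resolution Protocol (SSRP): every host running the SQL Server
# Browser service (or its pre-2005 equivalent) listens on UDP 1434.
SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # "every instance on every host that hears this"
CLNT_UCAST_EX = b"\x03"   # "every instance on this one host"
SVR_RESP = 0x05


def parse_svr_resp(data: bytes) -> list:
    """Parse an SSRP SVR_RESP packet into one dict per instance.

    Layout: 0x05, 16-bit little-endian body length, then ASCII key;value
    pairs separated by ';', with ';;' terminating each instance record.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue  # empty trailing record after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_endpoints(instances: list) -> list:
    """(host, instance, tcp_port) per instance; port is None if TCP is off."""
    return [
        (i.get("ServerName"), i.get("InstanceName"),
         int(i["tcp"]) if "tcp" in i else None)
        for i in instances
    ]


def discover(target: str, broadcast: bool = False, timeout: float = 2.0) -> list:
    """Send one SSRP probe and collect every answer until the timeout expires.

    With broadcast=True, target is a broadcast address and many hosts may
    answer the single datagram; otherwise one host is asked directly.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX,
                    (target, SSRP_PORT))
        found = []
        while True:
            try:
                data, _src = sock.recvfrom(65535)
            except socket.timeout:
                return found
            try:
                found.extend(parse_svr_resp(data))
            except ValueError:
                pass  # something other than SSRP answered on 1434


# Constructed sample response (not captured from a real server): a default
# instance on 1433 and a named instance on a dynamically assigned port.
_BODY = (b"ServerName;DBSRV;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;9.00.1399.06;tcp;1433;;"
         b"ServerName;DBSRV;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;9.00.3042.00;tcp;49172;"
         b"np;\\\\DBSRV\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY

if __name__ == "__main__":
    for host, inst, port in tcp_endpoints(parse_svr_resp(SAMPLE_RESPONSE)):
        print(f"{host}\\{inst}: tcp/{port}")
    # live use: discover("192.168.1.255", broadcast=True) or discover("10.0.0.5")
```

The named instance in the sample answers on 49172, not 1433, which is exactly the case a TCP-only scan of port 1433 misses. One socket per probe with a short timeout is fine for a single host; when sweeping a large range the sockets should be reused or pooled.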
I attended the T2 security conference last Friday where I presented a talk on SQL injection and out-of-band channelling. Unfortunately I wasn’t able to stay for the whole conference but the talks I attended were very good. Make sure to check it out next year. Hopefully, I will have a chance to publish my updated slides during this week.
Finally, Oracle has made changes to the way they store passwords. Oracle 11g introduces a different algorithm (salted SHA-1) and supports mixed-case passwords. This all sounds great EXCEPT that the old, weaker hash is still stored in the sys.user$ table next to the new one, so anyone who can read that table can simply attack the case-insensitive DES-based verifier and ignore the new one.
It seems as if several different people have been looking into this at more or less the same time and have documented their efforts. One of them is Pete Finnigan http://www.petefinnigan.com/weblog/archives/00001097.htm. Recurity Labs have done a more technical analysis of the 150 MB Oracle Linux binary http://www.phenoelit.net/lablog/oracle.sl and conclude their work with this excellent comment:
“And we would like to welcome Oracle Corp. in the year 2007, the century of highly advanced, mixed-case passwords. 🙂 It should be noted that Oracle, in fine tradition, makes the same mistake Microsoft did a decade ago when they put the insecure LANMAN hash next to the brand new NTLM one. The table sys.user$ still holds the case insensitive DES encrypted password version next to the new one.”
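To make the point above concrete, here is an added example (my code, not Oracle's and not from the posts linked above) that builds and checks the 11g verifier as I know it, 'S:' followed by hex(SHA-1(password || 10-byte salt)) and the hex salt, kept in the spare4 column of sys.user$, and flags accounts whose row still carries the old verifier in the password column next to it. The sample row and the placeholder 10g value are constructed, and the 10g DES algorithm itself is not reimplemented here.

```python
import hashlib
import os
from typing import Optional

SALT_LEN = 10  # 11g appends a 10-byte random salt per account


def make_11g_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Build the 11g 'S:' verifier as stored in SYS.USER$.SPARE4.

    Format: 'S:' + hex(SHA1(password || salt)) + hex(salt). The password is
    hashed exactly as typed, so case matters; the 10g verifier in the
    PASSWORD column uppercases it first, which is why it is case-insensitive.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def verify_11g(password: str, spare4: str) -> bool:
    """Check a candidate against a SPARE4 value, which may hold several
    ';'-separated entries; only the 'S:' entry is the 11g verifier."""
    for entry in spare4.split(";"):
        if entry.startswith("S:") and len(entry) == 2 + 40 + 20:
            salt = bytes.fromhex(entry[42:])
            return make_11g_verifier(password, salt) == entry
    return False


def weak_verifier_present(row: dict) -> bool:
    """True when a SYS.USER$ row still carries the 10g PASSWORD verifier
    alongside the 11g one: whoever reads the table attacks the weak one."""
    return bool(row.get("password")) and bool(row.get("spare4"))


# Query a DBA could run to list such accounts (assumes the 11g column
# names PASSWORD and SPARE4; TYPE# = 1 selects user accounts).
AUDIT_SQL = """
SELECT name FROM sys.user$
 WHERE type# = 1 AND password IS NOT NULL AND spare4 IS NOT NULL
"""

# Constructed sample row, not taken from a real database.
SAMPLE_ROW = {
    "name": "SCOTT",
    "password": "A1B2C3D4E5F60718",  # placeholder for a 10g DES verifier
    "spare4": make_11g_verifier("Tiger2007", bytes(range(10))),
}

if __name__ == "__main__":
    print(SAMPLE_ROW["spare4"])
    print("old verifier still present:", weak_verifier_present(SAMPLE_ROW))
```

verify_11g rejects a case-flipped password while the 10g verifier in the same row would accept it, which is the whole weakness: the attacker does not have to care which of the two is stronger.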
Core Security released their PSH (pass-the-hash) toolkit today. Even though the concept of passing the hash is old, few tools putting it into practice have been available to the public. A number of companies working within the security industry have had their own tools, some being more proud of them than others 😉 I myself attempted to write a generic proxy implementation of this in 2001 and published it here on cqure.net. It worked alright at the time, but has not done so for quite a while now.
In short, passing the hash lets you extract the stored password hashes from a Windows system and use those hashes, without ever knowing or cracking the password, to authenticate to other Windows systems where an account has the same password. Windows computes its authentication responses from the hash rather than from the password, so the hash is as good as the password. The risk associated with this should be obvious to most people.
Martyn Ruks’ presentation and MQ tools are now available on their website. You can get the material from here.
Even though I missed some of the great presentations at Defcon, I had a chance to see quite a few. Here is a brief summary of the most inspiring.
“MQ Jumping” by Martyn Ruks. This was a great presentation on IBM WebSphere MQ and some of its security problems. Martyn presented a number of ways to remotely own an unhardened MQ installation using some in-house developed tools. He mentioned publishing the Python classes and some sample code once he got back, so keep an eye out for that.
“HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)” by Dan Hubbard. A very entertaining talk on deploying bots in web communities to help identify and track malicious code. The audience was introduced to both passive and active bots, which were used to collect data from the environment and to alert on suspicious activity. A talk on a very interesting topic delivered by a great speaker with the right amount of humor.