SlideShare ist ein Scribd-Unternehmen logo

Oracle forensics 101

F
fangjiafu
Technologie
1 von 59
Downloaden Sie, um offline zu lesen
Oracle Forensics Alexander Kornbrust
Agenda ¡  Introduction ¡  Current Status ¡  Forensic Problems ¡  Available Tools ¡  New Approach ¡  Typical Patterns ¡  Summary
About Red-Database- Security ¡  Founded 2004 in Germany ¡  Dedicated to Oracle Security ¡  Consulting / Training / Software ¡  More than 1500 security vulnerabilities found in Oracle products ¡  More than 2000 Oracle databases audited in 2011
Introduction •  More and more databases affected by attacks •  Database forensic is still an exotic/academic topic •  No easy to use tools available. •  Collected data is difficult to analyse è This presentation will show new approaches which will make the analysis easier
Current Status – Books & Documents •  Oracle Forensics from Paul M. Wright out of stock (used copies 230 USD) , new books coming soon http://www.amazon.com/gp/product/0977671526/sr=8-2/ qid=1315500507/ref=olp_product_details? ie=UTF8&me=&qid=1315500507&sr=8-2&seller= •  Oracle Forensics Series from David Litchfield http://www.databasesecurity.com/oracle-forensics.htm •  Several smaller documents
Available Tools for Forensic •  Logminer (free, Oracle) •  Data Unloader (most commercial, e.g. qDUL from Qualea) •  Verity Data Block Examiner, cadfile, … (free, v3rity Ltd.) •  McAfee Security Scanner for Databases (commercial, Analysis)
Traces Different kind of traces could be used •  Files on OS level •  Results from OS Commands at OS level •  Volatile tables –only available if DB is up and running •  Temporary tables – content automatically by Oracle after a while •  Permanent tables
Find Traces (files) •  Listener.log •  Trace files •  Incident Response Files •  Alert.logs •  Data files •  SYSDBA Audit Logs •  Redo/Archive Logs •  Unix History Files •  …
Find Traces (Tables/Views) •  GV$* (Volatile, use GV$* instead of V$ to be Oracle cluster (RAC) compliant) •  WRH$* (Temporary) •  Audit Views •  USER$ •  MON_MOD$ (Temporary) •  COL_USAGE$ (Temporary) •  Recycle-Bin •  …
Oracle Forensic Problems •  Still requires a deep knowledge of database architecture/design •  Requires good SQL know how (Outer-Joins are mandatory in many Selects queries, e.g. join audit&user tables) •  Requires a strong knowledge of the Oracle (and the application) repository •  Requires a strong knowledge about typical database attacks (what can be found where) •  Little to less tool support
Typical Approach for DB Forensics •  Collect traces from the file system and database •  OS: copy files •  DB: spool the output from SQL statements to a spool file to preserve the evidence1 •  Copy the collected files to the examiner PC •  Analyze the collected evidence è  Difficult to analyze because the data type, format, dependencies is lost. è  Just a big text file. No query language. 1 http://www.databasesecurity.com/dbsec/LiveResponse.pdf
Current Approach Victim DB Sqlplus / as sysdba SQL> spool coll.lst SQL> SELECT LAST_ACTIVE_TIME, PARSING_USER_ID, SQL_TEXT FROM V$SQL ORDER BY LAST_ACTIVE_TIME ASC; SQL> SELECT ST.PARSING_SCHEMA_ID, TX.SQL_TEXT FROM WRH$_SQLSTAT ST, WRH$_SQLTEXT TX WHERE TX.SNAP_ID = ST.SNAP_ID; SQL> SELECT * FROM AUD$; SQL> SELECT USER_ID, SESSION_ID, SAMPLE_TIME FROM SYS.WRH $_ACTIVE_SESSION_HISTORY ; SQL> SELECT SID, USER#, USERNAME, TERMINAL, OSUSER, PROGRAM, LOGON_TIME FROM V$SESSION; SQL> SELECT USER#, NAME, ASTATUS, PASSWORD, CTIME, PTIME, LTIME FROM SYS.USER$ WHERE TYPE#=1; Examiner PC Notepad coll.lst
Advanced Approach •  Same data collection approach but use external tables instead of unstructured text files •  An Oracle external table allows to preserve the entire table data including binary data, data types, …. in a binary file è  Requires Oracle 10.2 or higher è  Analysis will be much easier è  Much faster than normal spooling è  Joins and lookups between the difference collected information is still possible by using the renamed external tables 1 http://www.databasesecurity.com/dbsec/LiveResponse.pdf
Advanced Approach 1.) Victim DB •  UNIX: •  As root:collect_unix_artifacts_as_root.sh •  As Oracle: collect_unix_artifacts_as_oracle.sh •  Oracle: •  As SYS: collect_db_artifact_as_sys.sql 2.) Transfer Data to Examiner PC (+ burn to DVD) 3.) Examiner PC * Create objects (prepare_examiner_db_case001.sql) 4.) Analyse
Advanced Approach II (Tables/Views) Victim DB CREATE TABLE forensicmat.ext_gvversion ORGANIZATION EXTERNAL( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY data_unload_dir LOCATION ( 'ext_gvversion.dmp' )) AS select * from gv$version; Examiner PC CREATE TABLE "EXT_GVVERSION” ("INST_ID" NUMBER, "BANNER" VARCHAR2(80)) ORGANIZATION EXTERNAL ( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY for_ora_ext_tables1 LOCATION ( 'ext_gvversion.dmp’ ) );
Advanced Approach (OS Commands) Victim DB ls -laR --full-time $ORACLE_HOME | tee -a >$FORDIR/ oracle/commands/all_files.txt Examiner PC CREATE TABLE ext_all_files (file_mode varchar2(11), num_of_links number, owner_name varchar2(32), group_name varchar2(32), bytes number, file_last_mod_date varchar2(10), file_last_mod_time varchar2(20), gmt varchar2(6), filename varchar2(256) ) ORGANIZATION EXTERNAL ( TYPE oracle_loader DEFAULT DIRECTORY for_ora_commands1 ACCESS PARAMETERS (RECORDS DELIMITED BY NEWLINE FIELDS TERMINATED BY ' ' MISSING FIELD VALUES ARE NULL ) LOCATION ('all_files.txt') ) PARALLEL 5 REJECT LIMIT UNLIMITED;
Advanced Approach (OS Files) Victim DB cp -p -v /etc/passwd $FORDIR/unix/files/passwd.txt Examiner PC CREATE TABLE ext_etc_passwd (username varchar2(32), shadow varchar2(32), userid number, groupid number, usercomment varchar2(128), shell varchar2(128) ) ORGANIZATION EXTERNAL ( TYPE oracle_loader DEFAULT DIRECTORY for_unix_files1 ACCESS PARAMETERS (RECORDS DELIMITED BY NEWLINE FIELDS TERMINATED BY ':' MISSING FIELD VALUES ARE NULL ) LOCATION ('passwd.txt') ) PARALLEL 5 REJECT LIMIT UNLIMITED;
Timeline Creation ¡  A timeline can be helpful during the analysis of forensic data ¡  Data from different source is displayed together ¡  Easy to implement
Timeline Creation ¡  Every information with a timestamp (e.g. User locking) will be a separate row and unified with the UNION command ¡  SYS.USER$ contains different timestamps ¡  CTIME – User created ¡  PTIME – Password changed ¡  LTIME – User locked ¡  A single row in SYS.USER$ will become 3 lines in the timeline table/view ¡  Additional information must be added from different tables/view (e.g. DB startup, auditing, ...)
Timeline Creation select 0 as inst_id, 'DBA' as dstype, 'DBA_USERS' as datasource, created as timest, 'User Created' as activity, 'CREATED' as timestamp_name,username as detail1, username as username, null as serial#, null as session_id from ext_dba_users union all select 0 as inst_id, 'DBA' as dstype,'DBA_USERS' as datasource, lock_date as timest, 'User Locked' as activity, 'LOCK_DATE' as timestamp_name,username as detail1, username as username, null as serial#, null as session_id from ext_dba_users where lock_date is not null union all select 0 as inst_id, 'DBA' as dstype,'DBA_OBJECTS' as datasource, created as timest, 'Table Created' as activity, 'CREATED' as timestamp_name,owner||'.'|| object_name as detail1, owner as username, null as serial#, null as session_id from ext_dba_objects where object_type='TABLE‘ union all select 0 as inst_id, 'DBA' as dstype,'DBA_OBJECTS' as datasource, created as timest, 'View Created' as activity, 'CREATED' as timestamp_name,owner||'.'|| object_name as detail1, owner as username, null as serial#, null as session_id from ext_dba_objects where object_type='VIEW‘ ...
Timeline Demo - Forensic
Timeline
Timeline
Timeline
Typical Tables and Pattern •  The following slides contain typical database objects (like sys.user$) and common attack traces which can be found in these objects. •  Data from audit.logs (disabled in most cases in the real world) is not covered in this presentation •  Files (like listener.log) are skipped to save some time.
Tables ¡  Audit-Tables / Audit-Logs ¡  sys.user$ ¡  sys.wrh$_active_session_history ¡  sys.wrh$_sqltext ¡  sys.mon_mods$
Tables – sys.user$ ¡  Interesting Columns ¡  lcount ¡  Number of invalid login attempts ¡  Resetted after successful login ¡  Maximum number dependent from the profile setting ¡  ltime (Lock-Time) ¡  Lock time of the account
Tables – sys.user$ ¡  Typical attack patterns - lcount ¡  Multiple accounts have a lcount > 0 è Someone tries to guess user accounts without locking them ¡  Agent Accounts (e.g. Tivoli) have an lcount> 0 & lcount < max from Profile è Someone tries to guess the password of an agent account. Lcount of agent accounts is normally 0 or max Profile ¡  Big lcount value (e.g. 30.000) è Bruteforce attack using a tool or someone forgot to change the client side password of an agent.
Tables – sys.user$ ¡  Typical attack patterns- ltime ¡  Multiple accounts with similar ltime è Someone tried to guess user accounts but the accounts were locked.
Tables – sys.wrh$_ active_session_history ¡  Interesting Columns ¡  program ¡  Used Program ¡  Module ¡  Used module name ¡  Machine (since 11.2) ¡  What user was coming from what machine è Important for password changes ¡  Warning!. The data from sys.wrh $active_session_history is not always reliable. Sometimes 0 (=SYS) is used even if the connect was not done by SYS.
Tables – sys.wrh$_ active_session_history ¡  Typical attack patterns ¡  Program ¡  Unwanted/unauthorized programs ¡  Export utilities ¡  Module ¡  Program and Module do not match (e.g. oracle.exe & „TOAD 10.3.0.1“ è renamed tool to bypass login trigger ¡  Machine ¡  Login from unusual machine ¡  Combination User & Machine
Tables – sys.wrh$_ active_session_history (11.2) select program, username, machine, count(*) as cnt from sys.wrh$_active_session_history w, dba_users d where w.user_id=d.user_id (+) and (lower(program) not like '%oracle%(%)%') group by program, username, machine
Tables – sys.wrh$_ active_session_history select program, username, count(*) as cnt from sys.wrh$_active_session_history w, dba_users d where w.user_id=d.user_id (+) and (lower(program) not like '%oracle%(%)%') group by program, username
Tables – sys.wrh$_sqltext ¡  Interesting Columns ¡  sqltext ¡  SQL Statement of a user session
Tables – sys.wrh$_sqltext ¡  Typical attack patterns ¡  sqltext ¡  Suspicious SQL statements (Insert/Update/Delete/ Select)
Tables – sys.mon_mods$ ¡  Interesting Columns ¡  Inserts ¡  Updates ¡  Deletes
Tables – sys.mon_mods$ ¡  Typical attack patterns ¡  obj# ¡  Suspicious Statements (Insert/Update/Delete/Select) ¡  Inserts ¡  Insert in critical tables (Privileges, ...) ¡  Updates ¡  Update of log entries (e.g. AUD$, custom Log- Tables, ...) ¡  Update of critical data ¡  High value of update values on SYS.USER$ can be an indication of brute force attacks (high lcount value) ¡  Deletes ¡  Delete of log entries (e.g. AUD$, custom Log- Tables, ...)
Tables – sys.mon_mods$ select u.name as owner,o.name as table_name, m.inserts, m.updates, m.deletes, m.timestamp from sys.mon_mods$ m, sys.user$ u, sys.obj$ o where o.obj#=m.obj# and u.user#=o.owner#
Database Blocks ¡  Contain data from tables ¡  Contain deleted/updated data as well
Database Blocks SQL> conn sig/sig Connected. SQL> create table password (name varchar2(20), password varchar2(20)); Table created. SQL> insert into password values ('Alex','Supersecret1'); 1 row created. SQL> insert into password values ('Anna','Password1'); 1 row created. SQL> insert into password values ('Anton','Pr0d@adm1n'); 1 row created. SQL> commit; Commit complete.
Database Blocks SQL> select distinct dbms_rowid.rowid_block_number(rowid) from password; DBMS_ROWID.ROWID_BLOCK_NUMBER(ROWID) ------------------------------------ 57170 SQL> select tablespace_name from user_segments where segment_name in ('PASSWORD' ); TABLESPACE_NAME ------------------------------ SYSTEM SQL> select file_id from dba_data_files where tablespace_name='SYSTEM'; FILE_ID ---------- 1 9 SQL> alter system dump datafile 1 block 57170; System altered.
Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 C0000201 8D000DA3 [7r4pw...........] 4715190 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151A0 70347237 03C10277 C0000201 8C000DA3 [7r4pw...........] 47151B0 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151C0 02012C37 746E4105 500A6E6F 40643072 [7,...Anton.Pr0d@] 47151D0 316D6461 02012C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040201 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B0FF0601 [Supersecret1....]
Database Blocks SQL> update password set password='HappyHacker' where name='Anna'; 1 row updated. SQL> commit; Commit complete. SQL> alter system dump datafile 1 block 57170; System altered.
Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 C0000201 8D000DA3 [7r4pw...........] 4715190 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151A0 70347237 03C10277 C0000201 02022CA3 [7r4pw........,..] 47151B0 6E6E4104 61480B61 48797070 656B6361 [.Anna.HappyHacke] 47151C0 02002C72 746E4105 500A6E6F 40643072 [r,...Anton.Pr0d@] 47151D0 316D6461 02022C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040200 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B1EB0603 [Supersecret1....]
Database Blocks (Anonymisation) SQL> update password set password='xxx' ; 3 rows updated. SQL> commit; Commit complete. SQL> alter system dump datafile 1 block 57170; System altered.
Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 0502012C 6F746E41 [7r4pw...,...Anto] 4715190 7878036E 02012C78 6E6E4104 78780361 [n.xxx,...Anna.xx] 47151A0 02012C78 656C4104 78780378 02012C78 [x,...Alex.xxx,..] 47151B0 6E6E4104 61480B61 48797070 656B6361 [.Anna.HappyHacke] 47151C0 02012C72 746E4105 500A6E6F 40643072 [r,...Anton.Pr0d@] 47151D0 316D6461 02022C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040201 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B2230607 [Supersecret1..#.]
Pattern – Privilege Escalation •  Privilege escalation often uses stored procedures as helper function for privilege escalation •  Additional entries in DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_SYS_PRIVS •  Probably deleted entries in SYS.SYSAUTH$ / SYS.OBJAUTH$ / (visible in data blocks)
Pattern – Run OS Commands •  DBA_EXTERNAL_TABLES: External Table with preprocessor (column ACCESS_PARAMETERS) •  DBA_JAVA_POLICY: new entries •  DBA_LIBRARIES: new entries •  CTXSYS.CTX_PREFERENCE_VALUES: Oracle Text user filter , e.g. PRV_ATTRIBUTE=oratclsh.exe
Pattern – Backdoors •  Various places depending from the used backdoor •  SYS.USER$ •  Oracle Password File •  Logon trigger •  Privileges (e.g. grant execute on SYS.DBMS_STREAMS_RPC to public) •  ...
Pattern – Manipulated Audit/ Log Tables •  Update Log data: Modified ora_rowscn •  Delete Log data: Gaps in rowid •  Entries in SYS.MON_MODS$
Pattern – Data Export •  Attackers often export the database (or parts of it) using the official export utilities. •  These traces can be easily found in the •  Listener.log •  sys.wrh$_ active_session_history (requires special license)
Pattern – oradebug •  Details of this attacks will be shown by Laszlo Toth talk “Almost invisible cloak in Oracle databases” at Hacktivity (15:10-15:55) •  Oradebug commands are recorded in the trace files and sometimes incident response files (if oradebug causes an Oracle error (e.g. ORA-07445)) •  Tracefiles can easily be removed on OS level
Summary •  More convenient tools for databases forensics needed to allow non-databases (security) experts to find traces. •  Atomization for multiple databases needed •  Top down approaches are often easier to understand than bottom up approaches
Thank you ¡  Contact: Red-Database-Security GmbH Bliesstr. 16 D-.66538 Neunkirchen Germany

Empfohlen

Brief introduction of Slick
Brief introduction of SlickBrief introduction of Slick
Brief introduction of SlickKnoldus Inc.
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteDEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteFelipe Prado
 
Persistences
PersistencesPersistences
PersistencesTraining Guide
 
Sql lite android
Sql lite androidSql lite android
Sql lite androidDushyant Nasit
 
Android datastorage
Android datastorageAndroid datastorage
Android datastorageKrazy Koder
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Android Data Storagefinal
Android Data StoragefinalAndroid Data Storagefinal
Android Data StoragefinalNakka Srilakshmi
 
Information Retrieval - Data Science Bootcamp
Information Retrieval - Data Science BootcampInformation Retrieval - Data Science Bootcamp
Information Retrieval - Data Science BootcampKais Hassan, PhD
 

Empfohlen

Brief introduction of Slick
Brief introduction of SlickBrief introduction of Slick
Brief introduction of SlickKnoldus Inc.
 
DEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteDEF CON 27 -OMER GULL - select code execution from using sq lite
DEF CON 27 -OMER GULL - select code execution from using sq liteFelipe Prado
 
Persistences
PersistencesPersistences
PersistencesTraining Guide
 
Sql lite android
Sql lite androidSql lite android
Sql lite androidDushyant Nasit
 
Android datastorage
Android datastorageAndroid datastorage
Android datastorageKrazy Koder
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Android Data Storagefinal
Android Data StoragefinalAndroid Data Storagefinal
Android Data StoragefinalNakka Srilakshmi
 
Information Retrieval - Data Science Bootcamp
Information Retrieval - Data Science BootcampInformation Retrieval - Data Science Bootcamp
Information Retrieval - Data Science BootcampKais Hassan, PhD
 
Android - Data Storage
Android - Data StorageAndroid - Data Storage
Android - Data StorageMingHo Chang
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
Schemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST APISchemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST APIlucenerevolution
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UNSolr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UNLucidworks
 
Web scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabsWeb scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabszekeLabs Technologies
 
Tthornton code4lib
Tthornton code4libTthornton code4lib
Tthornton code4libtrevorthornton
 
Validating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentationValidating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentationDave Stokes
 
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaCassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaDuyhai Doan
 
Cassandra Drivers and Tools
Cassandra Drivers and ToolsCassandra Drivers and Tools
Cassandra Drivers and ToolsDuyhai Doan
 
Cassandra drivers and libraries
Cassandra drivers and librariesCassandra drivers and libraries
Cassandra drivers and librariesDuyhai Doan
 
09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WP09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WPNguyen Tuan
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
Rapid Prototyping with Solr
Rapid Prototyping with SolrRapid Prototyping with Solr
Rapid Prototyping with SolrErik Hatcher
 
Beyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and SolrBeyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and SolrBertrand Delacretaz
 
Mutexes 2
Mutexes 2Mutexes 2
Mutexes 2Narendranath Reddy T
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)Oum Saokosal
 
Faster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache SolrFaster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache SolrChitturi Kiran
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache SolrChristos Manios
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Android - Data Storage
Android - Data StorageAndroid - Data Storage
Android - Data StorageMingHo Chang
 
Schemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST APISchemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST APIlucenerevolution
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UNSolr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UNLucidworks
 
Web scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabsWeb scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabszekeLabs Technologies
 
Validating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentationValidating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentationDave Stokes
 
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaCassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaDuyhai Doan
 
Cassandra Drivers and Tools
Cassandra Drivers and ToolsCassandra Drivers and Tools
Cassandra Drivers and ToolsDuyhai Doan
 
Cassandra drivers and libraries
Cassandra drivers and librariesCassandra drivers and libraries
Cassandra drivers and librariesDuyhai Doan
 
09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WP09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WPNguyen Tuan
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersJonathan Levin
 
Rapid Prototyping with Solr
Rapid Prototyping with SolrRapid Prototyping with Solr
Rapid Prototyping with SolrErik Hatcher
 
Beyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and SolrBeyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and SolrBertrand Delacretaz
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
 
09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)Oum Saokosal
 
Faster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache SolrFaster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache SolrChitturi Kiran
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache SolrChristos Manios
 

Was ist angesagt? (20)

Android - Data Storage
Android - Data StorageAndroid - Data Storage
Android - Data Storage
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Schemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST APISchemaless Solr and the Solr Schema REST API
Schemaless Solr and the Solr Schema REST API
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android
 
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UNSolr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
Solr vs. Elasticsearch, Case by Case: Presented by Alexandre Rafalovitch, UN
 
Web scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabsWeb scraping using scrapy - zekeLabs
Web scraping using scrapy - zekeLabs
 
Tthornton code4lib
Tthornton code4libTthornton code4lib
Tthornton code4lib
 
Validating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentationValidating JSON -- Percona Live 2021 presentation
Validating JSON -- Percona Live 2021 presentation
 
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaCassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
 
Cassandra Drivers and Tools
Cassandra Drivers and ToolsCassandra Drivers and Tools
Cassandra Drivers and Tools
 
Cassandra drivers and libraries
Cassandra drivers and librariesCassandra drivers and libraries
Cassandra drivers and libraries
 
09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WP09.Local Database Files and Storage on WP
09.Local Database Files and Storage on WP
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
Rapid Prototyping with Solr
Rapid Prototyping with SolrRapid Prototyping with Solr
Rapid Prototyping with Solr
 
Beyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and SolrBeyond full-text searches with Lucene and Solr
Beyond full-text searches with Lucene and Solr
 
Mutexes 2
Mutexes 2Mutexes 2
Mutexes 2
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)09.1. Android - Local Database (Sqlite)
09.1. Android - Local Database (Sqlite)
 
Faster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache SolrFaster Data Analytics with Apache Spark using Apache Solr
Faster Data Analytics with Apache Spark using Apache Solr
 
Introduction to Apache Solr
Introduction to Apache SolrIntroduction to Apache Solr
Introduction to Apache Solr
 

Andere mochten auch

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011fangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2Nikos
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 

Andere mochten auch (8)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 

Ähnlich wie Oracle forensics 101

How ElasticSearch lives in my DevOps life
How ElasticSearch lives in my DevOps lifeHow ElasticSearch lives in my DevOps life
How ElasticSearch lives in my DevOps life琛琳 饶
 
AWR, ADDM, ASH, Metrics and Advisors.ppt
AWR, ADDM, ASH, Metrics and Advisors.pptAWR, ADDM, ASH, Metrics and Advisors.ppt
AWR, ADDM, ASH, Metrics and Advisors.pptbugzbinny
 
Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)DCIT, a.s.
 
24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAsKellyn Pot'Vin-Gorman
 
Kåre Rude Andersen - Be a hero – optimize scom and present your services
Kåre Rude Andersen - Be a hero – optimize scom and present your servicesKåre Rude Andersen - Be a hero – optimize scom and present your services
Kåre Rude Andersen - Be a hero – optimize scom and present your servicesNordic Infrastructure Conference
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionChema Alonso
 
Python and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementPython and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementLaurent Leturgez
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2PoguttuezhiniVP
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesYourHelper1
 
SplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunk
 
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael Hausenblas
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael HausenblasBerlin Buzz Words - Apache Drill by Ted Dunning & Michael Hausenblas
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael HausenblasMapR Technologies
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
Rapid Prototyping with Solr
Rapid Prototyping with SolrRapid Prototyping with Solr
Rapid Prototyping with SolrErik Hatcher
 
Let your DBAs get some REST(api)
Let your DBAs get some REST(api)Let your DBAs get some REST(api)
Let your DBAs get some REST(api)Ludovico Caldara
 
Privilege Escalation with Metasploit
Privilege Escalation with MetasploitPrivilege Escalation with Metasploit
Privilege Escalation with Metasploitegypt
 

Ähnlich wie Oracle forensics 101 (20)

#WeSpeakLinux Session
#WeSpeakLinux Session#WeSpeakLinux Session
#WeSpeakLinux Session
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
How ElasticSearch lives in my DevOps life
How ElasticSearch lives in my DevOps lifeHow ElasticSearch lives in my DevOps life
How ElasticSearch lives in my DevOps life
 
AWR, ADDM, ASH, Metrics and Advisors.ppt
AWR, ADDM, ASH, Metrics and Advisors.pptAWR, ADDM, ASH, Metrics and Advisors.ppt
AWR, ADDM, ASH, Metrics and Advisors.ppt
 
Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)Auditing security of Oracle DB (Karel Miko)
Auditing security of Oracle DB (Karel Miko)
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
 
24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs
 
Kåre Rude Andersen - Be a hero – optimize scom and present your services
Kåre Rude Andersen - Be a hero – optimize scom and present your servicesKåre Rude Andersen - Be a hero – optimize scom and present your services
Kåre Rude Andersen - Be a hero – optimize scom and present your services
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL InjectionShmooCON 2009 : Re-playing with (Blind) SQL Injection
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
 
Python and Oracle : allies for best of data management
Python and Oracle : allies for best of data managementPython and Oracle : allies for best of data management
Python and Oracle : allies for best of data management
 
Oracle Tracing
Oracle TracingOracle Tracing
Oracle Tracing
 
Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2Postgresql Database Administration Basic - Day2
Postgresql Database Administration Basic - Day2
 
Char Drivers And Debugging Techniques
Char Drivers And Debugging TechniquesChar Drivers And Debugging Techniques
Char Drivers And Debugging Techniques
 
Local Storage
Local StorageLocal Storage
Local Storage
 
SplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with SplunkSplunkLive! - Getting started with Splunk
SplunkLive! - Getting started with Splunk
 
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael Hausenblas
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael HausenblasBerlin Buzz Words - Apache Drill by Ted Dunning & Michael Hausenblas
Berlin Buzz Words - Apache Drill by Ted Dunning & Michael Hausenblas
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
Rapid Prototyping with Solr
Rapid Prototyping with SolrRapid Prototyping with Solr
Rapid Prototyping with Solr
 
Let your DBAs get some REST(api)
Let your DBAs get some REST(api)Let your DBAs get some REST(api)
Let your DBAs get some REST(api)
 
Privilege Escalation with Metasploit
Privilege Escalation with MetasploitPrivilege Escalation with Metasploit
Privilege Escalation with Metasploit
 

Mehr von fangjiafu

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 
Network security
Network securityNetwork security
Network securityfangjiafu
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing securityfangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosfangjiafu
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readmefangjiafu
 

Mehr von fangjiafu (20)

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 
Network security
Network securityNetwork security
Network security
 
Ids
IdsIds
Ids
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readme
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

Oracle forensics 101

  • 2. Agenda ¡  Introduction ¡  Current Status ¡  Forensic Problems ¡  Available Tools ¡  New Approach ¡  Typical Patterns ¡  Summary
  • 3. About Red-Database- Security ¡  Founded 2004 in Germany ¡  Dedicated to Oracle Security ¡  Consulting / Training / Software ¡  More than 1500 security vulnerabilities found in Oracle products ¡  More than 2000 Oracle databases audited in 2011
  • 4. Introduction •  More and more databases affected by attacks •  Database forensic is still an exotic/academic topic •  No easy to use tools available. •  Collected data is difficult to analyse è This presentation will show new approaches which will make the analysis easier
  • 5. Current Status – Books & Documents •  Oracle Forensics from Paul M. Wright out of stock (used copies 230 USD) , new books coming soon http://www.amazon.com/gp/product/0977671526/sr=8-2/ qid=1315500507/ref=olp_product_details? ie=UTF8&me=&qid=1315500507&sr=8-2&seller= •  Oracle Forensics Series from David Litchfield http://www.databasesecurity.com/oracle-forensics.htm •  Several smaller documents
  • 6. Available Tools for Forensic •  Logminer (free, Oracle) •  Data Unloader (most commercial, e.g. qDUL from Qualea) •  Verity Data Block Examiner, cadfile, … (free, v3rity Ltd.) •  McAfee Security Scanner for Databases (commercial, Analysis)
  • 7. Traces Different kind of traces could be used •  Files on OS level •  Results from OS Commands at OS level •  Volatile tables –only available if DB is up and running •  Temporary tables – content automatically by Oracle after a while •  Permanent tables
  • 8. Find Traces (files) •  Listener.log •  Trace files •  Incident Response Files •  Alert.logs •  Data files •  SYSDBA Audit Logs •  Redo/Archive Logs •  Unix History Files •  …
  • 9. Find Traces (Tables/Views) •  GV$* (Volatile, use GV$* instead of V$ to be Oracle cluster (RAC) compliant) •  WRH$* (Temporary) •  Audit Views •  USER$ •  MON_MOD$ (Temporary) •  COL_USAGE$ (Temporary) •  Recycle-Bin •  …
  • 10. Oracle Forensic Problems •  Still requires a deep knowledge of database architecture/design •  Requires good SQL know how (Outer-Joins are mandatory in many Selects queries, e.g. join audit&user tables) •  Requires a strong knowledge of the Oracle (and the application) repository •  Requires a strong knowledge about typical database attacks (what can be found where) •  Little to less tool support
  • 11. Typical Approach for DB Forensics •  Collect traces from the file system and database •  OS: copy files •  DB: spool the output from SQL statements to a spool file to preserve the evidence1 •  Copy the collected files to the examiner PC •  Analyze the collected evidence è  Difficult to analyze because the data type, format, dependencies is lost. è  Just a big text file. No query language. 1 http://www.databasesecurity.com/dbsec/LiveResponse.pdf
  • 12. Current Approach Victim DB Sqlplus / as sysdba SQL> spool coll.lst SQL> SELECT LAST_ACTIVE_TIME, PARSING_USER_ID, SQL_TEXT FROM V$SQL ORDER BY LAST_ACTIVE_TIME ASC; SQL> SELECT ST.PARSING_SCHEMA_ID, TX.SQL_TEXT FROM WRH$_SQLSTAT ST, WRH$_SQLTEXT TX WHERE TX.SNAP_ID = ST.SNAP_ID; SQL> SELECT * FROM AUD$; SQL> SELECT USER_ID, SESSION_ID, SAMPLE_TIME FROM SYS.WRH $_ACTIVE_SESSION_HISTORY ; SQL> SELECT SID, USER#, USERNAME, TERMINAL, OSUSER, PROGRAM, LOGON_TIME FROM V$SESSION; SQL> SELECT USER#, NAME, ASTATUS, PASSWORD, CTIME, PTIME, LTIME FROM SYS.USER$ WHERE TYPE#=1; Examiner PC Notepad coll.lst
  • 13.
  • 14. Advanced Approach •  Same data collection approach but use external tables instead of unstructured text files •  An Oracle external table allows to preserve the entire table data including binary data, data types, …. in a binary file è  Requires Oracle 10.2 or higher è  Analysis will be much easier è  Much faster than normal spooling è  Joins and lookups between the difference collected information is still possible by using the renamed external tables 1 http://www.databasesecurity.com/dbsec/LiveResponse.pdf
  • 15. Advanced Approach 1.) Victim DB •  UNIX: •  As root:collect_unix_artifacts_as_root.sh •  As Oracle: collect_unix_artifacts_as_oracle.sh •  Oracle: •  As SYS: collect_db_artifact_as_sys.sql 2.) Transfer Data to Examiner PC (+ burn to DVD) 3.) Examiner PC * Create objects (prepare_examiner_db_case001.sql) 4.) Analyse
  • 16. Advanced Approach II (Tables/Views) Victim DB CREATE TABLE forensicmat.ext_gvversion ORGANIZATION EXTERNAL( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY data_unload_dir LOCATION ( 'ext_gvversion.dmp' )) AS select * from gv$version; Examiner PC CREATE TABLE "EXT_GVVERSION” ("INST_ID" NUMBER, "BANNER" VARCHAR2(80)) ORGANIZATION EXTERNAL ( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY for_ora_ext_tables1 LOCATION ( 'ext_gvversion.dmp’ ) );
  • 17.
  • 18. Advanced Approach (OS Commands) Victim DB ls -laR --full-time $ORACLE_HOME | tee -a >$FORDIR/ oracle/commands/all_files.txt Examiner PC CREATE TABLE ext_all_files (file_mode varchar2(11), num_of_links number, owner_name varchar2(32), group_name varchar2(32), bytes number, file_last_mod_date varchar2(10), file_last_mod_time varchar2(20), gmt varchar2(6), filename varchar2(256) ) ORGANIZATION EXTERNAL ( TYPE oracle_loader DEFAULT DIRECTORY for_ora_commands1 ACCESS PARAMETERS (RECORDS DELIMITED BY NEWLINE FIELDS TERMINATED BY ' ' MISSING FIELD VALUES ARE NULL ) LOCATION ('all_files.txt') ) PARALLEL 5 REJECT LIMIT UNLIMITED;
  • 19.
  • 20.
  • 21. Advanced Approach (OS Files) Victim DB cp -p -v /etc/passwd $FORDIR/unix/files/passwd.txt Examiner PC CREATE TABLE ext_etc_passwd (username varchar2(32), shadow varchar2(32), userid number, groupid number, usercomment varchar2(128), shell varchar2(128) ) ORGANIZATION EXTERNAL ( TYPE oracle_loader DEFAULT DIRECTORY for_unix_files1 ACCESS PARAMETERS (RECORDS DELIMITED BY NEWLINE FIELDS TERMINATED BY ':' MISSING FIELD VALUES ARE NULL ) LOCATION ('passwd.txt') ) PARALLEL 5 REJECT LIMIT UNLIMITED;
  • 22.
  • 23. Timeline Creation ¡  A timeline can be helpful during the analysis of forensic data ¡  Data from different source is displayed together ¡  Easy to implement
  • 24. Timeline Creation ¡  Every information with a timestamp (e.g. User locking) will be a separate row and unified with the UNION command ¡  SYS.USER$ contains different timestamps ¡  CTIME – User created ¡  PTIME – Password changed ¡  LTIME – User locked ¡  A single row in SYS.USER$ will become 3 lines in the timeline table/view ¡  Additional information must be added from different tables/view (e.g. DB startup, auditing, ...)
  • 25. Timeline Creation select 0 as inst_id, 'DBA' as dstype, 'DBA_USERS' as datasource, created as timest, 'User Created' as activity, 'CREATED' as timestamp_name,username as detail1, username as username, null as serial#, null as session_id from ext_dba_users union all select 0 as inst_id, 'DBA' as dstype,'DBA_USERS' as datasource, lock_date as timest, 'User Locked' as activity, 'LOCK_DATE' as timestamp_name,username as detail1, username as username, null as serial#, null as session_id from ext_dba_users where lock_date is not null union all select 0 as inst_id, 'DBA' as dstype,'DBA_OBJECTS' as datasource, created as timest, 'Table Created' as activity, 'CREATED' as timestamp_name,owner||'.'|| object_name as detail1, owner as username, null as serial#, null as session_id from ext_dba_objects where object_type='TABLE‘ union all select 0 as inst_id, 'DBA' as dstype,'DBA_OBJECTS' as datasource, created as timest, 'View Created' as activity, 'CREATED' as timestamp_name,owner||'.'|| object_name as detail1, owner as username, null as serial#, null as session_id from ext_dba_objects where object_type='VIEW‘ ...
  • 30. Typical Tables and Pattern •  The following slides contain typical database objects (like sys.user$) and common attack traces which can be found in these objects. •  Data from audit.logs (disabled in most cases in the real world) is not covered in this presentation •  Files (like listener.log) are skipped to save some time.
  • 31. Tables ¡  Audit-Tables / Audit-Logs ¡  sys.user$ ¡  sys.wrh$_active_session_history ¡  sys.wrh$_sqltext ¡  sys.mon_mods$
  • 32. Tables – sys.user$ ¡  Interesting Columns ¡  lcount ¡  Number of invalid login attempts ¡  Resetted after successful login ¡  Maximum number dependent from the profile setting ¡  ltime (Lock-Time) ¡  Lock time of the account
  • 33. Tables – sys.user$ ¡  Typical attack patterns - lcount ¡  Multiple accounts have a lcount > 0 è Someone tries to guess user accounts without locking them ¡  Agent Accounts (e.g. Tivoli) have an lcount> 0 & lcount < max from Profile è Someone tries to guess the password of an agent account. Lcount of agent accounts is normally 0 or max Profile ¡  Big lcount value (e.g. 30.000) è Bruteforce attack using a tool or someone forgot to change the client side password of an agent.
  • 34. Tables – sys.user$ ¡  Typical attack patterns- ltime ¡  Multiple accounts with similar ltime è Someone tried to guess user accounts but the accounts were locked.
  • 35. Tables – sys.wrh$_ active_session_history ¡  Interesting Columns ¡  program ¡  Used Program ¡  Module ¡  Used module name ¡  Machine (since 11.2) ¡  What user was coming from what machine è Important for password changes ¡  Warning!. The data from sys.wrh $active_session_history is not always reliable. Sometimes 0 (=SYS) is used even if the connect was not done by SYS.
  • 36. Tables – sys.wrh$_ active_session_history ¡  Typical attack patterns ¡  Program ¡  Unwanted/unauthorized programs ¡  Export utilities ¡  Module ¡  Program and Module do not match (e.g. oracle.exe & „TOAD 10.3.0.1“ è renamed tool to bypass login trigger ¡  Machine ¡  Login from unusual machine ¡  Combination User & Machine
  • 37. Tables – sys.wrh$_ active_session_history (11.2) select program, username, machine, count(*) as cnt from sys.wrh$_active_session_history w, dba_users d where w.user_id=d.user_id (+) and (lower(program) not like '%oracle%(%)%') group by program, username, machine
  • 38. Tables – sys.wrh$_ active_session_history select program, username, count(*) as cnt from sys.wrh$_active_session_history w, dba_users d where w.user_id=d.user_id (+) and (lower(program) not like '%oracle%(%)%') group by program, username
  • 39. Tables – sys.wrh$_sqltext ¡  Interesting Columns ¡  sqltext ¡  SQL Statement of a user session
  • 40. Tables – sys.wrh$_sqltext ¡  Typical attack patterns ¡  sqltext ¡  Suspicious SQL statements (Insert/Update/Delete/ Select)
  • 41. Tables – sys.mon_mods$ ¡  Interesting Columns ¡  Inserts ¡  Updates ¡  Deletes
  • 42. Tables – sys.mon_mods$ ¡  Typical attack patterns ¡  obj# ¡  Suspicious Statements (Insert/Update/Delete/Select) ¡  Inserts ¡  Insert in critical tables (Privileges, ...) ¡  Updates ¡  Update of log entries (e.g. AUD$, custom Log- Tables, ...) ¡  Update of critical data ¡  High value of update values on SYS.USER$ can be an indication of brute force attacks (high lcount value) ¡  Deletes ¡  Delete of log entries (e.g. AUD$, custom Log- Tables, ...)
  • 43. Tables – sys.mon_mods$ select u.name as owner,o.name as table_name, m.inserts, m.updates, m.deletes, m.timestamp from sys.mon_mods$ m, sys.user$ u, sys.obj$ o where o.obj#=m.obj# and u.user#=o.owner#
  • 44. Database Blocks ¡  Contain data from tables ¡  Contain deleted/updated data as well
  • 45. Database Blocks SQL> conn sig/sig Connected. SQL> create table password (name varchar2(20), password varchar2(20)); Table created. SQL> insert into password values ('Alex','Supersecret1'); 1 row created. SQL> insert into password values ('Anna','Password1'); 1 row created. SQL> insert into password values ('Anton','Pr0d@adm1n'); 1 row created. SQL> commit; Commit complete.
  • 46. Database Blocks SQL> select distinct dbms_rowid.rowid_block_number(rowid) from password; DBMS_ROWID.ROWID_BLOCK_NUMBER(ROWID) ------------------------------------ 57170 SQL> select tablespace_name from user_segments where segment_name in ('PASSWORD' ); TABLESPACE_NAME ------------------------------ SYSTEM SQL> select file_id from dba_data_files where tablespace_name='SYSTEM'; FILE_ID ---------- 1 9 SQL> alter system dump datafile 1 block 57170; System altered.
  • 47. Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 C0000201 8D000DA3 [7r4pw...........] 4715190 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151A0 70347237 03C10277 C0000201 8C000DA3 [7r4pw...........] 47151B0 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151C0 02012C37 746E4105 500A6E6F 40643072 [7,...Anton.Pr0d@] 47151D0 316D6461 02012C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040201 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B0FF0601 [Supersecret1....]
  • 48. Database Blocks SQL> update password set password='HappyHacker' where name='Anna'; 1 row updated. SQL> commit; Commit complete. SQL> alter system dump datafile 1 block 57170; System altered.
  • 49. Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 C0000201 8D000DA3 [7r4pw...........] 4715190 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 47151A0 70347237 03C10277 C0000201 02022CA3 [7r4pw........,..] 47151B0 6E6E4104 61480B61 48797070 656B6361 [.Anna.HappyHacke] 47151C0 02002C72 746E4105 500A6E6F 40643072 [r,...Anton.Pr0d@] 47151D0 316D6461 02022C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040200 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B1EB0603 [Supersecret1....]
  • 50. Database Blocks (Anonymisation) SQL> update password set password='xxx' ; 3 rows updated. SQL> commit; Commit complete. SQL> alter system dump datafile 1 block 57170; System altered.
  • 51. Database Blocks 4715170 4B1AC506 0D481B50 6D6B3234 68776477 [...KP.H.42kmwdwh] 4715180 70347237 04C10277 0502012C 6F746E41 [7r4pw...,...Anto] 4715190 7878036E 02012C78 6E6E4104 78780361 [n.xxx,...Anna.xx] 47151A0 02012C78 656C4104 78780378 02012C78 [x,...Alex.xxx,..] 47151B0 6E6E4104 61480B61 48797070 656B6361 [.Anna.HappyHacke] 47151C0 02012C72 746E4105 500A6E6F 40643072 [r,...Anton.Pr0d@] 47151D0 316D6461 02022C6E 6E6E4104 61500961 [adm1n,...Anna.Pa] 47151E0 6F777373 2C316472 41040201 0C78656C [ssword1,...Alex.] 47151F0 65707553 63657372 31746572 B2230607 [Supersecret1..#.]
  • 52. Pattern – Privilege Escalation •  Privilege escalation often uses stored procedures as helper function for privilege escalation •  Additional entries in DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_SYS_PRIVS •  Probably deleted entries in SYS.SYSAUTH$ / SYS.OBJAUTH$ / (visible in data blocks)
  • 53. Pattern – Run OS Commands •  DBA_EXTERNAL_TABLES: External Table with preprocessor (column ACCESS_PARAMETERS) •  DBA_JAVA_POLICY: new entries •  DBA_LIBRARIES: new entries •  CTXSYS.CTX_PREFERENCE_VALUES: Oracle Text user filter , e.g. PRV_ATTRIBUTE=oratclsh.exe
  • 54. Pattern – Backdoors •  Various places depending from the used backdoor •  SYS.USER$ •  Oracle Password File •  Logon trigger •  Privileges (e.g. grant execute on SYS.DBMS_STREAMS_RPC to public) •  ...
  • 55. Pattern – Manipulated Audit/ Log Tables •  Update Log data: Modified ora_rowscn •  Delete Log data: Gaps in rowid •  Entries in SYS.MON_MODS$
  • 56. Pattern – Data Export •  Attackers often export the database (or parts of it) using the official export utilities. •  These traces can be easily found in the •  Listener.log •  sys.wrh$_ active_session_history (requires special license)
  • 57. Pattern – oradebug •  Details of this attacks will be shown by Laszlo Toth talk “Almost invisible cloak in Oracle databases” at Hacktivity (15:10-15:55) •  Oradebug commands are recorded in the trace files and sometimes incident response files (if oradebug causes an Oracle error (e.g. ORA-07445)) •  Tracefiles can easily be removed on OS level
  • 58. Summary •  More convenient tools for databases forensics needed to allow non-databases (security) experts to find traces. •  Atomization for multiple databases needed •  Top down approaches are often easier to understand than bottom up approaches
  • 59. Thank you ¡  Contact: Red-Database-Security GmbH Bliesstr. 16 D-.66538 Neunkirchen Germany