Home
E-mail Us
Oracle Articles
New Oracle Articles

Oracle Training
Oracle Tips
Oracle Forum
Class Catalog

Remote DBA
Oracle Tuning
Emergency 911
RAC Support
Apps Support
Analysis
Design
Implementation
Oracle Support

SQL Tuning
Security
Oracle UNIX
Oracle Linux
Monitoring
Remote support
Remote plans
Remote services
Application Server
Applications
Oracle Forms
Oracle Portal
App Upgrades
SQL Server
Oracle Concepts
Software Support
Remote Support
Development
Implementation

Consulting Staff
Consulting Prices
Help Wanted!

Oracle Posters
Oracle Books
Oracle Scripts
Ion
Excel-DB

Don Burleson Blog

Ten Stages of a Network Attack

Oracle Forensics tips by Paul Wright

This Chapter is a tutorial on IT Security with references paid to Oracle.

The motives of attackers are commonly political, intellectual challenge, commercial gain perhaps via a competitor, and also internal career progression. Whatever the motives, there are patterns in the historical pattern of attacks that enable us to make a model of what attacks look like.

10 stage Generic attack process in a nutshell (in chronological order)

1. Reconnaissance

2. Network mapping

3. Port scanning and banner grabbing a host

4. Vulnerability identification

5. Exploitation

6. Privilege escalation

7. Rootkit installation

8. Hiding tracks

9. Monitoring

10. Using unauthorized privilege gained for benefit

Of course in a single incident the exact order and number of stages may be changed but this is a good framework to work with.

Now drilling down into the 10 stage list we see more detail about each stage in this generic attack process.

1. Reconnaissance to find out about the target before attack.

WhoIs Internet searches for administrative contact phone numbers and emails
DNS Lookup for ISP details http://www.networksolutions.com/whois/index.jsp
Google and google cache to find deleted information about the victim http://www.googleguide.com/ and http://johnny.ihackstuff.com/
SamSpade (http://www.samspade.org/).
Netcraft (http://www.netcraft.com).

Reconnaissance would be done anonymously so not to tip off the victim. Tor is an encrypted channel for anonymous web browsing http://tor.eff.org/ . Alternatively an attacker could bounce between multiple Internet proxies such as www.proxify.com .

2. Network mapping of a subnet.

nmap http://insecure.org/nmap/ is the defacto network mapping tool.
Paketo keiretsu enables faster scanning of large networks by separating the send and receive functionality of the scanner.

3. Port scanning of an individual host

Nmap again as well as amap http://www.thc.org/thc-amap/ . Nmap, by default, works by using port number to identify the application running so for instance if the Oracle Listener is on port 1522 then nmap will present this port as being rna-lm as per the IANA default port assignments. http://www.iana.org/assignments/port-numbers . By using the additional ?sV switch of nmap it will correctly identify many applications by their banner.

4. Banner grabbing a host to identify the actual service being ran and vulnerability identification from the version gained from the banner. This will allow identification of likely vulnerabilities.

nessus will identify applications running and then match vulnerabilities http://www.nessus.org/
Typhon is a commercial banner grabbing network/host scanner.
http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
CANVAS is a commercially available tool that comes with exploits written by Dave Aitel?s ImmunitySec http://www.immunitysec.com/products-canvas.shtml
CORE Impact is a similar commercially available tool. http://www.coresecurity.com/?module=ContentMod&action=item&id=32
For Oracle protocol detection, can use tnsping utility to tell if a port that is listening is talking in the TNS protocol or not. Tnsping is usually found in the $ORACLE_HOME/bin

5. Exploitation of a software flaw to gain unauthorized access.

Metasploit has pre-coded exploits for many OS and applications http://www.metasploit.com/
Research web sites such as http://www.argeniss.com/research.html and
http://www.red-database-security.com/exploits/oracle_exploits.html
Commercial software such as NGS SQuirreL for Oracle have new vulnerability advisories contained within.

These software exploits often consist of buffer overflows due to incorrect bounds checking of input variables. Another exploit common to Oracle is SQL Injection into Web Front end, Forms and PLSQL packages which can result in privilege escalation. These will be looked at it in greater detail later on in the book.

6. Cracking passwords and user names is basically the process of taking an encrypted password and then decrypting it or guessing it correctly by attempting many times until the correct password is gained.

JTR (John the Ripper) is a good password cracker http://www.openwall.com/john/ . There is now a patch for John to be able to crack Oracle hashes.
Also ?Cain? is an easy to use Windows based password cracker http://www.oxid.it/cain.html
Rainbow crack is a tool used to pre-compute hash-to-cleartext correlations i.e. ?you give me the hash I will give you the password because I have already computed all the possible permutations?. Rainbow crack has been converted to allow generation of hashes for the Oracle usernames as discussed at this URL http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049569.html.These correlations can accessed online at http://www.rainbowcrack-online.com/

7. Rootkit installation enables covert access at a later date and generally involves the installation of software by the attacker to hide their presence after they have gained privileged access to the target server.

http://www.rootkit.com/ which has links to AFX and hacker-defender rootkits for example.
The concept of root kits has been transferred to databases as will be discussed.

8. Hiding tracks to clear up evidence involves deletion of logs and tools as well as resetting timestamps.

Change timestamps to show that files have not been changed using timestamps for instance
Secure deletion of files so that recycle bin or forensic data recovery cannot bring the attackers tools back after they have deleted them. Oracle now has a Recycle bin which uses the PURGE keyword to empty or avoid it. We will look in detail at this command.

9. Monitoring the system over time which typically requires a covert channel.

Loki sends shell commands over ICMP
Time based covert channels also exist.

10. Using unauthorized privilege for benefit

Credit card numbers and Social security IDs form a saleable resource to a commercially minded hacker.
An attacker might blackmail a bank if they were able to gain customers data.
A competitor may seek advantage in hiring a hacker to subvert another company or spy upon them to gain their intellectual property or list of customers.
Internally an employee may seek advantage over an internal competitor by taking an unauthorized action that disadvantages their adversary e.g. causing a mistake to occur and making it look like their adversary did it.

Lists always come in groups of 10 but the 11th stage in this case should be ?getting caught?, which is the responsibility of the reader once this book is finished. This person will collect all the evidence and attempt to deduce the knowable information from an incident with the aim of identifying the culprit and recovering any losses legally if necessary.

Further detail on general computer security in general can be found in a book which has been made available free of charge by the Author who is Professor Ross Anderson of Cambridge University. http://www.cl.cam.ac.uk/~rja14/book.html

This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.

��