Oracle TNS-poison attack

The TNS Poison attack is a type of man-in-the-middle attack. With this attack an attacker can hijack a session and can send SQL commands to database from this session. If the hijacked session user has some critical privileges ( like DBA roles )  the attacker can completely manipulate Oracle database.

 

At this note, I will show you; how you can check that an Oracle database has this vulnerability and the solution for Oracle databases at Oracle 11.2 version.

 

With nmap ( at Kali ) we can check The TNS Poison attack.   We can use; oracle-tns-poison.nse nmap script .This script has not been included in standard distribution. Therefore we add this script into nmap environment and after updating nmap we can use it

First; get oracle-tns-poison.nse script from

https://gist.github.com/JukArkadiy/3d6cff222d1b87e963e7   link.

Nmap is a free and open source (license) utility for network discovery and security auditing. That’s why you can get all source from github .

Get the script and put it in a file called oracle-tns-poison.nse  at /usr/share/nmap directory.

 

1.png

And update nmap with this new script

1.png

Now we are ready to use; oracle-tns-poison.nse script.

But first I will show you the target database which has this vulnerability. This is an Oracle 11.2.0.4 database; at standard installation all databases have this vulnerability.  And the solution for this vulnerability is to change the listener configuration

Therefore the initial configuration of the listener are given below.

1

Now check the vulnerability with this command;

nmap –script=oracle-tns-poison.nse -p 1521 192.200.11.9

As you see we have the vulnerability at this site.

1.png

The solution for this is to use Valid Node Checking For Registration for the all listeners ; (Metalink Doc ID 1600630.1)

Simply add this parameter for all listeners ( we have one listener only )

VALID_NODE_CHECKING_REGISTRATION_LISTENER=on

1.png

 

And rebounce the listener

lsnrctl stop

lsnrctl start

1.png

 

Now check the vulnerability again

1.png

 

It is done, It is not vulnerable.

 

If  there was a scan listener  In this case ; we would use below configuration

 

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1

REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1

REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)

 

For Oracle 12c database there is no tns-poison vulnerability. Therefore all the time we advise DBAs to upgrade databases for the sake of security.

I will make the same test with Oracle 12c database without any configuration;

1.png

 

And the listener.ora file

1.png

Check the vulnerability against this database.

nmap –script=oracle-tns-poison.nse -p 1521 192.200.11.7

1.png

As you see ; Oracle 12c  is not vulnerable.

Simply ; If you have Oracle 11g database and below , you have tns-poison vulnerability from the beginning. To protect your database ;  use Valid Node Checking For Registration  for Oracle 11g .

if your version is Oracle 10g the solution is different and very  complicated. I do not want to mention the solution here.  Do not stay at Oracle 10g version ;  the solution is upgrade your database to 11g .

If you have Oracle 12c ; you have nothing to do. You are secure againt tns-poision attack from the beginning   .

Thanks.

Anıl Akduygu

 

Postgres security Checks Password Encryption

This test checks if postgresql passwords are stored in encrypted or clear text format.

First check pg_shadow table  to find any clear-text passwords. For this reason we can use below query.

select usename,passwd from pg_shadow

 where passwd not like ‘md5%’ or length(passwd) <> 35;

The output of this query should be null. If you find any passwords in clear-text format. you should change these passwords .

At the same time you should check Password_encryption parameter. This parameter controls ALTER USER and CREATE USER commands, If you don’t specify ENCRYPTED or UNENCRYPTED at this command , the database encrypts passwords.

The value of Password_encryption parameter should be on

postgres=# show Password_encryption;

password_encryption

———————

on

(1 row)

 

 

Interactively Installation of PostgreSQL on Oracle Linux 7

At this writing; I will show how you can install PostgreSQL interactively on Oracle Linux 7. The same procedure applies to Red Hat Linux and other linux versions as well.

First you need to download PostgreSQL binary;  you can connect to

http://www.enterprisedb.com/products-services-training/pgdownload

web site to download and we choose Linux x86-64.Capture01.PNG

Now the binary file is ready to install

 

Capture02.PNG

To run the binary give necessary rights.

 

Capture03.PNG

 

Now you can start the binary installation.Capture04.PNG

 

Actually the other parts are simple ; just Next ;

Choose the Installation Directory

 

 

Capture06.PNG

 

The other step is

Choose the directory where the data will stay

 

Capture07.PNG

Enter password for the superuser (postgres)

Capture08.PNG

And choose a port number for the database;

Capture09.PNG

Choose locale

Capture10.PNG

And then installation starts.

 

Capture11.PNG

Installation is finished you can check the programs are installed correctly.

 

If you see all these programs . It is OK.

Capture12.PNG

 

 

START &STOP PostgreSQL

At this configuration we can start , stop and check the status of the database like that;

[root@localhost ~]# su – postgres

Last login: Sat Apr 23 18:51:45 EEST 2016 on pts/1

-bash-4.2$ . pg_env.sh

-bash-4.2$ pg_ctl status

pg_ctl: server is running (PID: 4080)

/opt/PostgreSQL/9.5/bin/postgres “-D” “/opt/PostgreSQL/9.5/data”

-bash-4.2$ pg_ctl stop

waiting for server to shut down…. done

server stopped

-bash-4.2$ pg_ctl start

server starting

-bash-4.2$ 2016-04-23 18:56:38 EEST LOG:  redirecting log output to logging collector process

2016-04-23 18:56:38 EEST HINT:  Future log output will appear in directory “pg_log”.

 

-bash-4.2$ psql

Password:

psql.bin (9.5.2)

Type “help” for help.

postgres=# \l

List of databases

Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges

 

———–+———-+———-+————+————+——————–

postgres  | postgres | UTF8     | en_GB.utf8 | en_GB.utf8 |

template0 | postgres | UTF8     | en_GB.utf8 | en_GB.utf8 | =c/postgres

+

|          |          |            |            | postgres=CTc/postgr

es

template1 | postgres | UTF8     | en_GB.utf8 | en_GB.utf8 | =c/postgres

+

|          |          |            |            | postgres=CTc/postgr

es

(3 rows)

Managing PostgreSQL with plsql Commands

psql Commands

 

 

To see the database version

 

C:\Program Files\PostgreSQL\9.5\bin>psql –version

psql (PostgreSQL) 9.5.2

 

C:\Program Files\PostgreSQL\9.5\bin>

 

List Databases and then quit

 

C:\Program Files\PostgreSQL\9.5\bin>psql -l -U postgres

 

List of databases

Name    |  Owner   | Encoding |          Collate           |           Ctype            |   Access privileges

———–+———-+———-+—————————-+—————————-+———————–

postgres  | postgres | UTF8     | English_United States.1252 | English_United States.1252 |

template0 | postgres | UTF8     | English_United States.1252 | English_United States.1252 | =c/postgres          +

|          |          |                            |                            | postgres=CTc/postgres

template1 | postgres | UTF8     | English_United States.1252 | English_United States.1252 | =c/postgres          +

|          |          |                            |                            | postgres=CTc/postgres

(3 rows)

 

C:\Program Files\PostgreSQL\9.5\bin>

 

Getting Help for psql

 

C:\Program Files\PostgreSQL\9.5\bin>psql –help

psql is the PostgreSQL interactive terminal.

 

Usage:

psql [OPTION]… [DBNAME [USERNAME]]

 

General options:

-c, –command=COMMAND    run only single command (SQL or internal) and exit

-d, –dbname=DBNAME      database name to connect to (default: “Administrator”)

-f, –file=FILENAME      execute commands from file, then exit

-l, –list               list available databases, then exit

-v, –set=, –variable=NAME=VALUE

set psql variable NAME to VALUE

(e.g., -v ON_ERROR_STOP=1)

-V, –version            output version information, then exit

-X, –no-psqlrc          do not read startup file (~/.psqlrc)

-1 (“one”), –single-transaction

execute as a single transaction (if non-interactive)

-?, –help[=options]     show this help, then exit

–help=commands      list backslash commands, then exit

–help=variables     list special variables, then exit

 

Input and output options:

-a, –echo-all           echo all input from script

-b, –echo-errors        echo failed commands

-e, –echo-queries       echo commands sent to server

-E, –echo-hidden        display queries that internal commands generate

-L, –log-file=FILENAME  send session log to file

-n, –no-readline        disable enhanced command line editing (readline)

-o, –output=FILENAME    send query results to file (or |pipe)

-q, –quiet              run quietly (no messages, only query output)

-s, –single-step        single-step mode (confirm each query)

-S, –single-line        single-line mode (end of line terminates SQL command)

 

Output format options:

-A, –no-align           unaligned table output mode

-F, –field-separator=STRING

field separator for unaligned output (default: “|”)

-H, –html               HTML table output mode

-P, –pset=VAR[=ARG]     set printing option VAR to ARG (see \pset command)

-R, –record-separator=STRING

record separator for unaligned output (default: newline)

-t, –tuples-only        print rows only

-T, –table-attr=TEXT    set HTML table tag attributes (e.g., width, border)

-x, –expanded           turn on expanded table output

-z, –field-separator-zero

set field separator for unaligned output to zero byte

-0, –record-separator-zero

set record separator for unaligned output to zero byte

 

Connection options:

-h, –host=HOSTNAME      database server host or socket directory (default: “local socket”)

-p, –port=PORT          database server port (default: “5432”)

-U, –username=USERNAME  database user name (default: “Administrator”)

-w, –no-password        never prompt for password

-W, –password           force password prompt (should happen automatically)

 

For more information, type “\?” (for internal commands) or “\help” (for SQL

commands) from within psql, or consult the psql section in the PostgreSQL

documentation.

 

Report bugs to <pgsql-bugs@postgresql.org>.

 

C:\Program Files\PostgreSQL\9.5\bin>

 

 

 

 

PGUSER Linux environment Variables

 

Holds user name to connect  to the database

Normally unset it

 

unset PGUSER

Defaults DBs

  • postgres : master DB to control RDBMS in Cluster databases.
  • template0 — used to reconstruct template1 ,
  • template1 – – copy of template0 is used to generate new DB s

 

Connect to Database interactively with postgres user

 

C:\Program Files\PostgreSQL\9.5\bin>psql –U postgres

psql (9.5.2)

WARNING: Console code page (437) differs from Windows code page (1252)

8-bit characters might not work correctly. See psql reference

page “Notes for Windows users” for details.

Type “help” for help.

 

postgres=#  à This shows It is a super user.

 

SQL Specific Help

 

postgres=#  \h

Available help:

ABORT                            DEALLOCATE

ALTER AGGREGATE                  DECLARE

ALTER COLLATION                  DELETE

ALTER CONVERSION                 DISCARD

ALTER DATABASE                   DO

ALTER DEFAULT PRIVILEGES         DROP AGGREGATE

ALTER DOMAIN                     DROP CAST

ALTER EVENT TRIGGER              DROP COLLATION

ALTER EXTENSION                  DROP CONVERSION

ALTER FOREIGN DATA WRAPPER       DROP DATABASE

ALTER FOREIGN TABLE              DROP DOMAIN

ALTER FUNCTION                   DROP EVENT TRIGGER

ALTER GROUP                      DROP EXTENSION

ALTER INDEX                      DROP FOREIGN DATA WRAPPER

ALTER LANGUAGE                   DROP FOREIGN TABLE

ALTER LARGE OBJECT               DROP FUNCTION

ALTER MATERIALIZED VIEW          DROP GROUP

ALTER OPERATOR                   DROP INDEX

ALTER OPERATOR CLASS             DROP LANGUAGE

ALTER OPERATOR FAMILY            DROP MATERIALIZED VIEW

ALTER POLICY                     DROP OPERATOR

ALTER ROLE                       DROP OPERATOR CLASS

ALTER RULE                       DROP OPERATOR FAMILY

ALTER SCHEMA                     DROP OWNED

ALTER SEQUENCE                   DROP POLICY

ALTER SERVER                     DROP ROLE

ALTER SYSTEM                     DROP RULE

ALTER TABLE                      DROP SCHEMA

ALTER TABLESPACE                 DROP SEQUENCE

ALTER TEXT SEARCH CONFIGURATION  DROP SERVER

ALTER TEXT SEARCH DICTIONARY     DROP TABLE

ALTER TEXT SEARCH PARSER         DROP TABLESPACE

ALTER TEXT SEARCH TEMPLATE       DROP TEXT SEARCH CONFIGURATION

ALTER TRIGGER                    DROP TEXT SEARCH DICTIONARY

ALTER TYPE                       DROP TEXT SEARCH PARSER

ALTER USER                       DROP TEXT SEARCH TEMPLATE

ALTER USER MAPPING               DROP TRANSFORM

ALTER VIEW                       DROP TRIGGER

ANALYZE                          DROP TYPE

BEGIN                            DROP USER

CHECKPOINT                       DROP USER MAPPING

CLOSE                            DROP VIEW

CLUSTER                          END

COMMENT                          EXECUTE

COMMIT                           EXPLAIN

COMMIT PREPARED                  FETCH

COPY                             GRANT

CREATE AGGREGATE                 IMPORT FOREIGN SCHEMA

— More  —

 

postgres=# \h CREATE TABLE

 

Command:     CREATE TABLE

Description: define a new table

Syntax:

CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXISTS ] table_

{ column_name data_type [ COLLATE collation ] [ column_constraint [ … ] ]

| table_constraint

| LIKE source_table [ like_option … ] }

[, … ]

] )

[ INHERITS ( parent_table [, … ] ) ]

[ WITH ( storage_parameter [= value] [, … ] ) | WITH OIDS | WITHOUT OIDS ]

[ ON COMMIT { PRESERVE ROWS | DELETE ROWS | DROP } ]

[ TABLESPACE tablespace_name ]

 

CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXISTS ] table_

OF type_name [ (

{ column_name WITH OPTIONS [ column_constraint [ … ] ]

| table_constraint }

[, … ]

) ]

[ WITH ( storage_parameter [= value] [, … ] ) | WITH OIDS | WITHOUT OIDS ]

[ ON COMMIT { PRESERVE ROWS | DELETE ROWS | DROP } ]

[ TABLESPACE tablespace_name ]

 

where column_constraint is:

 

[ CONSTRAINT constraint_name ]

{ NOT NULL |

NULL |

CHECK ( expression ) [ NO INHERIT ] |

DEFAULT default_expr |

UNIQUE index_parameters |

PRIMARY KEY index_parameters |

REFERENCES reftable [ ( refcolumn ) ] [ MATCH FULL | MATCH PARTIAL | MATCH SIMPLE ]

[ ON DELETE action ] [ ON UPDATE action ] }

[ DEFERRABLE | NOT DEFERRABLE ] [ INITIALLY DEFERRED | INITIALLY IMMEDIATE ]

 

 

Psql  Specific Help

 

postgres-# \?

General

\copyright             show PostgreSQL usage and distribution terms

\g [FILE] or ;         execute query (and send results to file or |pipe)

\gset [PREFIX]         execute query and store results in psql variables

\q                     quit psql

\watch [SEC]           execute query every SEC seconds

 

Help

\? [commands]          show help on backslash commands

\? options             show help on psql command-line options

\? variables           show help on special variables

\h [NAME]              help on syntax of SQL commands, * for all commands

 

Query Buffer

\e [FILE] [LINE]       edit the query buffer (or file) with external editor

\ef [FUNCNAME [LINE]]  edit function definition with external editor

\p                     show the contents of the query buffer

\r                     reset (clear) the query buffer

\w FILE                write query buffer to file

 

Input/Output

\copy …              perform SQL COPY with data stream to the client host

\echo [STRING]         write string to standard output

\i FILE                execute commands from file

\ir FILE               as \i, but relative to location of current script

\o [FILE]              send all query results to file or |pipe

\qecho [STRING]        write string to query output stream (see \o)

 

Informational

(options: S = show system objects, + = additional detail)

\d[S+]                 list tables, views, and sequences

\d[S+]  NAME           describe table, view, sequence, or index

\da[S]  [PATTERN]      list aggregates

\db[+]  [PATTERN]      list tablespaces

\dc[S+] [PATTERN]      list conversions

\dC[+]  [PATTERN]      list casts

\dd[S]  [PATTERN]      show object descriptions not displayed elsewhere

\ddp    [PATTERN]      list default privileges

\dD[S+] [PATTERN]      list domains

 

Some Special Plsql Commands

 

 

postgres-# \l+   Show Detailed information about databases

 

postgres-# \du+   Return detailed list of users

List of roles

Role name |                         Attributes                         | Member of | Description

———–+————————————————————+———–+————-

postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}        |

 

postgres-# \! Returns to shell

 

postgres-# \q to quit

 

 

postgres=# select version();

version

————————————————————-

PostgreSQL 9.5.2, compiled by Visual C++ build 1800, 64-bit

(1 row)

 

 

psql –U postgres –f filename.sql  to run a sql file

 

template1=# \c postgres  to connect to anaother database

WARNING: Console code page (437) differs from Windows code page (1252)

8-bit characters might not work correctly. See psql reference

page “Notes for Windows users” for details.

You are now connected to database “postgres” as user “postgres”.

postgres=#

 

\c DBNAME RemoteHOSTNAME   connect to Remote Host and database

to connect to a database

 

C:\Program Files\PostgreSQL\9.5\bin>psql -U postgres template1

psql (9.5.2)

WARNING: Console code page (437) differs from Windows code page (1252)

8-bit characters might not work correctly. See psql reference

page “Notes for Windows users” for details.

Type “help” for help.

 

template1=#

 

 

List Database Objects

 

postgres=# \dS

 

 

 

postgres=# \dS+

List of relations

Schema   |              Name               | Type  |  Owner   |    Size    | Description

————+———————————+——-+———-+————+————-

pg_catalog | pg_aggregate                    | table | postgres | 48 kB      |

pg_catalog | pg_am                           | table | postgres | 40 kB      |

pg_catalog | pg_amop                         | table | postgres | 80 kB      |

pg_catalog | pg_amproc                       | table | postgres | 64 kB      |

pg_catalog | pg_attrdef                      | table | postgres | 8192 bytes |

pg_catalog | pg_attribute                    | table | postgres | 384 kB     |

pg_catalog | pg_auth_members                 | table | postgres | 0 bytes    |

pg_catalog | pg_authid                       | table | postgres | 40 kB      |

pg_catalog | pg_available_extension_versions | view  | postgres | 0 bytes    |

pg_catalog | pg_available_extensions         | view  | postgres | 0 bytes    |

pg_catalog | pg_cast                         | table | postgres | 48 kB      |

pg_catalog | pg_class                        | table | postgres | 136 kB     |

pg_catalog | pg_collation                    | table | postgres | 40 kB      |

pg_catalog | pg_constraint                   | table | postgres | 48 kB      |

pg_catalog | pg_conversion                   | table | postgres | 56 kB      |

pg_catalog | pg_cursors                      | view  | postgres | 0 bytes    |

pg_catalog | pg_database                     | table | postgres | 8192 bytes |

pg_catalog | pg_db_role_setting              | table | postgres | 8192 bytes |

pg_catalog | pg_default_acl                  | table | postgres | 0 bytes    |