The problem is that local accounts most often do not expire, are not checked for complexity, and still hold privileged access. On top of that, password policies do not always allow requirements to be configured flexibly: for example, they do not prohibit dictionary passwords (remember everyone's favourite, P@ssw0rd).
We at QIWI had the same problems, and in trying to solve them we tested several solutions for a full database scan. Unfortunately, they are mainly aimed at checking the DBMS configuration and nothing more, while the price of such a scanner is quite impressive.
And if we talk about a security scanner that can check the whole infrastructure for vulnerabilities, you end up needing a whole set of such scanners, which is very expensive.
In this post I will describe what we used for our tasks, how along the way we concluded that it is better and easier to build our own, and share the result with everyone.
We use a fairly good and popular scanner. But implementing the functionality we needed on it was hard: we had to create audit files for each database (the configurations of our DBMSs differ), create many accounts for scanning, and then, every time new accounts appeared, edit the audit files again by hand.
In addition, this scanner cannot brute-force passwords in offline mode, which is a real problem. Here is why.
Brute force can be run in two modes, online and offline. Online brute force emulates user logins, i.e. it is an active guessing attack against the live service. One such tool is Hydra, which supports most DBMSs. This approach suits penetration tests and finding default accounts and passwords, but it is unsuitable for regular checks of non-default (user and service) accounts: if an account lockout policy is in place, the guessing will lock those accounts.
Offline brute force instead exports the logins and password hashes and runs the guessing against them with tools such as hashcat or John the Ripper. There is no load on the database and no risk of locking an account, and you can use dictionaries with several million entries, which is practically impossible online.
Building our own
Since the described functionality was hard to implement with the current scanner, and buying another one is expensive, we decided to write our own.
The result is our own scanner for offline brute-forcing of local accounts.
The scanner supports MS SQL, Oracle and PostgreSQL. There were some technical difficulties, for example extracting the hashes in a format that hashcat accepts. But the main difficulty is deciding what to do with the findings: how to change a password without breaking production, how to make sure such passwords do not reappear, and so on.
But we will leave this outside the scope of this article.
The UI is a barely customised Django admin panel. It lets you:
- view the list of databases and add new ones
- see the brute-force status for each account
- see the scan results
- see every weak password found (account name, password hash and the guessed password)
- set the scan schedule
Main advantages
- Brute-forces in offline mode
- There is a dictionary check
- It's all free
If you are not sure whether you need to deploy such a scanner, you can extract the password hashes of local accounts by hand and run them through hashcat. Query examples:
Oracle 11g (on 12c and later, spare4 also carries H: and T: sections separated by ';'; the S: section is the 11g hash):
select user#, name, spare4 from sys.user$ where spare4 is not null;
Microsoft SQL Server (2005 and later):
select name, cast(name + '|' + master.dbo.fn_varbintohexstr(password_hash) as varchar(1000)) from master.sys.sql_logins;
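To show what the offline check described above actually does with the rows these two queries return, here is an added example that is not part of the post and not code from the QIWI scanner. It reproduces the on-disk hash formats that hashcat modes 1731 (MSSQL 2012 and later), 132 (MSSQL 2005) and 112 (Oracle 11g "S:" hash) consume, then runs a dictionary over them without touching the DBMS. The sample hashes, salts, wordlist and login names are constructed inside the file from known passwords so that it runs offline and checks itself; nothing about a specific production database is assumed.

```python
import hashlib
from typing import Iterable, Optional

# Added example, not the QIWI scanner's code. Hash formats assumed here are the
# documented ones that hashcat modes 1731 / 132 / 112 accept:
#   MSSQL 2012+ : 0x0200 || salt(4 bytes) || SHA-512( UTF-16LE(pw) || salt )
#   MSSQL 2005  : 0x0100 || salt(4 bytes) || SHA-1  ( UTF-16LE(pw) || salt )
#   Oracle 11g  : "S:" || hex(SHA-1( pw || salt(10 bytes) )) || hex(salt)


def mssql_password_hash(password: str, salt: bytes, version: int = 2012) -> str:
    """Build the value sys.sql_logins.password_hash holds for this password."""
    if len(salt) != 4:
        raise ValueError("MSSQL salt is 4 bytes")
    data = password.encode("utf-16-le") + salt
    if version >= 2012:
        return "0x0200" + salt.hex() + hashlib.sha512(data).hexdigest()
    return "0x0100" + salt.hex() + hashlib.sha1(data).hexdigest()


def oracle_spare4(password: str, salt: bytes) -> str:
    """Build the 11g 'S:' section of sys.user$.spare4 (SHA-1 over pw || 10-byte salt)."""
    if len(salt) != 10:
        raise ValueError("Oracle 11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def crack_mssql(password_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check: return the candidate matching the MSSQL hash, or None."""
    h = password_hash.lower()
    if h.startswith("0x"):
        h = h[2:]
    version_tag, salt, digest = h[:4], bytes.fromhex(h[4:12]), h[12:]
    algo = {"0200": hashlib.sha512, "0100": hashlib.sha1}.get(version_tag)
    if algo is None:
        raise ValueError(f"unknown MSSQL hash version tag {version_tag}")
    for pw in candidates:
        if algo(pw.encode("utf-16-le") + salt).hexdigest() == digest:
            return pw
    return None


def crack_oracle_spare4(spare4: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check against the 'S:' part of spare4; None if no match.

    12c stores several ';'-separated sections (S:, H:, T:); only S: is used here.
    """
    section = next((s for s in spare4.split(";") if s.startswith("S:")), None)
    if section is None:
        raise ValueError("no S: section in spare4")
    body = section[2:].lower()
    if len(body) != 60:
        raise ValueError("S: section must be 40 hex digest + 20 hex salt")
    digest, salt = body[:40], bytes.fromhex(body[40:])
    for pw in candidates:
        if hashlib.sha1(pw.encode("utf-8") + salt).hexdigest() == digest:
            return pw
    return None


# Constructed inputs: the kind of rows the two queries return, generated here
# from known passwords and fixed salts so the example can verify itself.
WORDLIST = ["admin", "welcome1", "P@ssw0rd", "Summer2019", "qiwi"]

SAMPLE_MSSQL_2012 = mssql_password_hash("P@ssw0rd", bytes.fromhex("0badf00d"))
SAMPLE_MSSQL_2005 = mssql_password_hash("welcome1", bytes.fromhex("01020304"), version=2005)
SAMPLE_ORACLE_11G = oracle_spare4("Summer2019", bytes.fromhex("00112233445566778899"))
# 12c-style row: real S: section plus filler H:/T: sections that the checker must skip
SAMPLE_ORACLE_12C = SAMPLE_ORACLE_11G + ";H:" + "0" * 32 + ";T:" + "0" * 160
SAMPLE_STRONG = mssql_password_hash("c0rrect-h0rse-battery", b"\x00\x00\x00\x01")


def scan_all() -> dict:
    """Run the wordlist over every constructed hash; None means 'not in wordlist'."""
    return {
        "svc_reports (mssql 2012)": crack_mssql(SAMPLE_MSSQL_2012, WORDLIST),
        "legacy_app (mssql 2005)": crack_mssql(SAMPLE_MSSQL_2005, WORDLIST),
        "HR_ADMIN (oracle 11g)": crack_oracle_spare4(SAMPLE_ORACLE_11G, WORDLIST),
        "HR_ADMIN (oracle 12c row)": crack_oracle_spare4(SAMPLE_ORACLE_12C, WORDLIST),
        "dba_strong (mssql 2012)": crack_mssql(SAMPLE_STRONG, WORDLIST),
    }


if __name__ == "__main__":
    for login, found in scan_all().items():
        print(f"{login}: {'WEAK -> ' + found if found else 'not in wordlist'}")
```

The same exported values feed hashcat directly, which does the identical computation many orders of magnitude faster: `hashcat -m 1731 hashes.txt wordlist.txt` for the MSSQL 2012+ values (keep the `0x0200...` form), `-m 132` for MSSQL 2005, and for Oracle 11g mode 112 expects `digest:salt`, i.e. the 60 hex characters after `S:` split after the fortieth with a colon.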
Our scanner will not replace a full-fledged security scanner, but it is a useful addition. It is now available to everyone: github.com/qiwi/bruteforce
If you have questions or run into difficulties with deployment, open an issue on GitHub and we will answer.
Many thanks to Surdum and slezhuk for the implementation.