Author Topic: Hacking Oracle  (Read 4248 times)
H1t M0nk3y
« on: June 14, 2010, 07:00:20 AM »

In a lab, I have 2 servers with Oracle 10g installed.

I want to check if they are both secure, but I don't know how I should proceed with the pentest. I know I need the SID along with a tool to make a connection to the database.

So far, all that I found on the internet was pretty old, using tools in BackTrack 2 or talking about Oracle 9i or older.

Does anyone know about tools or a useful link on that topic?

GPEN, GSEC, CEH, CISSP, PMP
xXxKrisxXx
« Reply #1 on: June 14, 2010, 12:24:59 PM »

Chris Gates has done some pentesting work on Oracle and has written some walkthroughs. You may want to check out some of his posts on his blog: http://carnal0wnage.blogspot.com/search?q=oracle (scroll down)

OSCP, OWSP, eCPPT
H1t M0nk3y
Hero Member
*****
Offline Offline

Posts: 660



View Profile
« Reply #2 on: June 15, 2010, 07:01:03 AM »

Thanks xXxKrisxXx,

I will give it a try tonight in my lab.

GPEN, GSEC, CEH, CISSP, PMP
aweSEC
« Reply #3 on: June 18, 2010, 07:04:59 AM »

I haven't read those books, but they should fit your needs:

HOWTO Secure and Audit Oracle 10g and 11g
The Oracle Hacker's Handbook: Hacking and Defending Oracle
H1t M0nk3y
« Reply #4 on: June 18, 2010, 10:50:53 AM »

Thanks awesec, I am waiting for my new assignment and if it involves Oracle, I will probably buy one of them...

GPEN, GSEC, CEH, CISSP, PMP
jimbob
Guest
« Reply #5 on: June 18, 2010, 11:11:13 AM »

For tools to connect to Oracle, check out SQLPlus, the command-line tool that ships with Oracle. A free GUI called SQL Developer is available from Oracle if you want something more visual.

There are a few good Oracle security tools out there and some modules in Metasploit for Oracle scanning and enumeration. POET is a recently released tool for Oracle pen testing.

http://pentestit.com/2010/06/08/poet-padding-oracle-exploit-tool/

Cheers,
Jim
LSOChris
Guest
« Reply #6 on: June 19, 2010, 08:30:37 AM »

You can check out my whitepaper from Blackhat to get you started:

http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-PAPER.pdf

You may also need to check out the Metasploit wiki to get the gem installed to use the Oracle mixin:

http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage