Hacking Oracle

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jun 14, 2010 7:00 am

Hacking Oracle

In a lab, I have 2 servers with Oracle 10g installed.

I want to check if they are both secure, but I don't know how I should proceed with the pentest. I know I need the SID along with a tool to make a connection to the database.

So far, all that I found on the internet was pretty old, using tools in BackTrack 2 or talking about Oracle 9i or older.

Does anyone know about tools or a useful link on that topic?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Mon Jun 14, 2010 12:24 pm

Re: Hacking Oracle

Chris Gates has done some pentesting work on Oracle & has written some walkthroughs. You may want to check out some of his posts on his blog: http://carnal0wnage.blogspot.com/search?q=oracle (scroll down)
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jun 15, 2010 7:01 am

Re: Hacking Oracle

Thanks xXxKrisxXx,

I will give it a try tonight in my lab.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jun 18, 2010 7:04 am

Re: Hacking Oracle

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jun 18, 2010 10:50 am

Re: Hacking Oracle

Thanks awesec, I am waiting for my new assignment and if it involves Oracle, I will probably buy one of them...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
jimbob

Post Fri Jun 18, 2010 11:11 am

Re: Hacking Oracle

For tools to connect to Oracle, check out SQLPlus, the command line tool that ships with Oracle. A free GUI called SQL Developer is available from Oracle if you want something more visual.

There are a few good Oracle security tools out there and some modules in Metasploit for Oracle scanning and enumeration. POET is a recently released tool for Oracle pen testing.

http://pentestit.com/2010/06/08/poet-pa ... loit-tool/

Cheers,
Jim
LSOChris

Post Sat Jun 19, 2010 8:30 am

Re: Hacking Oracle

You can check out my whitepaper from Blackhat to get you started:

http://www.blackhat.com/presentations/b ... -PAPER.pdf

You may also need to check out the Metasploit wiki to get the gem installed to use the Oracle mixin:

http://www.metasploit.com/redmine/proje ... racleUsage
