Bugtraq mailing list archives
Re: Oracle Question Slightly OT
From: David Cravshaw <david.cravshaw () gmail com>
Date: Wed, 29 Jun 2005 14:12:15 -0500
Oracle has some security specific information on the OTN page - http://www.oracle.com/technology/deploy/security/db_security/index.html

One you may find particularly useful is the 9iR2 security checklist - http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf (although I couldn't find this linked anywhere on that page...odd)

Pete Finnigan, though, is probably the best reference for Oracle security information. He has a comprehensive list of Oracle security references here: http://www.petefinnigan.com/orasec.htm

There have been several other good Oracle whitepapers including those written by AppSec, Inc (http://www.appsecinc.com/techdocs/whitepapers/research.html), Integrigy (http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf), and NGSSoftware (http://www.nextgenss.com/papers/hpoas.pdf).

Happy reading!

On 6/29/05, Ginski, Richard J. <rginski () co pinellas fl us> wrote:
Forgive me for this being slightly off topic. We've checked Oracle's site, including posting to their "Technology Network", and have yet to find a best practices document for securing Oracle databases. Am I missing something? ... Or should something this obvious be available on Oracle's site? Can anyone provide links to such information?

-----Original Message-----
From: Joshua Wright [mailto:jwright () hasborg com]
Sent: Wednesday, June 29, 2005 10:16 AM
To: bugtraq () securityfocus com
Subject: Auditing Privileged Oracle Passwords - hashattack

I've put together a tool that can be used to build a table of Oracle password hashes from a dictionary file for a designated username. Hashes are calculated by creating a user account similar to the target account to be audited and repeatedly changing the password with "ALTER USER" for each dictionary word, storing the hash for each password in a table.

Once the table of hashes is built, a simple SELECT can be issued to determine if the password hash for a target user is a simple dictionary word:

SQL> select h.username, h.password, h.hash
  2  from hashattack h, dba_users d
  3  where d.password = h.hash and h.username = 'SYS';

USERNAME   PASSWORD             HASH
---------- -------------------- --------------------
SYS        KILTPLEAT            2BBDC477FFB28563

SQL>

Written in PL/SQL, available at http://802.11ninja.net/code/hashattack-0.1.tgz, http://802.11ninja.net/code/hashattack-0.1.tgz.asc

Comments, questions, concerns welcome.

-Josh

--
-Joshua Wright
jwright () hasborg com
2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
Current thread:
- Oracle Question Slightly OT Ginski, Richard J. (Jun 29)
- Re: Oracle Question Slightly OT Susan Bradley (Jun 29)
- Re: Oracle Question Slightly OT David Cravshaw (Jun 29)
- Re: Oracle Question Slightly OT Joshua Wright (Jun 29)