Penetration Testing mailing list archives
Re: [PEN-TEST] hacking oracle questions
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Thu, 30 Nov 2000 21:24:48 -0000
Anindya,

If you have DBA access then you pretty much have it hacked. If you want to give the customer value for money, audit the database security for them. Check how many DBAs there are, what privileges are assigned to what roles, and which users are in those roles; also check for roles within roles (a common oversight). In Oracle 6 there were just 3 system privileges; with Oracle 7 & 8 there are over 80, some of them are pretty powerful and are granted to remedy a problem then not revoked.

Find out whether they rely on Oracle or the underlying operating system for security. In Oracle 7 the security isn't up to much, there is no password quality or aging, though it improves somewhat with 8. Either way IMHO it is best to rely on the OS for security. Trusted Oracle is pretty good, but still prone to privilege runaway.

My notes are at work, otherwise I'd give you the syntax for the above; if you do want to go down this route let me know and I'll pass the info on.

Disclaimer: it's been 12 months since carrying out my last manual Oracle audit, therefore the above is from memory. If there are inaccuracies feel free to flame, but please be gentle.

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
"The geek shall inherit the earth"
talisker () networkintrusion co uk

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.

----- Original Message -----
From: "anindya" <anindya () GOONDA ORG>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 30, 2000 2:17 AM
Subject: [PEN-TEST] hacking oracle questions
Hi folks,

I have some questions about hacking Oracle, specifically version 7.x or 8.x. I have a DBA access account, and can query the SYS.* tables no problem. I also have access to the tnsnames.ora file, so I know the SIDs and where the listeners are. I should mention the target is on an NT 4.0 box.

1) How do I discover what table names exist in a particular Oracle database, i.e. the schema? Once I have the table names, I can use the "describe" command in svrmgrl to get the columns in the table, but apparently there is no easy way to get the table names themselves.

2) It appears I may need to use the Schema Editor (java interface), but it doesn't appear that the username/password there match up with any user accounts in Oracle. What is the relationship between the accounts for the java interface versus actual Oracle accounts (accessible through sqlplus)?

3) The field I want is apparently using Oracle's field-level encryption, this is commonly used for credit card numbers and the like, does anyone have experience decrypting this?

This is the only hacking oracle info I have found on the net so far, it's quite useful: http://www.wittys.com/files/vvandal/

Any help would be appreciated, thanks,
--Anindya
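The audit checks Andy describes above (DBA count, privileges per role, users in roles, nested roles, Oracle versus OS authentication, password aging) as an added worked example that is not from either poster; it assumes a DBA-privileged sqlplus or svrmgrl session against Oracle 7 or 8 and uses only the standard DBA_* dictionary views:

```sql
-- 1. How many DBAs? Everyone holding the DBA role directly
--    (query 3 catches those who inherit it through a nested role).
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- 2. Which system privileges are assigned to which roles? The
--    "ANY" privileges are the powerful ones that tend to be granted
--    to fix a problem and never revoked.
SELECT grantee AS role_name, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN (SELECT role FROM dba_roles)
   AND privilege LIKE '%ANY%'
 ORDER BY grantee, privilege;

-- 3. Which users are in which roles, expanded through roles within
--    roles: walk the grant tree from every user account so that a
--    privilege inherited two or three roles deep is not overlooked.
--    Output is depth-first; depth 1 is a direct grant to the user.
SELECT LEVEL AS depth, grantee, granted_role
  FROM dba_role_privs
 START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY PRIOR granted_role = grantee;

-- 4. Roles granted to other roles, listed on their own for review.
SELECT grantee AS parent_role, granted_role AS nested_role
  FROM dba_role_privs
 WHERE grantee IN (SELECT role FROM dba_roles);

-- 5. Oracle or OS security? In 7/8 an account created IDENTIFIED
--    EXTERNALLY shows the literal 'EXTERNAL' in the password column.
SELECT username,
       DECODE(password, 'EXTERNAL', 'OS authenticated',
                        'Oracle password') AS auth_method
  FROM dba_users;

-- 6. Password aging and quality (Oracle 8 only; these PASSWORD
--    resources do not exist in Oracle 7, which is the point above).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD';
```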