Re: [PEN-TEST] hacking oracle questions

[Talisker <Talisker () NETWORKINTRUSION CO UK>]

Anindya
If you have DBA access then you pretty much have it hacked, if you want to
give the customer value for money, audit the Database Security for them.

Check how many DBAs there are,
what privileges are assigned to what roles,
which users are in those roles
also check for roles within roles (a common oversight)
In Oracle 6 there were just 3 system privileges, with Oracle 7 & 8 there are
over 80 some of them are pretty powerful and are granted to remedy a problem
then not revoked.
Find out whether they rely on Oracle or the underlying operating system for
security.  In Oracle 7 The security isn't up to much, there is no password
quality or aging, though it improves somewhat with 8.  Either way IMHO it is
best to rely on the OS for security.  Trusted Oracle is pretty good, but
still prone to privilege runaway.

My notes are at work otherwise I'd give you the syntax for the above, if you
do want to go down this route let me know and I'll pass the info on.

Disclaimer.  It's been 12 months since carrying out my last manual Oracle
audit, therefore the above is from memory, if there are inaccuracies feel
free to flame but please be gentle

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo
talisker () networkintrusion co uk

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "anindya" <anindya () GOONDA ORG>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 30, 2000 2:17 AM
Subject: [PEN-TEST] hacking oracle questions


> Hi folks,
>
> I have some questions about hacking Oracle, specifically
> version 7.x or 8.x. I have a DBA access account, and can query
> the SYS.* tables no problem. I also have access to the tnsnames.ora
> file, so I know the SIDs and where the listeners are. I should
> mention the target is on an NT 4.0 box.
>
> 1) How do I discover what table names exist in a particular Oracle
database
>    i.e. the schema? Once I have the table names, I can use the
>    "describe" command in svrmgrl to get the columns in the
>    table , but apparently there is no easy way to get the
>    table names themselves..
>
> 2) It appears I may need to use the Schema Editor (java interface),
>    but it doesn't appear that the username/password there match
>    up with any user accounts in Oracle. What is the relationship
>    between the accounts for the java interface versus actual
>    Oracle accounts (accessible through sqlplus)?
>
> 3) The field I want is apparently using Oracle's field-level
>    encryption, this is commonly used for credit card numbers
>    and the like, does anyone have experience decrypting this?
>
> This is the only hacking oracle info I have found on the net
> so far, its quite useful:
>
> http://www.wittys.com/files/vvandal/
>
> Any help would be appreciated, thanks,
> --Anindya