[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42C2F9B1.5090802@pacbell.net>
Date: Wed, 29 Jun 2005 12:42:41 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: "Ginski, Richard J." <rginski@...pinellas.fl.us>,
bugtraq@...urityfocus.com
Subject: Re: Oracle Question Slightly OT
www.cisecurity.org has documents.
http://www.cisecurity.org/bench_oracle.html
Ginski, Richard J. wrote:
>Forgive me for this being slightly off topic. We've checked Oracle's
>site, including posting to their "Technology Network", and have yet to
>find a best practices document for securing Oracle databases. Am I
>missing something? ... Or should something this obvious be available on
>Oracle's site? Can anyone provide links to such information?
>
>-----Original Message-----
>From: Joshua Wright [mailto:jwright@...borg.com]
>Sent: Wednesday, June 29, 2005 10:16 AM
>To: bugtraq@...urityfocus.com
>Subject: Auditing Privilged Oracle Passwords - hashattack
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I've put together a tool that can be used to build a table of Oracle
>password hashes from a dictionary file for a designated username.
>Hashes are calculated by creating a user account similar to the target
>account to be audited and repeatedly changing the password with "ALTER
>USER" for each dictionary word, storing the hash for each password in a
>table.
>
>Once the table of hashes is built, a simple SELECT can be issued to
>determine if the password hash for a target user is a simple dictionary
>word:
>
>SQL> select h.username, h.password, h.hash
> 2 from hashattack h, dba_users d
> 3 where d.password = h.hash and h.username = 'SYS';
>
>USERNAME PASSWORD HASH
>- ---------- -------------------- --------------------
>SYS KILTPLEAT 2BBDC477FFB28563
>
>SQL>
>
>
>Written in PL/SQL, available at
>http://802.11ninja.net/code/hashattack-0.1.tgz,
>http://802.11ninja.net/code/hashattack-0.1.tgz.asc
>
>Comments, questions, concerns welcome.
>
>- -Josh
>- --
>- -Joshua Wright
>jwright@...borg.com
>
>2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
>fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF
>
>Today I stumbled across the world's largest hotspot. The SSID is
>"linksys".
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (MingW32)
>Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
>LcY+tDFFcNAeMbsIg7YWe88=
>=L/x5
>-----END PGP SIGNATURE-----
>
>
>
Powered by blists - more mailing lists