[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <32c5e51a050629121270a59d25@mail.gmail.com>
Date: Wed, 29 Jun 2005 14:12:15 -0500
From: David Cravshaw <david.cravshaw@...il.com>
To: "Ginski, Richard J." <rginski@...pinellas.fl.us>
Cc: bugtraq@...urityfocus.com
Subject: Re: Oracle Question Slightly OT
Oracle has some security specific information on the OTN page -
http://www.oracle.com/technology/deploy/security/db_security/index.html
One you may find particularly useful is the 9iR2 security checklist -
http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
(although I couldn't find this linked anywhere on that page...odd)
Pete Finnigan, though, is propably the best reference for Oracle
security information. He has a comprehensive list of Oracle security
references here: http://www.petefinnigan.com/orasec.htm
There have been several other good Oracle whitepapers including those
written by AppSec, Inc
(http://www.appsecinc.com/techdocs/whitepapers/research.html),
Integrigy (http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf),
and NGSSoftware (http://www.nextgenss.com/papers/hpoas.pdf).
Happy reading!
On 6/29/05, Ginski, Richard J. <rginski@...pinellas.fl.us> wrote:
> Forgive me for this being slightly off topic. We've checked Oracle's
> site, including posting to their "Technology Network", and have yet to
> find a best practices document for securing Oracle databases. Am I
> missing something? ... Or should something this obvious be available on
> Oracle's site? Can anyone provide links to such information?
>
> -----Original Message-----
> From: Joshua Wright [mailto:jwright@...borg.com]
> Sent: Wednesday, June 29, 2005 10:16 AM
> To: bugtraq@...urityfocus.com
> Subject: Auditing Privilged Oracle Passwords - hashattack
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've put together a tool that can be used to build a table of Oracle
> password hashes from a dictionary file for a designated username.
> Hashes are calculated by creating a user account similar to the target
> account to be audited and repeatedly changing the password with "ALTER
> USER" for each dictionary word, storing the hash for each password in a
> table.
>
> Once the table of hashes is built, a simple SELECT can be issued to
> determine if the password hash for a target user is a simple dictionary
> word:
>
> SQL> select h.username, h.password, h.hash
> 2 from hashattack h, dba_users d
> 3 where d.password = h.hash and h.username = 'SYS';
>
> USERNAME PASSWORD HASH
> - ---------- -------------------- --------------------
> SYS KILTPLEAT 2BBDC477FFB28563
>
> SQL>
>
>
> Written in PL/SQL, available at
> http://802.11ninja.net/code/hashattack-0.1.tgz,
> http://802.11ninja.net/code/hashattack-0.1.tgz.asc
>
> Comments, questions, concerns welcome.
>
> - -Josh
> - --
> - -Joshua Wright
> jwright@...borg.com
>
> 2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
> fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF
>
> Today I stumbled across the world's largest hotspot. The SSID is
> "linksys".
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
> LcY+tDFFcNAeMbsIg7YWe88=
> =L/x5
> -----END PGP SIGNATURE-----
>
Powered by blists - more mailing lists