Re: Oracle Question Slightly OT

From: David Cravshaw (david.cravshaw_at_gmail.com)
Date: 06/29/05

  • Next message: Kurczaba Associates Advisories: "Mozilla Multiple Product JavaScript Issue" 
    Date: Wed, 29 Jun 2005 14:12:15 -0500
To: "Ginski, Richard J." <rginski@co.pinellas.fl.us>

    Oracle has some security specific information on the OTN page -
    http://www.oracle.com/technology/deploy/security/db_security/index.html
    One you may find particularly useful is the 9iR2 security checklist -
    http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
    (although I couldn't find this linked anywhere on that page...odd)

    Pete Finnigan, though, is propably the best reference for Oracle
    security information. He has a comprehensive list of Oracle security
    references here: http://www.petefinnigan.com/orasec.htm

    There have been several other good Oracle whitepapers including those
    written by AppSec, Inc
    (http://www.appsecinc.com/techdocs/whitepapers/research.html),
    Integrigy (http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf),
    and NGSSoftware (http://www.nextgenss.com/papers/hpoas.pdf).

    Happy reading!

    On 6/29/05, Ginski, Richard J. <rginski@co.pinellas.fl.us> wrote:
    > Forgive me for this being slightly off topic. We've checked Oracle's
    > site, including posting to their "Technology Network", and have yet to
    > find a best practices document for securing Oracle databases. Am I
    > missing something? ... Or should something this obvious be available on
    > Oracle's site? Can anyone provide links to such information?
    >
    > -----Original Message-----
    > From: Joshua Wright [mailto:jwright@hasborg.com]
    > Sent: Wednesday, June 29, 2005 10:16 AM
    > To: bugtraq@securityfocus.com
    > Subject: Auditing Privilged Oracle Passwords - hashattack
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > I've put together a tool that can be used to build a table of Oracle
    > password hashes from a dictionary file for a designated username.
    > Hashes are calculated by creating a user account similar to the target
    > account to be audited and repeatedly changing the password with "ALTER
    > USER" for each dictionary word, storing the hash for each password in a
    > table.
    >
    > Once the table of hashes is built, a simple SELECT can be issued to
    > determine if the password hash for a target user is a simple dictionary
    > word:
    >
    > SQL> select h.username, h.password, h.hash
    > 2 from hashattack h, dba_users d
    > 3 where d.password = h.hash and h.username = 'SYS';
    >
    > USERNAME PASSWORD HASH
    > - ---------- -------------------- --------------------
    > SYS KILTPLEAT 2BBDC477FFB28563
    >
    > SQL>
    >
    >
    > Written in PL/SQL, available at
    > http://802.11ninja.net/code/hashattack-0.1.tgz,
    > http://802.11ninja.net/code/hashattack-0.1.tgz.asc
    >
    > Comments, questions, concerns welcome.
    >
    > - -Josh
    > - --
    > - -Joshua Wright
    > jwright@hasborg.com
    >
    > 2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
    > fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF
    >
    > Today I stumbled across the world's largest hotspot. The SSID is
    > "linksys".
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
    > LcY+tDFFcNAeMbsIg7YWe88=
    > =L/x5
    > -----END PGP SIGNATURE-----
    >

  • Next message: Kurczaba Associates Advisories: "Mozilla Multiple Product JavaScript Issue"
    • Quantcast