Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 17th, 2017, 9:20pm
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Database Security
   Database Security
(Moderator: Pete Finnigan)
   Database Security issue
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Database Security issue  (Read 2751 times)
helena
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile | Email

Posts: 6
Database Security issue
« on: Jun 7th, 2007, 8:12pm »
Quote | Modify

Hi
 
We need to find a Unix command which will scan all unix files and let us
 
know which file is holding Database system password in encrypted format.
 
IP Logged
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Database Security issue
« Reply #1 on: Jun 8th, 2007, 10:04am »
Quote | Modify

hi Helana,
 
You would need to know in advance which encrypted format you are searching for. if we assume that you know this then its possible. If you dont know then the problem is not possible to solve as you dont know what you are looking for.
 
if you know you are searching for the SYSTEM users password as a database hash then you can do the following:
 
Assume SYSTEM password is MANAGER and hash is
 
Code:
SQL> select username,password
 2 from dba_users
 3 where username='SYSTEM';
 
USERNAME PASSWORD
------------------------------ ------------------------
SYSTEM D4DF7931AB130E37
 
SQL>

 
Then use  
 
Code:
# find / -name "*" -print | while read x
>do
> echo "file is $x";
> egrep -i  D4DF7931AB130E37 $x >>/tmp/pass.lis 2>/dev/null
>done

 
this should search all files and grep for the system password hash. If you want to search for the clear text password then substitute D4DF7931AB130E37 with MANAGER. If you want to search for another encrypted format then substitute that known string.
 
I have not tested this, its from memory as I dont have a Unix system here to try it on, but i am sure its correct.
 
cheers
 
Pete
>
« Last Edit: Jun 8th, 2007, 10:04am by Pete Finnigan » IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
isaez
PeteFinnigan.com Junior Member
**



Ivan

   
View Profile |

Gender: male
Posts: 76
Re: Database Security issue
« Reply #2 on: Jun 8th, 2007, 10:29am »
Quote | Modify

Helena, Pete,
 
The same as Pete but simplier (I hope):
 
 

find / -type f -print|xargs -i grep -il D4DF7931AB130E37 {} >>/tmp/pass.lis 2>/dev/null  

 
regards,
 
Ivan
IP Logged

regards,

Ivan
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Database Security issue
« Reply #3 on: Jun 8th, 2007, 1:33pm »
Quote | Modify

Thanks for your reply Ivan. I know this solution also but decided on the loop approach as it is simpler to understand.  
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
helena
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile | Email

Posts: 6
Re: Database Security issue
« Reply #4 on: Jun 11th, 2007, 4:19pm »
Quote | Modify

Hi
 
What if we need to search for a text string in files?  
 
IP Logged
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Database Security issue
« Reply #5 on: Jun 11th, 2007, 5:02pm »
Quote | Modify

Hi Helena,
 
you mean "some string i want to search for"?
 
if so simply add the string enclosed in double quotes where i showed the hash
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board