Pete Finnigan's Oracle Security Forum


    
      
        Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Internals >> Oracle username enumeration
        
(Message started by: Pete Finnigan on Nov 2^nd, 2005, 12:06pm)

Title: Oracle username enumeration
Post by Pete Finnigan on Nov 2^nd, 2005, 12:06pm

Hello,

I found it possible to remotely determine if a particular username is valid or not for a database instance. In order to do this i use the oracle client libraries.
I wrote a tool that seems to work against oracle 9 and 10.

I wondered about releasing that tool. Is there a public tool already out there doing this?

Title: Re: Oracle username enumeration
Post by Pete Finnigan on Nov 2^nd, 2005, 4:36pm

Bartavelle,

I'm not aware of such a tool. Did you look at the tools
collection of Pete (http://www.petefinnigan.com/tools.htm)?

regards,

Ivan

Title: Re: Oracle username enumeration
Post by Pete Finnigan on Nov 2^nd, 2005, 4:56pm

I did. I might publish that tool although it only work on linux x86 and needs the oracle client libs in a few weeks if i can't find evidence it has been done before ...

Title: Re: Oracle username enumeration
Post by Pete Finnigan on Apr 4^th, 2006, 10:18pm

Yes, it s possible even without using cli. libs. None released it. Take care.