   Pete Finnigan's Oracle Security Forum
   Author  Topic: OraBrute  (Read 5419 times)
Paul Wright
OraBrute
« on: Jan 16th, 2007, 10:57am »

Pete,
Thanks for linking to my paper from your blog http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
and
http://www.ngssoftware.com/research/papers/oraclepasswords.zip
Please note that OraBrute is designed for a Security Auditor who is Blackbox testing and has no access to the hashes or the database previously. This fact distinguishes it from orabf and the other tools currently available.  
Paul
« Last Edit: Jan 16th, 2007, 11:02am by Paul Wright »
Pete Finnigan
Re: OraBrute
« Reply #1 on: Jan 16th, 2007, 2:49pm »

Hi Paul,
 
Thanks for the update. My blog comments are aimed at an auditor (or a DBA) who would more likely be testing in an open mode and would have access to the hashes. I agree that it's a blackbox test tool, I hope that came across in my comments as I implied access to the hashes.
 
cheers
 
Pete

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
paulmwright
Re: OraBrute
« Reply #2 on: Jan 16th, 2007, 6:24pm »

Pete,
Also just to add if I may ~ the main thrust of the paper is that the Oracle Listener and DB allow very quick repeated Failed Logins as SYS AS SYSDBA, with differing passwords from different IPs indefinitely, which makes the brute force via OraBrute feasible (along with the non-lockout and default config).
I have put an executive summary at http://orasec.blogspot.com/   which you also mentioned previously.
Thanks and Cheers,
Paul
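
A defender-side illustration of the point in Reply #2, added here and not part of the original posts or of OraBrute: because the failed SYS AS SYSDBA logins can arrive from different IPs, the check counts failures per target account instead of per source address. The record layout, the threshold, the window and the function names are assumptions made for this example; only return code 1017 (ORA-01017, invalid username/password) is Oracle's.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT Oracle's native audit format):
# ISO timestamp, source IP, user, privilege, return code (1017 = ORA-01017).
SAMPLE = """\
2007-01-16T18:00:01 10.0.0.11 SYS SYSDBA 1017
2007-01-16T18:00:02 10.0.0.12 SYS SYSDBA 1017
2007-01-16T18:00:02 10.0.0.13 SYS SYSDBA 1017
2007-01-16T18:00:03 10.0.0.14 SYS SYSDBA 1017
2007-01-16T18:00:04 10.0.0.15 SYS SYSDBA 1017
2007-01-16T18:00:05 10.0.0.16 SYS SYSDBA 1017
2007-01-16T18:05:00 10.0.0.50 SCOTT NORMAL 1017
2007-01-16T18:09:00 10.0.0.60 SYS SYSDBA 0
"""

def parse(line):
    ts, ip, user, priv, rc = line.split()
    return datetime.fromisoformat(ts), ip, user.upper(), priv.upper(), int(rc)

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one account/privilege pair collects >= threshold failed
    logins inside the window, counted across ALL source IPs."""
    recent, active, alerts = {}, set(), []
    for line in filter(str.strip, lines):
        ts, ip, user, priv, rc = parse(line)
        if rc != 1017:                      # only failed authentications
            continue
        key = (user, priv)
        q = recent.setdefault(key, deque())
        q.append((ts, ip))
        while ts - q[0][0] > window:        # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in active:
            active.add(key)                 # alert once per burst
            alerts.append({"target": f"{user} AS {priv}", "at": ts,
                           "failures": len(q),
                           "source_ips": sorted({i for _, i in q})})
        elif len(q) < threshold:
            active.discard(key)
    return alerts

def max_failures_per_ip(lines):
    """What a per-source-IP counter would see for the same records."""
    fails = Counter(parse(l)[1] for l in filter(str.strip, lines) if parse(l)[4] == 1017)
    return max(fails.values(), default=0)
```

On the constructed sample, the per-account counter raises one alert for SYS AS SYSDBA, while the busiest single source IP shows only one failure, so a per-IP threshold would never fire.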