Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> OraBrute
(Message started by: Pete Finnigan on Jan 16th, 2007, 10:57am)

Title: OraBrute
Post by Pete Finnigan on Jan 16th, 2007, 10:57am
Pete,
Thanks for linking to my paper from your blog http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
and
http://www.ngssoftware.com/research/papers/oraclepasswords.zip
Please note that OraBrute is designed for a Security Auditor who is Blackbox testing and has no access to the hashes or the database previously. This fact distinguishes it from orabf and the other tools currently available.
Paul

Title: Re: OraBrute
Post by Pete Finnigan on Jan 16th, 2007, 2:49pm
Hi Paul,

Thanks for the update. My blog comments are aimed at an auditor (or a DBA) who would more likely be testing in an open mode and would have access to the hashes. I agree that its a blackbox test tool, I hope that came across in my comments as i implied access to the hashes.

cheers

Pete

Title: Re: OraBrute
Post by Pete Finnigan on Jan 16th, 2007, 6:24pm
Pete,
Also just to add if I may ~  the main thrust of the paper is that the Oracle Listener and DB allows very quick repeated Failed Logins as SYS AS SYSDBA, with differing passwords from different IPs indefinitely which makes the brute force via OraBrute feasible (along with the non-lockout and default config).
I have put an executive summary at http://orasec.blogspot.com/   which you also mentioned previously.
Thanks and Cheers,
Paul



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board