|
||
|
Title: OraBrute Post by Pete Finnigan on Jan 16th, 2007, 10:57am Pete, Thanks for linking to my paper from your blog http://www.ngssoftware.com/research/papers/oraclepasswords.pdf and http://www.ngssoftware.com/research/papers/oraclepasswords.zip Please note that OraBrute is designed for a Security Auditor who is Blackbox testing and has no access to the hashes or the database previously. This fact distinguishes it from orabf and the other tools currently available. Paul |
||
|
Title: Re: OraBrute Post by Pete Finnigan on Jan 16th, 2007, 2:49pm Hi Paul, Thanks for the update. My blog comments are aimed at an auditor (or a DBA) who would more likely be testing in an open mode and would have access to the hashes. I agree that its a blackbox test tool, I hope that came across in my comments as i implied access to the hashes. cheers Pete |
||
|
Title: Re: OraBrute Post by Pete Finnigan on Jan 16th, 2007, 6:24pm Pete, Also just to add if I may ~ the main thrust of the paper is that the Oracle Listener and DB allows very quick repeated Failed Logins as SYS AS SYSDBA, with differing passwords from different IPs indefinitely which makes the brute force via OraBrute feasible (along with the non-lockout and default config). I have put an executive summary at http://orasec.blogspot.com/ which you also mentioned previously. Thanks and Cheers, Paul |
||
|
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |