
Pete Finnigan's Oracle security weblog


A paper on how to find Oracle SID's

January 22nd, 2009 by Pete

One of my key aims in Oracle security is to reduce direct access to the database to as few people as possible in any organisation that I work with. I generally call this the "access issue", as it basically means that anyone who can find out the four pieces of information necessary (the hostname or IP address, the port number, the SID and a username/password) can log into the database. As we know, the IP address and port number can be found easily within an organisation using port scanners such as nmap or amap. We also know from experience of conducting database security audits for many years that usernames and passwords can be found easily (some are defaults, some arise from bad naming conventions). Passwords, in our experience, are even easier: we often find most of them very quickly because sites still set them to the username, a default or a simple dictionary word, or they are too short.

This is one of the key issues in Oracle security. The aim is to reduce the chance that anyone who should not do so can even attempt a direct connection to the database (remember that the number of people who should be able to do so should be very small). Whilst this does not fix Oracle security, it certainly reduces the risk: if you cannot get a connection, you cannot run anything or read anything. We of course also need to solve the problem of legitimate access. I talked about this subject at the UKOUG conference in my back to basics talk and also in my Oracle security masterclass. The presentations are available on my Oracle Security white papers page.

So the only piece of information that is slightly harder to find is the SID/service name. Alexandr Polyakov has written an excellent paper on how to find database SIDs. I have had a couple of email conversations with him over the last week or so and promised to post a link here to his paper. There are SID guess and SID brute force tools out there, but this is the first detailed discussion of how to find SIDs. The paper is called "Different ways to guess Oracle database SID".
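Seen from the defender's side, SID guessing leaves a trail in the listener log, because each wrong name is rejected with TNS-12505 (unknown SID) or TNS-12514 (unknown service). The following is an added example, not code from this post or from the paper: it assumes the classic text `listener.log` layout, uses constructed log lines, and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the classic text listener.log layout (assumed):
# timestamp * connect data * client address * event * SID/service * return code
SAMPLE_LOG = """\
22-JAN-2009 09:18:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=batch))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40112)) * establish * ORCL * 0
22-JAN-2009 09:19:40 * (CONNECT_DATA=(SID=ORCLL)(CID=(PROGRAM=sqlplus)(HOST=pc17)(USER=dba1))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.8)(PORT=40990)) * establish * ORCLL * 12505
22-JAN-2009 09:20:11 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51001)) * establish * TEST * 12505
22-JAN-2009 09:20:11 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51002)) * establish * PROD * 12505
22-JAN-2009 09:20:12 * (CONNECT_DATA=(SID=ORA9)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51003)) * establish * ORA9 * 12505
22-JAN-2009 09:20:12 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=x)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51004)) * establish * DEV * 12505
"""

# Client address, requested SID/service and return code of an "establish" event.
LINE_RE = re.compile(
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\)"
    r" \* establish \* (?P<sid>\S+) \* (?P<rc>\d+)\s*$",
    re.IGNORECASE,
)
# TNS-12505: listener does not know the SID; TNS-12514: does not know the service.
UNKNOWN_NAME_CODES = {"12505", "12514"}


def sid_guessing_sources(log_text, threshold=3):
    """Map each source address to the distinct unknown SIDs/services it asked for,
    keeping only sources that tried at least `threshold` different names."""
    rejected = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rc") in UNKNOWN_NAME_CODES:
            rejected[m.group("src")].add(m.group("sid").upper())
    return {src: sorted(names) for src, names in rejected.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for src, names in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} unknown SIDs requested: {', '.join(names)}")
```

A single rejected name, such as the mistyped `ORCLL` in the sample, stays below the threshold; a run of different names from one address does not.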

There have been 2 comments posted on this article

January 22nd, 2009 at 09:18 pm

Alexis Gil Gonzales says:

Hi Pete,

Very nice paper which tries to wrap-up ways to discover Oracle SID's. It could be completed with other well-known penetration methods. See for example the article "Identifying Oracle database installations during a network scan" by Mark Rowe (maybe you already mentioned it here).



January 23rd, 2009 at 09:26 am

Pete Finnigan says:

Hi Alexis,

Thanks for your comment. I know the excellent paper written by Mark as we worked together at the time at Pentest. It is a little old now, as it was written in 2001, but still a valuable paper. The getsids that is referenced there was the first tool by many years to try and enumerate SIDs, written by Patrik at cqure. Thanks for the reminder of the paper.




This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
