The easiest way to do this is the (free) command line interface sqlplus. More information about sidguess can be found on Ĭonnect to the database (with sqlplus) After collecting the IP-Address, port and SID/Servicename we are now able to connect to the Oracle database. In this case we can try to bruteforce / or dictionary attack the SID by using sidguess sidguess host= port= sidfile=sid.txtīacktrack Oracle Tutorial 1.10a Now we know that the SID of this database is XE and we have all the information which is necessary to connect to the database.
#Oracle 10g tutorial password#
In case of an Oracle 10g database (protected with local OS authentication) we are getting a different error message from the status commandįor security reasons Oracle is blocking status requests from external IP addresses in Oracle 10g or password protected 9i databases. If the Oracle 9i Listener is password protected we are getting the following error message from the status command We can use this value to connect to the Oracle database using sqlplus or checkpwd.
#Oracle 10g tutorial windows#
Now we know: Version: Operating System: Oracle_Home: Extproc installed: Ports:ĩ.2.0.1 Windows c:\oracle\ora (TNS), 2100 (FTP), 8080 (HTTP) This status command returns a lot of useful information like version number, OS, installation patch, SID, port, … The status command can be submitted with the following command: status –h In unprotected 8i/9i environments the easiest way to get this information is the status command. Without the knowledge of the SID it is not possible to connect to Oracle. The name of the SID/Service_name is mandatory for connecting to the database via OCI. Since Patchset 9.2.0.6 (with passwordprotection) or in Oracle 10g the listener does no longer return these values. 2 the listener always returned the SID/Servicename of the registered Oracle databases via the listener status command. version –hīacktrack Oracle Tutorial 1.10a Sample: Oracle 9i This string will always (also 10g) be returned even if the listener is password protected. This version string contains the Version, Patchlevel and Operating System of the TNS Listener. Get the Oracle version To identify the version and operating system we can get the version string from the Oracle TNS Listener. Both tools are installed on the Backtrack CD. We can use nmap or amap to identify the port where the TNS listener is running. From my experience most TNS listeners are listening on port 1521. By default this port is 1521 (sometimes also 1526) but for security reasons some DBAs are changing the default port to a different port. more coming soon.įind TNS Listener Port The first step in doing an Oracle security pentest is to identify the TNS Listener Port of the Oracle database.
Check the database for weak passwords(with checkpwd) checkpwd user/ //:/ default_password.txt 6. Connect to the database (with sqlplus) sqlplus user/ //:/ 5. Get the SID/servicename (with tnscmd or sidguess) status –h (unprotected listener) sidguess host= port= sidfile=sid.txt 4. Get the version number of the database (with tnscmd) version –h 3. Find the Oracle database + port of the listener (with nmap/amap) nmap –v 2. Questions and comments are welcome.Īt a glance: 1.
#Oracle 10g tutorial how to#
We will show how to connect to an Oracle database, decrypt Oracle passwords, hack the TNS listener and escalate privileges. Most of the older tools are not working against the new 10g listener. Most tutorials still describe how to break older 8i/9i databases. Oracle did a good job (but not a perfect) hardening the database out of the box. Nowadays there are many Oracle 10g databases around. I want to thank the entire Backtrack-Team for this great collection of security tools and Max for the collaboration. This tutorial will be extended in the future… The following tutorial explains how to do an Oracle pentest with Backtrack 2.0. & Oracle The following short tutorial explains how to do a (limited) pentest against Oracle (8.1.7.4 – 10.2.0.2).
0 kommentar(er)
