Backtrack Oracle



The following short tutorial explains how to do a (limited) pentest against Oracle (8.1.7.4 to
10.2.0.2). This tutorial will be extended in the future…
The following tutorial explains how to do an Oracle pentest with Backtrack 2.0. I want to
thank the entire Backtrack-Team for this great collection of security tools and Max for the
collaboration.
Nowadays there are many Oracle 10g databases around. Oracle did a good (but not perfect) job
of hardening the database out of the box. Most tutorials still describe how to break the older
8i/9i databases, and most of the older tools do not work against the new 10g listener. We will
show how to connect to an Oracle database, decrypt Oracle passwords, hack the TNS listener
and escalate privileges.
Questions and comments are welcome.
Nov. 2006 - http://www.red-database-security.com 1 / 19


At a glance:
1. Find the Oracle database + port of the listener (with nmap/amap)
   nmap -v
2. Get the version number of the database (with tnscmd)
   tnscmd10g.pl version -h
3. Get the SID/servicename (with tnscmd or sidguess)
   tnscmd10g.pl status -h (unprotected listener)
   sidguess host= port= sidfile=sid.txt
4. Connect to the database (with sqlplus)
   sqlplus user/password@//:/
5. Check the database for weak passwords (with checkpwd)
   checkpwd user/password@//:/ default_password.txt
6. Hacking the TNS Listener with tnscmd10g.pl
7. Escalating Privileges via sqlplus
   a. dbms_export_extension
   b. more coming soon.
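Steps 2 and 3 leave traces a DBA can watch for: SID guessing shows up as a burst of TNS-12505/12514 "unknown SID/service" failures from one client, and a remote `status`/`version` against an unprotected listener shows up as a listener control command with a network address. The following script is an added detection example, not part of the tutorial; the listener.log layout it parses and the sample lines are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of an Oracle 10g listener.log (the exact
# layout is an assumption for this example; these are not lines from the tutorial).
SAMPLE_LOG = """\
21-NOV-2006 10:15:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=version)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51000)) * version * 0
21-NOV-2006 10:15:31 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51001)) * status * 0
21-NOV-2006 10:15:40 * (CONNECT_DATA=(SID=ORA8)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51002)) * establish * ORA8 * 12505
21-NOV-2006 10:15:40 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51003)) * establish * TEST * 12505
21-NOV-2006 10:15:41 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51004)) * establish * PROD * 12505
21-NOV-2006 10:15:42 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.77)(PORT=51005)) * establish * ORCL * 0
21-NOV-2006 10:16:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=ws2)(USER=alice))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.11)(PORT=40100)) * establish * ORCL * 12505
"""

HOST_RE = re.compile(r"\(ADDRESS=.*?\(HOST=([^)]*)\)")   # client address block
CMD_RE = re.compile(r"\(COMMAND=([^)]*)\)")               # listener control command
SID_ERRORS = {12505, 12514}  # TNS-12505/12514: listener does not know the SID/service

def parse_line(line):
    """Return (source_host, action, command, return_code) or None for non-entries."""
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) < 5 or not fields[-1].isdigit():
        return None
    addr = HOST_RE.search(line)
    cmd = CMD_RE.search(fields[1])
    return (addr.group(1) if addr else "local", fields[3],
            cmd.group(1) if cmd else None, int(fields[-1]))

def detect(log_text, threshold=3):
    """Flag hosts with repeated unknown-SID failures (SID guessing) and
    hosts that issued listener control commands over the network."""
    failed = Counter()
    commands = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, action, cmd, rc = rec
        if action == "establish" and rc in SID_ERRORS:
            failed[host] += 1
        elif cmd and host != "local":
            commands[host].append(cmd)
    guessing = {h: n for h, n in failed.items() if n >= threshold}
    return guessing, dict(commands)

if __name__ == "__main__":
    sid_guessing, remote_cmds = detect(SAMPLE_LOG)
    print("possible SID guessing:", sid_guessing)     # {'192.168.2.77': 3}
    print("remote listener commands:", remote_cmds)   # {'192.168.2.77': ['version', 'status']}
```

On a 10g listener with local OS authentication left at its default, the remote command lines should be rare, which is what makes them worth alerting on; a single failed connect from a workstation (as for 192.168.2.11 above) stays below the threshold.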
