Your sensitive data is at risk. DBAs must be aware of these penetration tests and secure the database system.
Oracle Penetration Testing Methodology
- Locate a system running Oracle.
- Determine Oracle Version.
- Determine Oracle SID.
- Guess/Bruteforce USERNAME/PASS.
- Privilege Escalation via SQL Injection.
- Manipulate Data / Post Exploitation.
- Become DBA.
- Execute OS Code.
- Cover Tracks.
Several tools are used for Oracle penetration tests, but Metasploit and ODAT do the job.
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
Usage examples of ODAT:
- You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database.
- You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA.
- You have an Oracle account and want to execute system commands (e.g. a reverse shell) in order to move forward on the operating system hosting the database.
Starting ODAT on Kali Linux.
From the beginning it can be noticed that the database is vulnerable to TNS poisoning, and also the SID, which in our case is ORCL, the default one.
Starting TNS poisoning. The vulnerability affects the component called the TNS Listener, which is responsible for establishing connections. To exploit the vulnerability no privilege is needed, just network access to the TNS Listener. The vulnerable feature is enabled by default in all Oracle versions from Oracle 8i through Oracle 11g.
The attack is like a man-in-the-middle, because all the connections go through the attacker's box. The attacker can record all the data exchanged between the server and the client machine.
SOLUTION: If you set dynamic_registration_listener=off in your listener.ora file, you are completely protected against this TNS poison attack. This is not an option, however, if you are using Oracle DataGuard, RAC or the PL/SQL Gateway in connection with APEX.
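As an added example (not from the original post or from ODAT), the check below reads a listener.ora file and reports whether the listener named by the post's mitigation still accepts dynamic registration. The two listener.ora texts are constructed samples; the listener name LISTENER is Oracle's default and is an assumption, and the parameter is assumed to default to ON when absent, as Oracle documents.

```python
import re

# Constructed sample listener.ora (not taken from any real system):
# no DYNAMIC_REGISTRATION setting, so the default (ON) applies.
WEAK_LISTENER_ORA = """\
# listener.ora (constructed example)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1521))
    )
  )
"""

# Same file with the mitigation from the post applied: remote service
# registration is refused, only statically configured services are served.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
DYNAMIC_REGISTRATION_LISTENER = OFF
"""

_COMMENT = re.compile(r"#.*$", re.MULTILINE)


def dynamic_registration(listener_ora: str, listener_name: str = "LISTENER") -> str:
    """Return the effective DYNAMIC_REGISTRATION_<listener_name> value.

    Comments are stripped first, matching is case-insensitive, and the last
    assignment wins if the parameter is repeated. 'ON' is returned when the
    parameter is absent, because that is Oracle's documented default.
    """
    text = _COMMENT.sub("", listener_ora)
    pattern = re.compile(
        r"^\s*DYNAMIC_REGISTRATION_" + re.escape(listener_name) + r"\s*=\s*(\w+)",
        re.IGNORECASE | re.MULTILINE,
    )
    matches = pattern.findall(text)
    return matches[-1].upper() if matches else "ON"


def tns_poison_exposed(listener_ora: str, listener_name: str = "LISTENER") -> bool:
    """True when the listener still accepts dynamic (remote) registration."""
    return dynamic_registration(listener_ora, listener_name) != "OFF"
```

Run it against each listener named in your listener.ora; for DataGuard, RAC or APEX deployments, where the post notes this setting cannot be used, a result of ON is expected and other controls must be relied on.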
ODAT is a powerful tool for penetration tests, with many features.
From the tnscmd module to John the Ripper for cracking password hashes, Metasploit gives an attacker all the features needed.
For a DBA or the person responsible for security, it is very important to take all of these types of attack into consideration:
1. Brute-force (or not) cracking of weak or default usernames/passwords
2. Privilege escalation
3. Exploiting unused and unnecessary database services and functionality
4. Targeting unpatched database vulnerabilities
5. SQL injection
6. Stolen backup (unencrypted) tapes
cosmin.chauciuc [@] enisei.ro