The Oracle Hacker's Handbook Book Review
by David Litchfield
4 Stars
Required Reading for Breaking into Oracle Databases
I've been doing some Oracle research, and of course this is the only book on the market that really covers breaking into Oracle, with the exception of The Database Hacker's Handbook, which came out in 2005. Justin Clarke's (and others') SQL Injection book, published in 2009, also covers some Oracle material, but not enough to make this book obsolete.
I bought this book immediately when it came out in 2007 (yeah I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone that didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general I attacked the book again, focusing on SQL Injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system.
The author is well known in the security industry and one of only a handful of Oracle Security "experts", so the skill level was definitely there.
Breakdown of the Chapters:
Introduction.
Chapter 1 Overview of the Oracle RDBMS.
Chapter 2 The Oracle Network Architecture.
Chapter 3 Attacking the TNS Listener and Dispatchers.
Chapter 4 Attacking the Authentication Process.
Chapter 5 Oracle and PL/SQL.
Chapter 6 Triggers.
Chapter 7 Indirect Privilege Escalation.
Chapter 8 Defeating Virtual Private Databases.
Chapter 9 Attacking Oracle PL/SQL Web Applications.
Chapter 10 Running Operating System Commands.
Chapter 11 Accessing the File System.
Chapter 12 Accessing the Network.
Appendix A Default Usernames and Passwords.
I think most of the background chapters are "adequate" and the exploitation chapters are very good. At the time of publishing the author released code for vulnerabilities that were brand new. I do have issues with Chapter 5 Oracle and PL/SQL. I think the coverage of PL/SQL is only adequate if you already know PL/SQL. It took me going and reading a lot of other material on the net about PL/SQL to understand things that are glossed over in the chapter. The chapter is good and covers tons of material, but from an attacking Oracle perspective more time should have been spent on teaching the reader how to use the "describe" package option in PL/SQL to describe the package to learn how to craft your queries correctly, as well as how to research and write your own SQL Injection queries based on published vulnerabilities. More coverage on default privileges and roles would have been useful as well. Again, if you have been an Oracle DBA, you understand this already. If you are an Oracle security researcher, you know this already. If you are a pentester trying to get some Oracle under your belt, you'll have to go pick up another book or hit the internet to get the background material.
The other chapters are good and they cover their stated topics. More examples would have been nice, of course. A couple of times we are told to check out the Oracle coverage in The Database Hacker's Handbook. That's just frustrating. While I'm not a huge fan of republishing materials, if information is needed to understand or better understand a topic then include it; it's not like OHH was "running long", it's very slim for a security book.
What knocked the book down to 4 stars was when I went and read the Oracle sections of The Database Hacker's Handbook and it had material that wasn't included in OHH. Given the "slimness" of the book, it wouldn't have hurt the book to reproduce the content from DHH as it is relevant and helps explain the concepts better than the coverage in OHH.
source code download location
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOW...

Comments
Additional resources to consider
Hi all,
I am used to having Alexander Kornbrust as a regular OraGuru advisor for my company (Germany); his site is a nice source of info:
http://www.red-database-security.com/
Especially his presentation decks contain a huge amount of tips & tricks:
http://www.red-database-security.com/whitepaper/presentations.html
Additionally I use these sites for info:
http://www.petefinnigan.com/
http://www.idevelopment.info/
http://www.vttoth.com/oracle.htm
http://www.dsecrg.com/
http://www.digilife.be/quickreferences/QRC/ORACLE%20Server%20Architectur...
Best Regards. TT
Good review
Sounds like a fair review. In my opinion the set of hackers handbooks are some of the most informative books on the market. OHH and DBHH are a must for anyone considering pen testing Oracle.
Intro Oracle book
If you could give me the title of the Oracle intro book, I would really appreciate that. Thanks!
If it is not too much trouble
If it is not too much trouble I would like to know the title of the intro book too. Thanks for the other books/links.
hey thanks for the
hey thanks for the responses.
from the pl/sql perspective i bought the pl/sql book from apress
http://www.amazon.com/Beginning-PL-SQL-Novice-Professional/dp/1590598822/
also several Internet pl/sql tutorials
http://infolab.stanford.edu/~ullman/fcdb/oracle/or-plsql.html
was one i could immediately find.
I also bought an intro to oracle book (don't remember which one); if you are really interested let me know and i'll find it at home.
Good book, but a little rough in the edges
It's definitely one of the most detailed books from a security perspective on Oracle, but it is a little rough on the edges here and there. Also keep in mind that it contains errors, when you really delve into TNS and start analysing it with Wireshark. Some of the packet sequences which Litchfield describes in the book are not what I've seen in the wild when running his own accompanying tools. Still, his tools are the fastest brute forcers around, due to clever connection reuse. It is still on my todo list to implement it for the Metasploit modules some day.
I am very interested in which resources you found useful to understand PL/SQL better from a pentester perspective. I'm lacking some PL/SQL knowledge as well and I agree with you that it makes some parts of the book hard to read.
Overall a good review!