Oracle Hacker's Handbook Book Review

The Oracle Hacker's Handbook Book Review

by David Litchfield

4 Stars

Required Reading for Breaking into Oracle Databases

I've been doing some Oracle research, and of course this is the only book on the market that really covers breaking into Oracle, with the exception of The Database Hacker's Handbook, which came out in 2005. Justin Clarke's (and others') SQL Injection book published in 2009 also covers some Oracle material, but not enough to make this book obsolete.

More on reDuh

A bit more on SensePost's reDuh.

SensePost's page on it: http://www.sensepost.com/research/reDuh/

reDuh comes with reDuh.jsp, .aspx, and .php pages. Work your magic to upload the page to the remote server. Once it's there you can connect to it with the reDuh client.

Failing the Test of Trust (guest post By Timelord)

In early 2009 a client contacted me for a penetration test to fulfill their PCI obligation. In the past, pentests with this organization were limited in scope to the web application. Thanks to a previous round of pentests, plus a clued-in developer/admin/security staffer, all of the typical low-hanging fruit for a web app assessment was not found. Minor issues were found in the past, but they were pretty much useless for leading to an actual penetration, even in conjunction with other issues. Such issues were only useful in padding the report. (The world will certainly end due to the high-severity "traceroute to host", for instance.)

Creating wordlists with JTR

Nothing new, probably covered elsewhere, but useful to revisit (maybe)... at least for my notes.

We had to try to bruteforce the ColdFusion admin password on a past pentest (more on that in another post -- still testing the new MSF ColdFusion modules). After trying my popular passwords (short) list I came up with nil, so I decided to use some words from the site we were trying to break into and use john to mangle the list up for some additional passwords to try.

You start with your initial list of words (you can also use CeWL http://www.digininja.org/projects/cewl.php to generate a site-specific wordlist for you).

You then throw them into John and have the rules file mangle them.

Why I hate web app pentesting...

Anyone who knows me knows I'm not a fan of web apps, and here's why. They might notice that...

Google ordered to deactivate a gmail account because of bank screw up

Ummm what???!!!

http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=1...

http://www.wired.com/threatlevel/2009/09/judge-closes-gmail-account/

Cue another... what happened to the dumbass employee?

More obvious questions:

Why was any information of that sort being sent to ANY gmail account???!!!

Why wasn't that information encrypted???!!!

Once again the more serious issues of the case are being completely overlooked.

Like the end of the first article mentions, what a horrible precedent is about to get set, where I can send you some proprietary or sensitive info and you then get your email account deactivated or get taken to court because of my mistake. Something is definitely not right there.

Busy, Con-Prep, Excuses...

While I can't speak for anyone else, I've been slacking but busy.

Brucon is coming up. Joe and I will be teaching the Crash Course in Penetration Testing workshop on Wed/Thurs then I'll be speaking on Open Source Information Gathering on Saturday. So I've been busy preparing for both of those.

http://www.brucon.org/index.php/Main_Page

Training detail: http://www.brucon.org/index.php/Training_1

Hopefully some actual content coming up soon :-)

Thoughts on Heartland/Hannaford/7-eleven breaches

Good write-up by Rich Mogull about the Hannaford, Heartland, 7-Eleven, and the other 2 retailers' breaches:

http://securosis.com/blog/heartland-hackers-caught-answers-and-questions/

And the actual indictment:

http://voices.washingtonpost.com/securityfix/heartlandIndictment.pdf

I'm sure A LOT of the technical details are lost, but I'm left wondering how these guys went from SQL injection on a public-facing website to internal pwnage. Who set up that network? And how did that even vaguely pass any common-sense network design check?

I can understand the AV evasion, because most AV sucks and it's easy to evade.

Release of the Tor Backdoor

Hello all,

It took me a week to recover from Vegas, but I am here now, and I am releasing the Tor Backdoor talked about in Vegas. It is a bit rudimentary, but it is also very nice if you want to hide.

I hope people find it useful, if nothing else as a place to start for a more robust backdoor.

http://blog.attackresearch.com/publications/metaphish/Alpha_tor_shell.ta...

What this gives you:
1) an encrypted command and control channel out of the victim network
2) anonymity; no one knows who is controlling the client
3) cross-platform; works on Unix if Mono is installed
   a) default on Ubuntu/Debian

Email me with questions: dkerb@attackresearch.com.

Quick Oracle/MSF Notes

A couple of notes on the Metasploit Oracle mixin, since I keep getting emails.

Install instructions are here:
http://trac.metasploit.com/wiki/OracleUsage

The Oracle mixin thus far DOES NOT work with Windows. If you get it working, please let me know.

The Oracle mixin thus far DOES NOT work with Ruby 1.9.1.

The libs we used are not compatible with Ruby 1.9.1. So far I haven't been able to figure out the proper mix of development libs (ruby-dbi, ruby-oci8) to get it working. If you figure it out, you'll be my new best friend.

There is a walkthrough in the Black Hat whitepaper:
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-Orac...

Slides are here:
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-Orac...