Thread: Oracle Security Presentation Help?

  1. #11
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    I already tried that. The Scott/Tiger account has been locked and expired on Oracle 10g.

    And Secunia says Oracle 10g is great! (Security-wise)

    By "hack" he means "Obtain DBA Access from a remote computer on the network"....

    Also, I know Oracle isn't 100% right out-of-the-box, so I know there must be a way around the username/password problem.

  2. #12
    Senior Member
    Join Date
    Feb 2008
    Posts
    681

    Quote Originally Posted by >Dart> View Post

    Also about the forums, I'm not trying to make "assumptions" on people helping me, and I don't know if I'll get an answer for sure here, but I sure can try.
    No I was saying that we would have to assume, that what you were saying was true.

    Anyway I thought I cleared this up. I didn't mean it, seriously.

    I was just demonstrating what kind of reaction you may get.

    Fortunately I was wrong. I'm sorry if you take offence.
    hehe...

  3. #13
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by >Dart> View Post
    I already tried that. The Scott/Tiger account has been locked and expired on Oracle 10g.

    And Secunia says Oracle 10g is great! (Security-wise)

    By "hack" he means "Obtain DBA Access from a remote computer on the network"....

    Also, I know Oracle isn't 100% right out-of-the-box, so I know there must be a way around the username/password problem.
    Mr Google says when searching for "Oracle 10g exploits".

    http://www.red-database-security.com..._exploits.html
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #14
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    It's OK, .lonewolf. I forgive you. I'm new to the forums, trying to make friends and fit in and such.

    I've been on that Red database site before, but somehow I missed that page. I'll check it out ASAP!

    EDIT:

    OK, I checked out all of that code on the Red Database website... I bet our version of Oracle is old and is missing those patches... bad part is you NEED to already have a SQL account (I think), then you can bump it up to DBA....

    Now I'm back to square 1... trying to get into an Oracle account from SQLPlus.....

    It's almost time for class but I'll just tell the Professor I haven't figured it out yet... maybe I might find something this week for next Thursday.

    EDIT 2:

    OK everyone, I finally think I'm on to something. I just finished class... we had a lot of fun with REVOKE and GRANT in Oracle... Then when I got done I started playing with BT on cracking Oracle again. I dug open OAT on BT2 and found opwg.sh (wonder how I missed it). I made a .txt file under /tmp for my passfile and one for my userfile with my info I have on the class server for my user. I pulled the IP and from TNSNames, I entered in the server SID and WHAM! It started to process.

    Now as soon as it started it stopped and threw a big error in my face: "Could Not Load JBCD Driver....."

    Now I looked into it more and the set of OAT tools is Java based. I talked to my teacher about it and found out that BT does "not" come with Java (we tried "java -v" and got "Could not create the JAVA VM").

    So I think I need Java running on BT before I run it.

    So does anyone have a .iso of BT with Java? Or can someone who has done it before give me a quick tut on how to install it, to save me some time? I'll research it more tomorrow (if I have time).

    Thanks.
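
Added example, not part of any post in this thread: the server-side view of the password-guessing run described in post #14, as Oracle SQL a DBA of such a class server could use to check account state and spot repeated failed logons. It assumes the `AUDIT_TRAIL` initialization parameter is set to `DB`; the lockout limits and the alert threshold are constructed sample values.

```sql
-- Added example, not from the thread. Run as a DBA on the server being defended.
-- Assumes AUDIT_TRAIL=DB so that audit records are visible in DBA_AUDIT_SESSION.

-- 1. Confirm which accounts are usable at all. Shipped demo accounts such as
--    SCOTT should show EXPIRED & LOCKED, as post #11 reports for 10g.
SELECT username, account_status, profile
FROM   dba_users
ORDER  BY account_status, username;

-- 2. See who already holds the DBA role, the access level named in post #11.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 3. Lock an account after repeated bad passwords.
--    The limits are constructed sample values.
ALTER PROFILE default LIMIT
  failed_login_attempts 5
  password_lock_time    1;      -- unit is days

-- 4. Record every failed logon attempt.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 5. Report client hosts with many failures in the last hour.
--    RETURNCODE 1017 = ORA-01017 (invalid username/password),
--    RETURNCODE 28000 = ORA-28000 (the account is locked).
SELECT userhost,
       terminal,
       COUNT(*)                 AS failures,
       COUNT(DISTINCT username) AS accounts_tried,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_session
WHERE  returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1/24
GROUP  BY userhost, terminal
HAVING COUNT(*) >= 10           -- constructed alert threshold
ORDER  BY failures DESC;
```

A run that cycles a userfile and a passfile against the listener shows up in the last query as one `userhost` with a high `failures` count.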

  5. #15
    Senior Member
    Join Date
    Feb 2008
    Posts
    681

    Quote Originally Posted by >Dart> View Post
    It's OK, .lonewolf. I forgive you. I'm new to the forums, trying to make friends and fit in and such.

    I've been on that Red database site before, but somehow I missed that page. I'll check it out ASAP!

    EDIT:

    OK, I checked out all of that code on the Red Database website... I bet our version of Oracle is old and is missing those patches... bad part is you NEED to already have a SQL account (I think), then you can bump it up to DBA....

    Now I'm back to square 1... trying to get into an Oracle account from SQLPlus.....

    It's almost time for class but I'll just tell the Professor I haven't figured it out yet... maybe I might find something this week for next Thursday.

    EDIT 2:

    OK everyone, I finally think I'm on to something. I just finished class... we had a lot of fun with REVOKE and GRANT in Oracle... Then when I got done I started playing with BT on cracking Oracle again. I dug open OAT on BT2 and found opwg.sh (wonder how I missed it). I made a .txt file under /tmp for my passfile and one for my userfile with my info I have on the class server for my user. I pulled the IP and from TNSNames, I entered in the server SID and WHAM! It started to process.

    Now as soon as it started it stopped and threw a big error in my face: "Could Not Load JBCD Driver....."

    Now I looked into it more and the set of OAT tools is Java based. I talked to my teacher about it and found out that BT does "not" come with Java (we tried "java -v" and got "Could not create the JAVA VM").

    So I think I need Java running on BT before I run it.

    So does anyone have a .iso of BT with Java? Or can someone who has done it before give me a quick tut on how to install it, to save me some time? I'll research it more tomorrow (if I have time).

    Thanks.
    Thanks >Dart> Everything's cool then.

    I'm also relatively new here and I don't want to make too many enemies, if possible.

    I'm glad to see you making some progress with your project.

    The BT3 Beta USB extended version comes with Java installed as default. I'm not sure if the BT3 CD version does, as well, but I'm guessing that it does.

    To check what Java version you have, if any, use this command in a terminal:
    Code:
    java -version
    I hope someone helps you more with your project.

    Peace
    hehe...

  6. #16
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by >Dart> View Post
    So does anyone have a .iso of BT with Java? Or can someone who has done it before give me a quick tut on how to install it, to save me some time? I'll research it more tomorrow (if I have time).
    Search the forum.. I believe there is an LZM for Java floating around that you could use, loading it from a USB stick or from the net when you are running the live disk.
    dd if=/dev/swc666 of=/dev/wyze

  7. #17
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    OK... I've spent some time poking around the forum, and I could not find an LZM of Java. shamanvirtuel did say he had one but it was on his website which is done.

    I'm still looking.... Also, I can't really find a good introduction to "modules", which I think LZMs are? Can anyone suggest a good thread or resource?

  8. #18
    Senior Member
    Join Date
    Feb 2008
    Posts
    681

    How's things >Dart>

    To install Java, try this:

    Code:
    bt ~ # slapt-get --update
    Retrieving package data [http://darkstar.ist.utl.pt/slackware...2.0/]...Cached
    Retrieving patch list [http://darkstar.ist.utl.pt/slackware/slackware-12.0/]... Done
    Retrieving checksum list [http://darkstar.ist.utl.pt/slackware...-12.0/]...Done
    Retrieving checksum signature [http://darkstar.ist.utl.pt/slackware...-12.0/]...Done
    Verifying checksum signature [http://darkstar.ist.utl.pt/slackware...re-12.0/]...No key for verification
    Retrieving ChangeLog.txt [http://darkstar.ist.utl.pt/slackware...-12.0/]...Done
    Reading Package Lists...Done
    bt ~ # slapt-get -i jre
    Reading Package Lists... Done
    jre is up to date.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    
    Done
    bt ~ # java -version
    java version "1.6.0_02"
    Java(TM) SE Runtime Environment (build 1.6.0_02-b05)
    Java HotSpot(TM) Client VM (build 1.6.0_02-b05, mixed mode, sharing)
    bt ~ #
    This is a good introduction to Modules:
    Module creation and installation - A video tutorial by balding_parrot

    Hope this helps
    hehe...

  9. #19
    Member s1lang's Avatar
    Join Date
    Sep 2007
    Posts
    189

    For what .lonewolf has kindly provided above to work, you'll need to update your slapt-get config file to set where it looks on the internet for the downloads.

    All the info is in this thread
    http://forums.remote-exploit.org/sho...ighlight=slapt
    read through it

  10. #20
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    Hey everyone, just a little update. I haven't been able to work on Oracle lately; I've been busy with my Programming class and my Ag. Mechanics class (we're working on plumbing). I haven't taken a shot at Java yet... but once I get all this homework done and get to my Oracle class I'll let everyone know what's up!
