Okay. So you have already set up your Oracle Database. Are you confident that it is appropriately secure from vulnerabilities and hacking attacks?
Now, with Oracle Database Attacking Tool or ODAT, you can secure your database remotely.
Some of the things that you could do with the Oracle Database Attacking Tool include:
- Discover a valid security identifier on a remote database by using brute force attack, a dictionary attack or using ALIAS of the listener.
- Look for Oracle accounts using a dictionary attack.
- Run system commands using Java, external tables, oradbg or DBMS_SCHEDULER.
- Transmit or receive HTTP requests from the Oracle Database server using UTL_HTTP or HttpUriType.
- Get files that are stored on the Oracle Database server via UTL_FILE, CTXSYS or external tables.
- Update or modify files in the database’s server by using DBMS_ADVISOR, DBMS_XSLPROCESSOR or UTL_FILE.
- Delete files in the database server by using UTL_FILE.
- Scan ports connected to the server (both remote and local servers) using UTL_TCP, UTL_HTTP or HttpUriType.
- Attack the CVE-2012-313 vulnerability, which is present in various versions of the Oracle Database Server. CVE-2012-313 is an authentication protocol and it has a security flaw that allows hackers to get the session key and salt. The hackers can change the system files or data. The vulnerability does not give the attacker control over which files may be modified. The scope of the attack is also very limited. It is, however, very easy to exploit this vulnerability and no authentication is required to do so. Moreover, such an attack can leak a lot of things about the cryptographic hash. This makes it very easy to do a brute force attack to get passwords. You can read more details about this here.
The tool is still in its development stage but there is already a version that you can use. You would need to have the following installed on your computer as well:
- Python 2.7
- Instant Oracle basic
- Instant Oracle software development kit
- The Python library cx_Oracle
- Several Python libraries are also recommended, including colorlog, termcolor, argcomplete and pyinstaller.
You can download the Oracle Database Attacking Tool at https://github.com/quentinhardy/odat. This is an open source tool.
It makes good practice to try to weed out vulnerabilities in your Oracle Database using this tool. This way, you can be sure that you have adequately secured your database and database server from these possible attacks. Imagine if a hacker has access to this tool and you happen to have a vulnerability that it can exploit, that is a massive amount of headache and stress that you could have easily avoided!
If you want to know more about the Oracle Database Attacking Tool, call Four Cornerstone at 1 (817) 377-1144 or fill out our contact form at //fourcornerstone.com/contact. We can help you understand what ODAT is all about and how to best use it to help you secure your Oracle databases. Our team of Oracle certified database experts would also be able to help you protect your databases!
Photo courtesy of quentinhardy from GitHub.