Auditing Oracle

ATTACK

ADITYA K SOOD, A.K.A.

0KN0CK

Difficulty

Auditing Oracle

in a Production

Environment

This paper is based on real penetration testing of Oracle servers

on HP-UX systems and the way the auditor has to follow to

combat the stringencies that come in a way. We will dissect the

errors and the way to bypass them to conduct the tests.

U

WHAT YOU

WILL LEARN...

The user will learn about the

methodology and how to

conduct tests.

The user will learn about Oracle

Auditing Model.

The way to penetrate deep into

systems.

Overall Oracle deployment

and responsible behavior of

disclosing bugs.

WHAT YOU

SHOULD KNOW...

Understanding of Oracle

working and implementation.The

administration knowledge

of Oracle suit will be added

advantage.

Deployment of Oracle in a

production environment.

Knowledge of basic Oracle tools.

40

HAKIN9 6/2008

sually Oracle is used as a backend in

large production environments supporting

applications like SAP and other products.

The production environment is very critical

f rom company perspective and data is one of

the prime concerns that has to be protected.

That’s why most of the attackers try to hack the

databases to leverage maximum information.

We will specifically cover the penetration testing

of Oracle servers. The prime target is to test the

Oracle by using core techniques in a tactical way.

We will talk about core Oracle processes running

in a network and the way to audit it. The essential

point is to bypass the generic problems thereby

conducting a pure audit of an Oracle database.

Understanding Oracle Services

f rom Hacker's Perspective

The Oracle database is used in a distributed

way to support a number of data centric

applications. Being client server architecture the

main database is supported on the prime server

and all the other nodes communicate with it by

connecting to the Oracle server. For Example:

in SAP organization (i.e. System Application

Programming)...