Chapter 2
Current State of the Art
This chapter is designed to give you the advice you need in order to protect your systems. Please do not use this information for negative purposes. The information is relevant to current production systems as of this writing, which means mainly 10.2 through 11.2. In later chapters we delve further into newer 12c research, which will be relevant moving forward.
Google Hacking tnsnames.ora
Similar to domestic burglary, a large percentage of electronic hacks are opportunistic, and googling for tnsnames files fits into this category. It is easier than port scanning and, depending on intention, is not strictly against the law, whereas port scanning arguably is. The following URL searches for files with the extension .ora that also contain the word tnsnames:
www.google.co.uk/#q=filetype:ora+tnsnames
After finding a tnsnames.ora file, an attacker would attempt a single default password per common default account. This is done with an EZCONNECT connection string derived from the tnsnames.ora entries, as in the following examples. A single attempt is unlikely to lock the account but has a high chance of success.
dbsnmp/dbsnmp@warehouse.xxx.edu:1521/DWHS
perfstat/perfstat@warehouse.xxx.edu:1521/DWHS
wksys/change_on_install@warehouse.xxx.edu:1521/DWHS
Then select the SYS password hash and crack it offline using John the Ripper, a password-guessing tool from www.openwall.com. The following query retrieves the password hash:
Select password from sys.user$ where name='SYS';
And the following command invokes John the Ripper on the saved hash to derive the password:
root@orlin $ ./run/john ./hashes.txt
Only a very low skill level is required for this attack, but it has a high probability of gaining SYS privileges on a large number of development and production boxes globally, as well as announcing oneself to a number of global honeypots. I suggest taking my word for this and not trying it at home, just in case there is a knock at the door.
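The defender's counterpart to the sequence above, added here as an example rather than taken from the book: list the accounts that still carry an Oracle-supplied default password, check whether the lockout limit would ever trip on single guesses, lock or expire what is not needed, and look for the failed-login trail such guessing leaves. It assumes 11g or later (the DBA_USERS_WITH_DEFPWD view), a DBA session, and that session auditing is enabled; DBSNMP is used as the sample account to remediate.

```sql
-- Added example, not from the book. Assumes Oracle 11g+ and a DBA session.

-- 1. Accounts whose current password matches a known Oracle default,
--    together with their status and password profile.
SELECT d.username,
       u.account_status,
       u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Lockout threshold per profile. UNLIMITED means the "one guess per
--    default account" pattern described above never locks anything.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS';

-- 3. Remediation for an account that step 1 flagged and that is confirmed
--    unused (DBSNMP shown as the sample; repeat per flagged row).
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Make repeated single guesses trip a lock: 10 failures, locked 1 day.
ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 10 PASSWORD_LOCK_TIME 1;

-- 5. Failed logons (ORA-01017, return code 1017) in the standard audit
--    trail. Assumes AUDIT SESSION is on and audit_trail is DB or DB,EXTENDED.
SELECT username, userhost, timestamp
  FROM dba_audit_session
 WHERE returncode = 1017
 ORDER BY timestamp DESC;
```

Locking DBSNMP breaks Enterprise Manager agent monitoring where it is in use; in that case change its password with ALTER USER instead of locking it.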