Penetration testing of ORACLE DATABASE

  • HARISHCHOWDHARY

    Hi Friends, I have recently been working on a security and penetration testing project. I am able to get the Admin Page of the application. There are a lot of ways to proceed further now; can you suggest some ways that are better than others? The database used is ORACLE and the application is developed in aspx.

    jschell wrote (#8):

    HARISHCHOWDHARY wrote:

    Now please suggest me the ways to get into the database and to bypass the authentication mechanisms so that I can suggest the improvements of the security features of the application under test.

    1. You can research that and buy books on the subject. 2. I would suggest that you tell your employer (presumably there is one) that you are not the best person to do this because real testing requires real and substantial knowledge. Without that, such testing is unlikely to be close to sufficient.

    • GuyThiebaut

      There is an obvious test to try - however I am not going to tell you because: (1) Anyone with any serious experience of databases will know about this. (2) If you are working on a security testing project and are having to ask this question then you should not be on that project. (3) As others have said, how can we trust your intentions? [edit] In your favour with regards to (1), I have come across a few 'experienced' DBAs who themselves have not heard about this 'feature'...

      Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
      Peter_in_2780 wrote (#9):

      GuyThiebaut wrote:

      this 'feature'...

      Oh, you mean xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ? ;P ;P Cheers, Peter

      Software rusts. Simon Stephenson, ca 1994.

      • Lost User

        How do we know your intentions are good?

        Unrequited desire is character building. OriginalGriff

        HARISHCHOWDHARY wrote (#10):

        This is the major drawback when we are talking to each other in a virtual environment: there is no button called "Trust Authentication". But I can only tell you to go through my profile on the internet (Facebook: Search Harry kaizen Ivon) if you feel like it, as I don't have any intentions check-o-meter to make someone believe that I am a good man with really good intentions to improve the holes in the systems. Thanks for a great question.

        • Lost User

          Nobody is going to provide this sort of information on a public forum, even if they have it.

          Unrequited desire is character building. OriginalGriff

          HARISHCHOWDHARY wrote (#11):

          If we do not share the information, then how can we avoid attacks? I know public forum is that kind of place to share that kind of information but we can find some other way.

            HARISHCHOWDHARY wrote (#12):

            I think you do not believe in Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)

              GuyThiebaut wrote (#13):

              I do! You just need to ask your question another 1,000,000,000,000,000,000 times and people will give you the answer - that's what I do and it always works ;) [edit] I think the reason why you have not had an answer so far is that the information you seek can be used to both protect and attack a system (that's why I won't give you the information)...

              Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
                HARISHCHOWDHARY wrote (#14):

                Can you suggest the names of the books, as I have a lot of them, but in case I missed an important one, it will be a great help. Thanks :)

                  Lost User wrote (#15):

                  The fact that you do not seem to understand the issues here speaks volumes about your suitability for the task you are asking about.

                  Unrequited desire is character building. OriginalGriff

                    HARISHCHOWDHARY wrote (#16):

                    Before asking you I had already asked 2*999,999,999,999,999,999 times :-D Thanks for your support mate. ;) Some hints would certainly help.

                      Pete OHanlon wrote (#17):

                      As others have pointed out, you aren't likely to get an answer here. There are two reasons: 1. Even if we believe that your intentions are good, this is a public forum which means that the answer is available for anybody to see; and we don't know their intentions. 2. Pen testing is a huge topic, best left to professionals. You can train in this side, and this might be your best option.

                      Forgive your enemies - it messes with their heads

                      "Mind bleach! Send me mind bleach!" - Nagy Vilmos

                      My blog | My articles | MoXAML PowerToys | Mole 2010 - debugging made easier - my favourite utility

                        Lost User wrote (#18):

                        Hi, I don't mean any disrespect... but if you have to ask these types of questions... maybe you should defer the security audit to a seasoned security professional. With that being said... some basics: 1.) Check for the Oracle default passwords. 2.) Implement an ASCII permutative brute force password scanner. You could probably scan for weak passwords <= 5 characters in a single day. 3.) Use the Metasploit framework to check for public vulnerabilities. 4.) Purchase a Zero-Day licence at one of the security research groups. I would recommend Vupen. Best Wishes, -David Delaune

                          HARISHCHOWDHARY wrote (#19):

                          Hi, Thanks for the help. Sometimes we have to ask this type of question to find a new approach. But I am grateful for your answer. With Warm Regards, Harish Chaudhary
