Fri 19 Feb 2010
RMOUG presentation
Posted by Slavik under Oracle, OUG, security
I had a great time at RMOUG this year. I did one of my usual presentations about attack vectors on the database and how to defend against them. I think the presentation was well received and the attendees loved the demos – I mostly just demonstrate instead of going through slides.
One of my favorite demos is what I call “from nothing to DBA in 5 simple steps”.
Basically, I start with finding databases (using tools like nmap), guessing the SID, enumerating the usernames, attacking the password and then running one of the privilege escalation attacks. Of course, there are many other options, including attacking the listener instead or sniffing the network, but I find that this demo usually sets the right mood for the rest of the presentation.
In some of my next posts, I’m going to publish some of the scripts I wrote for the above demo, starting with a nice little script to enumerate and guess Oracle service names.
A picture of people arriving before the presentation…
2 Responses to “RMOUG presentation”

Great Presentation; about time RMOUG had something on security. I know that where I work they will never listen to “a DBA” about security. The SA (guys) know all – gesh! My friend asked me if I was afraid afterwards; response – “yes!”.
As I sit here reading my new and improved credit card agreement; they are removing themselves from all liability from hackers and loss of information. Is it time to go back in time to money under the mattress and cash only? ;-P