One of my key issues with Oracle security is to reduce the possible direct access to the database from as many people as possible in any organisation that i work with. I generally call this the "access Issue" as its basically means that anyone who can find out the four pieces of information necessary (The hostname{or IP Address}, Port Number, SID, USERNAME/PASSWORD) can log into the database. As we know the IP address and port number can be found easily within an organisation using port scanners such as nmap or amap. We also know from orldy experience of conducting database security audits for many years that usernames/passwords can be found easilly (some are defaults, some because bad naming conventions occur), passwords in our experience are even easier as we often find most passwords very easily because sites still set them to the username, a default, a simple dictionary word or its too short. This issue is one of the key issues in Oracle security. If you reduce the chance that anyone who should not do so (remember those that should do so should be very small) should not be able to attempt a direct connection to the database. Whilst this does not fix Oracle security it certainly reduces the risk. If you cannot get a connection you cannot run anything or read anything. We of course need to also solve the problem of the legitimate access use as well!. I talked about this subject at the UKOUG conference in my back to basics talk and also in my Oracle security masterclass. The presentations are available on my Oracle Security white papers page.
So the only piece of information that is slightly harder to find is the SID/Service name. Alexandr Polyakov has written an excellent paper on how to find database SID's. I have had a couple of email conversations with him over the last week or so and promised to ppost a link here to his paper. There are SID guess and SID brute force tools out there but this is the first detailed discussion on how to find SID's. This is an excellent paper called "Different ways to guess Oracle database SID"
A paper on how to find Oracle SID's
There has been 2 Comments posted on this article
January 23rd, 2009 at 09:26 am
Pete Finnigan says:
Hi Alexis,
Thanks for your comment. I know the excellent paper written by Mark as we worked together at the time at Pentest. It is a little old now, as it was written in 2001 but still a valuable paper. The getsids that is referenced there was the first tool by many years to try and enumerate SIDs written by Patrik at cqure. Thanks for the reminder of the paper
cheers
Pete
January 22nd, 2009 at 09:18 pm
Pete Finnigan says:
Hi Pete,
Very nice paper which tries to wrap-up ways to discover Oracle SID's. It could be completed with other well-known penetration methods. See for example the article "Identifying Oracle database installations during a network scan" by Mark rowe (maybe you already mentioned it here).
http://www.pentest.co.uk/documents/ora_db_on_network.htm
Regards,
Alexis