Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A new version of the Oracle password cracker woraauthbf is available

The Oracle password cracker woraauthbf written by Laszlo Toth has been updated and released as a new version 0.21R2 (The R2) is the new part, so even if you are running version 0.21 then please download the new release. The fix relates to a bug I found in 11g that if more than one user has the same password the cracker found the first occurance only. The bug fix corrects this. This is minor as the cracker could be used without error on the earlier database releases and its unlikely that many people are running 11g in production yet anyway.

A binary version of the cracker is available here and the source code here.

Thanks to Laszlo for a great useful free tool to help secure Oracle databases.

Slides from Pete Finnigan Oracle Security webinar available

This afternoon UK time, Morning time states side I gave a 45 minute webinar with Sentrigo around the subject of Oracle security, particularly around the issues with auditing, hacking and securing an Oracle database. I started out with a 10 - 15 minute demo of how real systems are hacked, this is based on extensive experience with reviewing real systems and the fact that the easiest way in is simply by using default accounts, badly designed features and easy to guess TNS settings. The rest of the slides are based on my two hour master class. The slides for this webinar are now available on my Oracle security white papers page.

This was my first webinar as a speaker, I have done podcasts before so that was good experience. It was enjoyable but slightly wierd to sit in your own office and simply talk into the phone with no reaction or feedback verbally and without seeing anyones face to see recations.

A new release of Inguma

Wow it's been a while since I had the chance to write blog entries. Business has really taken off and all my spare time is devoted to that at the moment, work, some admin, proposals, accounting......

Whilst this site is a good marketing tool for my business that has risen as a side effect of creating a lot of content over the years. The site existed before the company and also existed whilst i took a sabatical into salaried work as well some time ago so has always gone on and will always do so even if i work for a company of the same name and it helps promote me, i always treat it as a place to share information. I always enjoy researching and finding out new things about Oracle. I am still doing this day to day as part of real work (paid work) and also as part of internal projects but writing here has become hard to fit it, even answering all emails has become hard to fit in, but I am keeping a "todo" list for the blog. It's not dead!

The great tool written by Joxean Koret called Inguma has just been updated to version by Joxean. Whilst the tool is certainly much more than an Oracle security tool its got some great Oracle features, including the PL/SQL fuzzer. The latest version has fixed a lot of bugs and enhanced a lot of sections including the Oracle ones.

There are 5 new Oracle modules, 4 for the January 2008 CPU and one for the Oracle PL/SQL gateway flaw. Simply pass an IP Address and run "oragateway", the module will guess the DAD and use the bypass technique and open an SQL terminal.

Looks good, give it a download from here, the download page on the main site seems to get into a redirect loop.

Pete Finnigan is doing a live webinar on Oracle Security March 28th

I will be doing a live webinar on Oracle Security on March 28th in conjunction with Sentrigo. This is free and you can be registered at this link for this event.

The webinar is based on my 2 hour Oracle security masterclass and is a treatise on how to secure an Oracle database by performing an audit against the database. It covers why there are problems, how databases can be hacked and how they are hacked and then we discuss how to perform an audit of an Oracle database to locate the key issues that should be corrected to make your database secure.

Oracle security audit training in the Netherlands with Pete Finnigan

Oracle Security training in the Netherlands

I will provide a training course in Oracle Security on April 16/17 with a Dutch Oracle training company, Transfer Solutions (

This is my how to perform an Oracle security audit training course which teaches delegates how to plan and perform an Oracle security audit against an Oracle database and is being taught in conjunction with Transfer Solutions who were founded 12.5 years ago and now have 140 Oracle experts. They deliver Consultancy, Managed Services and Training, all on a very high quality.

For more information about this event go to: alternatley there is also a link on the Transfer Solutions home page . If you live and work in Holland or would like to travel to Holland for this training please contact Transfer Solutions for more details.