When you are working closely with a company, you may get direct access to the isolated
network to look for vulnerabilities. Regardless of where the system resides,
organizations should definitely be locking down their databases and remediating any
vulnerabilities found.
Oracle is a large company that built its business on enterprise databases. If a company
needs large databases with sensitive information, it may well have gone to Oracle. The
program oscanner that comes installed in Kali scans Oracle databases to perform
checks. The program uses a plug-in architecture to enable tests of Oracle databases,
including trying to get the security identifiers (SIDs) from the database server, listing
accounts, cracking passwords, and several other attacks. oscanner is written in Java, so it
should be portable across multiple operating systems. oscanner also comes with several lists,
including lists of accounts, users, and services.
Some of the files don't have a lot of possibilities in them, but they are starting points
for attacks against Oracle. As with so many other tools you will run across, you will
gather your own collection of service identifiers, users, and potential passwords as
you go. You can add to these files for better testing of Oracle databases. As you test
more and more systems and networks, you should be increasing the data possibilities
you have for running checks. This will, over time, increase the possibility of success.
Keep in mind that when you are running word lists for usernames and passwords,
you are going to be successful only if the username or password configured on the
system matches something in the word lists exactly.