
Database Service Scanning

    November 26, 2008

    You have accessed a Unix box with the intention of hacking into an Oracle database. How do you know where the database software is installed and what it is called?

    Oracle databases can be distributed, parallel with many instances or stand alone.

    The Oracle installation creates a file called oratab which contains the details of the databases installed on the machine. It is used to start and stop databases during reboots and can also be used for controlling backups. The location of this file is not fixed: it can be in /etc or in /var/opt/oracle. The simplest way to find it is to run the following command:

    UNIX> find / -name oratab -print 2>/dev/null | more

    /etc/oratab

    However, running a find command is not a good idea if you are trying to avoid detection. Looking in /etc, /var/opt and /opt and their sub-directories is a good starting point instead.

    The oratab file should be world readable unless the dba or Unix admin has changed the permissions.

    UNIX> ls -al oratab

    -rw-rw-r-- 1 oracle root 676 Jul 16 14:47 oratab

    This file gives a list of ORACLE_SIDs and ORACLE_HOMEs. If OFA naming conventions have been used then the Oracle version can be gleaned as well, as it is included in the directory path. The important part is the ORACLE_SID, as this can be used to find out whether the database is running.

    The SQL*Net and Net8 configuration files, both on the server and on clients, can be used to find details of databases running on the server and elsewhere within the organisation. Details of these are shown in SQL*Net and Net8 Configuration.

    Checking the environment variables of a database user can also give us some information. At least the following should be set on a Unix / Linux system:

    • ORACLE_HOME – the location of the Oracle software.
    • ORACLE_SID – the name of the database you would like to access.
    • PATH – the standard PATH, which should include the path to the Oracle binaries.
    • LD_LIBRARY_PATH – the path for shared libraries, which should include the path to the Oracle shared libraries.

    One other way to find which databases are accessible is to look at what is running on the server using the Unix ps command. There are two things to look for here: actual database instances, or processes running against those instances where the user has been careless and put the username and password on the command line.

    Here is an example of how to see which database instances are running.

    UNIX> ps -ef | grep lgwr | grep -v grep | more

    oracle 654 1 0 10:37 ? 00:00:00 ora_lgwr_PENT

    This shows that there is one instance of Oracle running and that its database SID is PENT. Search for the string “lgwr”, as that is the identifier used for the Log Writer process. The Oracle RDBMS has a number of background processes that run all the time and control the database, and this is one of them. There are also a number of optional processes that may run. All of these processes use and communicate through an area of shared memory called the SGA (Shared Global Area).

    Details of the Oracle background processes, the SGA and the internal tables will be discussed in a paper available from Oracle Architecture soon.

    A useful exercise when hacking an Oracle database is to check users’ environments to see if any of them have created environment variables containing usernames and passwords.

    Another useful check is to see if anyone has started any scripts against the database with the username and password passed on the command line. You can see this with the following ps command:

    UNIX> ps -ef | grep ora

    root 617 1 - 39 10:37 tty1 00:00:00 login -- oracle
    root 618 1 - 39 10:37 tty2 00:00:00 login -- oracle
    oracle 625 617 - 39 10:37 tty1 00:00:00 -bash
    oracle 650 1 - 39 10:37 ? 00:00:00 ora_pmon_PENT
    oracle 652 1 - 39 10:37 ? 00:00:00 ora_dbw0_PENT
    oracle 654 1 - 39 10:37 ? 00:00:00 ora_lgwr_PENT
    oracle 656 1 - 39 10:37 ? 00:00:00 ora_ckpt_PENT
    oracle 658 1 - 39 10:37 ? 00:00:00 ora_smon_PENT
    oracle 660 1 - 39 10:37 ? 00:00:00 ora_reco_PENT
    oracle 662 1 - 39 10:37 ? 00:00:00 ora_s000_PENT
    oracle 664 1 - 39 10:37 ? 00:00:00 ora_d000_PENT
    oracle 690 625 - 39 10:41 tty1 00:00:00 sqlplus system/manager @doit.sql
    oracle 691 690 - 39 10:41 ? 00:00:00 oraclePENT (DESCRIPTION=(
    oracle 692 618 - 29 10:41 tty2 00:00:00 -bash
    oracle 740 692 - 29 10:45 tty2 00:00:00 ps -ef
    oracle 741 692 - 29 10:45 tty2 00:00:00 grep ora

    It can be seen that someone has started a script as the Oracle user SYSTEM and that the password is still the default one. This is a pretty silly example, but it is often the case that SQL scripts are run against Oracle databases with the username and password hard coded. Usually you need to write a shell script or cron job that checks the process list every minute or so to catch such a script while it is running, or do some homework and find out when batch jobs are due to run.

    The obvious next step is to search the whole machine or specific directories for scripts that contain Oracle usernames and passwords. These could be in any type of script: Bourne shell, ksh, Perl, SQL or even a binary. You can make a good guess by looking for the strings sqlplus or svrmgrl in whichever directories and files you wish.
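As an added defensive example (not code from the original post), the oratab, process-list and script checks described above can be turned into a host audit: list the SIDs registered in oratab, the instances actually running (spotted by their ora_lgwr_ process, as above), and any sqlplus or svrmgrl invocation, whether in the process list or in a script, that carries a user/password token, with the password masked in the report so the audit output does not leak it again. All inputs are constructed samples modelled on the listing in the post; the ORACLE_HOME paths in the sample oratab are assumptions.

```shell
# Added example, not part of the original post: a defender's audit of the
# exposures described above, run on constructed samples so it works offline.
# On a real host feed it 'ps -ef', the oratab file and the scripts to review.

# Constructed 'ps -ef' listing, modelled on the one in the post.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
oracle 650 1 0 10:37 ? 00:00:00 ora_pmon_PENT
oracle 654 1 0 10:37 ? 00:00:00 ora_lgwr_PENT
oracle 690 625 0 10:41 tty1 00:00:00 sqlplus system/manager @doit.sql
oracle 741 692 0 10:45 tty2 00:00:00 grep ora'

# Constructed oratab (SID:ORACLE_HOME:<Y|N>; '#' starts a comment). Paths assumed.
SAMPLE_ORATAB='# constructed oratab
PENT:/u01/app/oracle/product/10.2.0/db_1:Y
TEST:/u01/app/oracle/product/9.2.0:N'

# Constructed batch script with a hard-coded password.
SAMPLE_SCRIPT='#!/bin/sh
export ORACLE_SID=PENT
sqlplus -s system/manager@PENT @doit.sql'

# running_sids: SIDs of live instances, taken from the log writer process
# name ora_lgwr_<SID> (the same marker the post uses). Input: 'ps -ef' output.
running_sids() {
    awk '$8 ~ /^ora_lgwr_/ { sub(/^ora_lgwr_/, "", $8); print $8 }'
}

# oratab_sids: every SID registered in oratab, skipping comments and blanks.
oratab_sids() {
    awk -F: '/^[ \t]*#/ || NF < 2 { next } { print $1 }'
}

# flag_creds: print each input line that invokes sqlplus or svrmgrl with a
# user/password[@alias] token, masking the password so the report itself
# does not leak it. Works on 'ps -ef' output and on script text alike.
flag_creds() {
    awk '/sqlplus|svrmgrl/ {
        hit = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_$#]+\/[^@ ]+(@[^ ]+)?$/) { sub(/\/[^@ ]*/, "/*****", $i); hit = 1 }
        if (hit) print
    }'
}

# Demonstration on the samples.
printf '%s\n' "$SAMPLE_PS" | running_sids
printf '%s\n' "$SAMPLE_ORATAB" | oratab_sids
printf '%s\n' "$SAMPLE_PS" | flag_creds
printf '%s\n' "$SAMPLE_SCRIPT" | flag_creds
```

Any SID listed by oratab_sids but absent from running_sids is an installed but stopped instance; any line printed by flag_creds is a credential that should move into a wallet or a protected login file.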
