TECH TRAINING 7 - Hacking and Hardening Oracle
Title: Hacking and Hardening Oracle
Trainers: Alexander Kornbrust (Founder, Red Database Security GmbH)
Capacity: 20 pax
Seats left: REGISTRATION CLOSED
Duration: 2 days
Cost: (per pax) MYR2899 (early bird) / MYR3299 (non early-bird)
Overview
This training is a crash course in Oracle security. Attendees will learn the latest techniques for pentesting Oracle databases (finding vulnerabilities, insecure configurations and passwords), analyzing (custom) PL/SQL applications for vulnerabilities, and hardening Oracle databases. Common attack techniques (Oracle rootkits and backdoors, Oracle Client attacks) and the appropriate countermeasures are also part of this training.
Day 1
* Introduction
* Oracle Basics (Oracle Architecture, Oracle Products, Oracle Features)
==> Exercise: connect to the database, use sqlplus, sqldeveloper
* Passwords
==> Exercise: Find passwords, crack Oracle database passwords
* SQL-Injection (Web, Database, C/S)
==> Exercise: Privilege Escalation via SQL Injection, Information Retrieval via SQL Injection
* Hacking mod_plsql
==> Exercise: Hack mod_plsql Apps
* Google Hacking for Oracle
==> Exercise: Find vulnerable websites with Google
* Hardening Oracle 10g R2
Day 2
* PL/SQL Programming Basics (Execute programs, read/write files)
==> Exercise: Create files, read files, execute programs, …
* PL/SQL-Source-Code Analysis
==> Exercise: Find Security bugs in PL/SQL code
* Oracle Client attacks
==> Exercise: modifying startup files, finding passwords, …
* IDS Evasion
==> Exercise: Bypass Snort and other Oracle IDS
* Oracle Rootkits & Backdoors
==> Install and detect RK
* Oracle Forensics
==> Exercise: Analyze log files, audit log
* Oracle Capture-The-Flag
Requirements:
* Laptop with Windows, Linux or MacOS
* Oracle Instant Client (http://www.oracle.com/technology/software/tech/oci/instantclient/index.html)
* Oracle SQL Developer (http://www.oracle.com/technology/software/products/sql/index.html)
* Web browser
Note: The BackTrack 2 CD could be used. BT2 contains an Oracle Instant Client and some Oracle tools.
About Alexander
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle Anti-hacker trainings and has given various presentations at security conferences such as Black Hat, Defcon, Bluehat, IT Underground and Syscan. Alexander has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has reported over 320 security bugs in different Oracle products.