[dbsec] Re: prevent remote user enumeration?

  • From: Zed Qyves <zqyves.spamtrap@xxxxxxxxx>
  • To: dbsec@xxxxxxxxxxxxx
  • Date: Thu, 8 Apr 2010 13:11:04 +0300

Hello,

From what I saw about ora-userenum.exe:
1) It is part of the Oracle Assessment Kit (OAK) collection of tools for auditing
Oracle databases.
2) It does not need credentials to connect to the db, hence the removal of
SELECT on ALL_USERS from PUBLIC didn't do you any good.
3) It is run as `ora-userenum <host> <port> <sid> <userlistfile>`. The last
param is a file containing a list of users to check for their existence.
Going through the source it is apparent that it initiates a login sequence
to the db with each of those users and, depending on some TNS packet
properties it receives back from the database server, it deduces whether it
is a valid username or not.

You can have a copy of OAK (including source code) from
http://www.databasesecurity.com/dbsec/OAK.zip.

Basically there is nothing you can do about it at the db level other than to
make sure that you don't give your users usernames that exist in this file :).

Best regards,

./ZQ
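Since the probing described above is a burst of failed logons under many different usernames from one client, it can at least be spotted in the database audit trail. The following is an added example (not from the post or from OAK) that assumes `AUDIT SESSION` is enabled so failed logons appear in `DBA_AUDIT_SESSION` with `RETURNCODE` 1017 (ORA-01017); the rows are constructed sample data in that view's shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (TIMESTAMP, USERNAME, USERHOST, RETURNCODE), the
# columns a defender would pull from DBA_AUDIT_SESSION. RETURNCODE 1017 is
# ORA-01017 (invalid username/password, also raised for non-existent users);
# 0 is a successful logon. Host names are made up for the example.
SAMPLE_AUDIT_ROWS = [
    ("2010-04-08 13:10:01", "SYSTEM",  "scanner.example.internal", 1017),
    ("2010-04-08 13:10:01", "OUTLN",   "scanner.example.internal", 1017),
    ("2010-04-08 13:10:02", "DBSNMP",  "scanner.example.internal", 1017),
    ("2010-04-08 13:10:02", "CTXSYS",  "scanner.example.internal", 1017),
    ("2010-04-08 13:10:03", "MDSYS",   "scanner.example.internal", 1017),
    ("2010-04-08 13:10:03", "SCOTT",   "scanner.example.internal", 1017),
    # A legitimate client mistyping one password, then succeeding.
    ("2010-04-08 13:12:00", "APPUSER", "app01.example.internal", 1017),
    ("2010-04-08 13:12:05", "APPUSER", "app01.example.internal", 1017),
    ("2010-04-08 13:12:10", "APPUSER", "app01.example.internal", 0),
]


def parse_rows(rows):
    """Convert the textual timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, host, rc)
            for ts, user, host, rc in rows]


def find_enumeration_hosts(rows, window=timedelta(seconds=60), threshold=5):
    """Return {host: sorted usernames} for every host that produced failed
    logons under at least `threshold` distinct usernames inside any span of
    length `window`. Repeated failures under one username (a typo) do not
    count; many different names from one client do."""
    failures = defaultdict(list)
    for ts, user, host, rc in parse_rows(rows):
        if rc == 1017:
            failures[host].append((ts, user))

    flagged = {}
    for host, events in failures.items():
        events.sort()  # chronological, so later events never precede `start`
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[host] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for host, users in find_enumeration_hosts(SAMPLE_AUDIT_ROWS).items():
        print(f"{host}: {len(users)} distinct failed usernames: {users}")
```

The same query shape works against the live view (`SELECT timestamp, username, userhost, returncode FROM dba_audit_session WHERE returncode = 1017`); a legitimate client failing once or twice under its own name stays below the threshold.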
