Re: Interesting Hack

• From: Seth Miller <sethmiller.sm@xxxxxxxxx>
• To: "McPeak, Matt" <vxsmimmcp@xxxxxxxxxx>
• Date: Thu, 10 Jul 2014 14:24:11 -0500

It depends on the length and complexity of the password used. Any
combination of eight characters or less is sitting in a rainbow table you
can download right now and is already cracked. Longer passwords without
sufficient complexity will be cracked as well.

If you think you have outwitted a hacker by using l33t to come up with
"70rchw00d", you deserve to be hacked. #BrokenRecord

Seth



On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote:

>  The article casually mentions cracking the password hash to get the
> system password.  I didn’t know it was that easy!
>
>
>
>
>
>
>
> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Bobby Curtis
> *Sent:* Thursday, July 10, 2014 1:17 PM
> *To:* sethmiller.sm@xxxxxxxxx
> *Cc:* oracle@xxxxxxxxxxx; Oracle-L
> *Subject:* Re: Interesting Hack
>
>
>
> Seth,
>
>
>
> Not harsh at all.
>
>
>
> I thought it was an interesting hack as well.  I think the point of this
> hack example was to highlight what not to do; but we are all human and
> don’t listen half the time.
>
>
>
> Bobby
>
>
>
>
>
> On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm@xxxxxxxxx> wrote:
>
>
>
>    That is interesting except DBSNMP does not have a default password.
>
> If your application is not using bind variables (which would prevent this
> simple sql injection) and you are dumb enough to set your privileged DBSNMP
> account password to DBSNMP, you deserve to be hacked.
>
> Am I being too harsh?
>
> Seth
>
>
>
> On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle@xxxxxxxxxxx> wrote:
>
> Granted the database security was crap to begin with but I did not know
> the escape to shell trick.
>
>
> http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/
>
> Dave
>
> --
> Dave Morgan
> Senior Consultant, 1001111 Alberta Limited
> dave.morgan@xxxxxxxxxxx
> 403 399 2442
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
>
>

• Follow-Ups:
  • RE: Interesting Hack
    • From: McPeak, Matt

• References:
  • Interesting Hack
    • From: Dave Morgan
  • Re: Interesting Hack
    • From: Seth Miller
  • Re: Interesting Hack
    • From: Bobby Curtis
  • RE: Interesting Hack
    • From: McPeak, Matt

Other related posts:

• » Interesting Hack- Dave Morgan
• » Re: Interesting Hack- Seth Miller
• » Re: Interesting Hack- Bobby Curtis
• » RE: Interesting Hack- McPeak, Matt
• » Re: Interesting Hack - Seth Miller
• » RE: Interesting Hack- McPeak, Matt
• » Re: Interesting Hack- Seth Miller
• » Re: Interesting Hack- De DBA
• » Re: Interesting Hack- Seth Miller
• » Re: Interesting Hack- De DBA
• » Re: Interesting Hack- Seth Miller
• » RE: Interesting Hack- MacGregor, Ian A.
• » RE: Interesting Hack- Rich Jesse
• » RE: Interesting Hack- Jack Applewhite
• » Re: Interesting Hack- Jeremy Schneider

1. Home
2. oracle-l
3. Archive
4. 07-2014

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---