Oracle Hacking and security

Revision as of 09:57, 20 September 2009 by Puneetm


Hacking and Securing Oracle Database

Course: Hacking and Securing Oracle Database
Course ID: SB1DHSO
Instructor: Sumit Siddharth (Sid)
CPE Credits: 7 CPEs
Duration: 1 Day
Date: November 19th, 2009 (9 AM – 6 PM)

Who should attend?
• Oracle Database Server Administrators.
• Developers using Oracle Databases.
• Penetration Testers.
• Security Managers.

Class Pre-requisite:
• Basic knowledge of Oracle database administration and PL/SQL language.
• Knowledge of penetration testing will be an advantage but is not essential.

Class Requirement:
• Students must bring a laptop with at least 2 GB of free space.
• Students should have administrative access/privileges on the laptop for installing software.
• USB or bootable CD/DVD drive.
• VMware Player.
• Wireless enabled.

Course Description:
This is a hands-on, one-day training course that teaches the security problems related to Oracle. The training covers a mix of traditional and more recent, cutting-edge security issues related to Oracle. Attendees will have access to an infrastructure with a number of Oracle components deployed, and they will be encouraged to exploit and patch security vulnerabilities as they learn them.
1. TNS Listener security problems
2. Default Oracle accounts and privileges
3. Obtaining and cracking password hashes in Oracle
4. Enumerating/fingerprinting Oracle
5. Introduction to Oracle vulnerabilities
6. Buffer overflows
7. SQL and PL/SQL injection
8. Cursor injection
9. Introduction to cursor snarfing and lateral SQL injection
10. Exploiting vulnerabilities to become DBA (from 8i to 11g)
11. From DBA to OS code execution
12. Unwrapping Oracle's PL/SQL for vulnerabilities
13. Advanced SQL injection (identification and exploitation)
14. Hacking Oracle Application Servers
15. Exploiting Oracle from the Web
16. Securing Oracle