using hydra for oracle

[mystic-d]

hey

I'm trying to use hydra for checking my DB that runs Oracle but it didn't work, and i don't know how to give the specific command of the SID of the DB.

i want to connect to ip xxx.xxx.xxx.xxx (this is the oracle listner ip) and do DB that his SID is "dbyyyy",

i was tried this :" hydra -l username -P wordlist.txt -vV xxx.xxx.xxx.xxx oracle-listener dbyyyy " but it didnt work..

i`ll be happy to get any assistance for this ...

thanks !

[sec_ware]

Hi

There is some misunderstanding, I think:

The oracle-listener module of hydra fires against the oracle-listener itself,
not an actual oracle instance (you can password-protect the oracle-listener).
It is my experience that the oracle-listener module does not work properly,
in particular with 10.2.0.1.*, and also not well with 9.2.*
(check the listener-log to understand what I mean)

If you want to use hydra against an oracle instance, I suggest the following set
of parameters:

Code:

>hydra -l system -P PASSWDLIST -v -m / -s 8080 192.168.1.100 http-get

where 192.168.1.100 is the server. It is assumed, however, that web-configuration
is available (per default in 10.2.* as well as in the express edition).

Cheers

[mystic-d]

i`ll explain myself again..
i want to do a dictinary "attack" against one of my DB that his SID is dbyyyy,
(for finnaly the connection (username and password) is chked for one DB and not for all the listner..
can i use this module (the oracle-listner module for hydra) ?
and if so , how can i do that ? (not in http..)
thanks again..

[sec_ware]

Hi

You made yourself perfectly understandeable. Probably, my answer wasn't.


In short and as far as I know:

No, you cannot use hydra to attack the database instance directly.

You can use hydra to attack
- the oracle listener ("oracle-listener") and
- the web-configuration interface ("http-get")


Cheers