
Conference Materials: http://conference.hitb.org/hitbsecconf2007kl/materials/

Official Photos: http://photos.hitb.org

TECH TRAINING 7 - Hacking and Hardening Oracle

Filed under: Main Page — Administrator @ 12:10 pm

Title: Hacking and Hardening Oracle
Trainers: Alexander Kornbrust (Founder, Red Database Security GmbH)
Capacity: 20 pax
Seats left: REGISTRATION CLOSED
Duration: 2 days
Cost: (per pax) MYR2899 (early bird) / MYR3299 (non early-bird)

Overview

This training is a crash course in Oracle security. Attendees will learn the latest techniques for pentesting Oracle databases (finding vulnerabilities, insecure configuration and passwords), for analyzing custom PL/SQL applications for vulnerabilities, and for hardening Oracle databases. Common attack techniques (Oracle rootkits and backdoors, Oracle client attacks) and the appropriate countermeasures are also part of this training.

Day 1

* Introduction
* Oracle Basics (Oracle Architecture, Oracle Products, Oracle Features)
==> Exercise: connect to the database, use sqlplus, sqldeveloper
* Passwords
==> Exercise: Find passwords, crack Oracle database passwords
* SQL-Injection (Web, Database, C/S)
==> Exercise: Privilege Escalation via SQL Injection, Information Retrieval via SQL Injection
* Hacking mod_plsql
==> Exercise: Hack mod_plsql Apps
* Google Hacking for Oracle
==> Exercise: Find vulnerable websites with Google
* Hardening Oracle 10g R2

Day 2

* PL/SQL Programming Basics (Execute programs, read/write files)
==> Exercise: Create files, read files, execute programs, …
* PL/SQL-Source-Code Analysis
==> Exercise: Find Security bugs in PL/SQL code
* Oracle Client attacks
==> Exercise: modifying startup files, finding passwords, …
* IDS Evasion
==> Exercise: Bypass Snort and other Oracle IDS
* Oracle Rootkits & Backdoors
==> Exercise: Install and detect rootkits
* Oracle Forensics
==> Exercise: Analyze log files and audit logs
* Oracle Capture-The-Flag

Requirements:

* Laptop with Windows, Linux or MacOS
* Oracle Instant Client (http://www.oracle.com/technology/software/tech/oci/instantclient/index.html)
* Oracle SQL Developer (http://www.oracle.com/technology/software/products/sql/index.html)
* Web browser

Note: The BackTrack 2 CD can be used instead. BT2 contains an Oracle Instant Client and some Oracle tools.

About Alexander

Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker training courses and has given various presentations at security conferences such as Black Hat, Defcon, Bluehat, IT Underground and Syscan. Alexander has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has reported over 320 security bugs in different Oracle products.


Event Organizer: Hack In The Box (M) Sdn. Bhd.