Conference Materials: http://conference.hitb.org/hitbsecconf2007kl/materials/

Official Photos: http://photos.hitb.org

TECH TRAINING 7 - Hacking and Hardening Oracle

Filed under: Main Page — Administrator @ 12:10 pm

Title: Hacking and Hardening Oracle
Trainers: Alexander Kornbrust (Founder, Red Database Security GmbH)
Capacity: 20 pax
Duration: 2 days
Cost: (per pax) MYR2899 (early bird) / MYR3299 (non early-bird)


This training is a crash course in Oracle security. Attendees will learn the latest techniques for pentesting Oracle databases (finding vulnerabilities, insecure configurations and passwords), how to analyze (custom) PL/SQL applications for vulnerabilities, and how to harden Oracle databases. Common attack techniques (Oracle rootkits and backdoors, Oracle Client attacks) and the appropriate countermeasures are also part of this training.

Day 1

* Introduction
* Oracle Basics (Oracle Architecture, Oracle Products, Oracle Features)
==> Exercise: connect to the database, use sqlplus, sqldeveloper
* Passwords
==> Exercise: Find passwords, crack Oracle database passwords
* SQL-Injection (Web, Database, C/S)
==> Exercise: Privilege Escalation via SQL Injection, Information Retrieval via SQL Injection
* Hacking mod_plsql
==> Exercise: Hack mod_plsql Apps
* Google Hacking for Oracle
==> Exercise: Find vulnerable websites with Google
* Hardening Oracle 10g R2

Day 2

* PL/SQL Programming Basics (Execute programs, read/write files)
==> Exercise: Create files, read files, execute programs, …
* PL/SQL-Source-Code Analysis
==> Exercise: Find Security bugs in PL/SQL code
* Oracle Client attacks
==> Exercise: modifying startup files, finding passwords, …
* IDS Evasion
==> Exercise: Bypass Snort and other Oracle IDS
* Oracle Rootkits & Backdoors
==> Exercise: Install and detect rootkits
* Oracle Forensics
==> Exercise: Analyze log files, audit log
* Oracle Capture-The-Flag


* Laptop with Windows, Linux or MacOS
* Oracle Instant Client (http://www.oracle.com/technology/software/tech/oci/instantclient/index.html)
* Oracle SQL Developer (http://www.oracle.com/technology/software/products/sql/index.html)
* Web browser

Note: The BackTrack 2 CD could be used. BT2 contains an Oracle Instant Client and some Oracle tools.

About Alexander

Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings, and has given various presentations at security conferences such as Black Hat, Defcon, Bluehat, IT Underground and Syscan. Alexander has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander reported over 320 security bugs in different Oracle products.

Event Organizer

Hack In The Box (M) Sdn. Bhd.
