 

 

 

SIDGuess

 

To connect to the backend Oracle database you need to know the Oracle instance name (SID). This was not a problem before Oracle 10g, as the listener could be queried directly and the SID very easily enumerated. Oracle 10g changed this by adding built-in protection for the listener.

Attempts to manually guess the SID are therefore greeted with the following error: "ORA-12505: TNS:listener does not currently know of SID given in connect descriptor".

 

Alexander Kornbrust from RedBase Security came up with a dictionary-based SID enumerator. It is similar to the sidguesser tool released by Patrik at cqure.net.

 

The advantage of this tool is that it is almost twice as fast as that version. Sidguess checks 190 SIDs per second. This allows you to check every 4-character SID in approx 3 hours and every 5-character SID in approx 4 days. (Obviously the most important thing for this tool is the dictionary you have defined in the first place.)

 

It is available from here.
 

Installation:

 

Extract the executable.

You must ensure that the following DLL is present on the testing machine, otherwise the tool will not work: oci.dll. This can be obtained from a number of sources (Google is a good start). A copy of it is here.
 

Execution:

 

C:\Documents and Settings\hacker\Desktop>sidguess
 

Usage: repscan param_name1=param_value1 param_nameN=param_valueN
 

The following parameters are supported:

  • host=<host_name> - the name or ip address of the computer running DB

  • port=<port> - port for connection

  • sidfile=<file_name> - file with the SID names to use

  • broot=generate SIDs instead of using SID list file
     

Minor note: running the tool and pressing return displays the help shown above, whose usage line alludes to a totally different tool (repscan, also offered by Red-Base). Hopefully this will be altered in the next iteration.

 

Expected output:


C:\Documents and Settings\hacker\Desktop>sidguess.exe host=190.100.100.1 port=1521 sidfile=sid.txt
 

SID=TEST

 

The tool correctly brute-forced the SID of the 10g database I tested it on. The tool is easy to use and comes from a reliable company which also offers a good deal of Oracle exploit code (and training if you require it).

 

Note: - The testing XP SP2 machine had Oracle Client 9.2 installed and the use of the tool produced an sqlnet.log file listing a number of bad connections.
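
The bad connections noted above have a server-side counterpart: each wrong guess is refused with error 12505, which the listener records in its own log. The following is an added example (not part of the original review or of the tool) that flags a source address refused for many distinct SIDs within a short window. The classic text listener.log layout, the sample lines, the addresses and the threshold values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed classic text listener.log layout:
# TIMESTAMP * (CONNECT_DATA=...) * (ADDRESS=...) * establish * SID * RETURN_CODE
ENTRY = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\).*?\) \* establish \* "
    r"(?P<sid>\S+) \* (?P<rc>\d+)\s*$"
)

def find_sid_guessing(lines, window=timedelta(seconds=10), min_sids=5):
    """Map each source address to the distinct SIDs refused with 12505 inside
    one sliding window, for sources that reach min_sids distinct SIDs."""
    failures = defaultdict(list)
    for line in lines:
        m = ENTRY.match(line)  # continuation lines such as "TNS-12505: ..." do not match
        if m and m["rc"] == "12505":
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            failures[m["src"]].append((ts, m["sid"].upper()))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            sids = {sid for _, sid in events[start:end + 1]}
            if len(sids) >= min_sids and len(sids) > len(flagged.get(src, ())):
                flagged[src] = sids
    return flagged

def sample_log():
    """Constructed lines: a normal client, one mistyped SID, one guessing host."""
    fmt = ("21-MAR-2008 10:15:{sec:02d} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=x.exe)"
           "(HOST={name})(USER=u))) * (ADDRESS=(PROTOCOL=tcp)(HOST={ip})(PORT=1055))"
           " * establish * {sid} * {rc}")
    lines = [fmt.format(sec=1, sid="TEST", name="APP01", ip="192.0.2.5", rc=0),
             fmt.format(sec=2, sid="TSET", name="DBA01", ip="192.0.2.7", rc=12505)]
    for sid in ["ORCL", "ORA10", "PROD", "DEV", "XE", "TEST"]:
        rc = 0 if sid == "TEST" else 12505
        lines.append(fmt.format(sec=3, sid=sid, name="XP01", ip="192.0.2.99", rc=rc))
    return lines

if __name__ == "__main__":
    for src, sids in find_sid_guessing(sample_log()).items():
        print(f"possible SID guessing from {src}: {sorted(sids)}")
```

Counting distinct SIDs rather than raw failures keeps a single misconfigured client, which retries one wrong SID repeatedly, from being flagged.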

 
