Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 









Ten Stages of a Network Attack

Oracle Forensics tips by Paul Wright

This Chapter is a tutorial on IT Security with references paid to Oracle.

The motives of attackers are commonly political, intellectual challenge, commercial gain perhaps via a competitor, and also internal career progression. Whatever the motives, there are patterns in the historical pattern of attacks that enable us to make a model of what attacks look like.

10 stage Generic attack process in a nutshell (in chronological order)

1.      Reconnaissance

2.      Network mapping

3.      Port scanning and banner grabbing a host

4.      Vulnerability identification

5.      Exploitation

6.      Privilege escalation

7.      Rootkit installation

8.      Hiding tracks

9.      Monitoring

10.  Using unauthorized privilege gained for benefit

Of course in a single incident the exact order and number of stages may be changed but this is a good framework to work with.

Now drilling down into the 10 stage list we see more detail about each stage in this generic attack process.

1.    Reconnaissance to find out about the target before attack.

Reconnaissance would be done anonymously so not to tip off the victim. Tor is an encrypted channel for anonymous web browsing . Alternatively an attacker could bounce between multiple Internet proxies such as .

2.    Network mapping of a subnet.

  • nmap is the defacto network mapping tool.

  • Paketo keiretsu enables faster scanning of large networks by separating the send and receive functionality of the scanner.

3.    Port scanning of an individual host

  • Nmap again as well as amap . Nmap, by default, works by using port number to identify the application running so for instance if the Oracle Listener is on port 1522 then nmap will present this port as being rna-lm as per the IANA default port assignments. . By using the additional ?sV switch of nmap it will correctly identify many applications by their banner.

4.    Banner grabbing a host to identify the actual service being ran and vulnerability     identification from the version gained from the banner. This will allow identification  of likely vulnerabilities.

 5.  Exploitation of a software flaw to gain unauthorized access.

These software exploits often consist of buffer overflows due to incorrect bounds checking of input variables. Another exploit common to Oracle is SQL Injection into Web Front end, Forms and PLSQL packages which can result in privilege escalation. These will be looked at it in greater detail later on in the book.

 6.  Cracking passwords and user names is basically the process of taking an encrypted password and then decrypting it or guessing it correctly by attempting many times until the correct password is gained.

7.   Rootkit installation enables covert access at a later date and generally involves the installation of software by the attacker to hide their presence after they have gained privileged access to the target server.

  • which has links to AFX and hacker-defender rootkits for example.

  • The concept of root kits has been transferred to databases as will be discussed.

8.   Hiding tracks to clear up evidence involves deletion of logs and tools as well as resetting timestamps.

  • Change timestamps to show that files have not been changed using  timestamps for instance

  • Secure deletion of files so that recycle bin or forensic data recovery cannot bring the attackers tools back after they have deleted them. Oracle now has a Recycle bin which uses the PURGE keyword to empty or avoid it. We will look in detail at this command.

9.    Monitoring the system over time which typically requires a covert channel.

  • Loki sends shell commands over ICMP

  • Time based covert channels also exist.

10. Using unauthorized privilege for benefit

  • Credit card numbers and Social security IDs form a saleable resource to a commercially minded hacker.

  • An attacker might blackmail a bank if they were able to gain customers data.

  • A competitor may seek advantage in hiring a hacker to subvert another company or spy upon them to gain their intellectual property or list of customers.

  • Internally an employee may seek advantage over an internal competitor by taking an unauthorized action that disadvantages their adversary e.g. causing a mistake to occur and making it look like their adversary did it.

Lists always come in groups of 10 but the 11th stage in this case should be ?getting caught?, which is the responsibility of the reader once this book is finished. This person will collect all the evidence and attempt to deduce the knowable information from an incident with the aim of identifying the culprit and recovering any losses legally if necessary.

Further detail on general computer security in general can be found in a book which has been made available free of charge by the Author who is Professor Ross Anderson of Cambridge University.


This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.



Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster


Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational