Updating OpenDLP to support Oracle Databases for PCI DSS

Updating OpenDLP can support Oracle Databases for the PCI DSS process when looking for credit card numbers and passwords searching Windows or Unix file systems.

OpenDLP is an excellent tool for looking for credit card numbers as part of a PCI DSS scoping process, or looking for passwords and other sensitive data during a penetration test. It can search Windows and Unix file systems and databases. At the time of writing this blog entry, OpenDLP does not have support for Oracle, only MySQL and Microsoft SQL Server. If you want Oracle support in OpenDLP, please check the OpenDLP website first to see if it has been added (https://code.google.com/p/opendlp/), otherwise, read on!

I needed a tool to search Oracle databases for credit card numbers, which was part of helping a client with PCI DSS scoping. Additionally, providing the client with a good discovery tool would help them to comply with the annual requirement to verify the accuracy of the PCI DSS scope. OpenDLP is free and open source, and, while there are commercial tools out there, the client was looking at all options. OpenDLP is easy to get up and running if you download the VirtualBox VM, and it has a web interface.

Adding Oracle support required installing the Oracle Instant Client, installing DBD Oracle for Perl, and updating some of the OpenDLP Perl scripts. The updated OpenDLP files are available for download as a zip file (opendlp_0_4_4_oracle_update.zip).

This is a step by step guide to getting and updating OpenDLP.

Get the OpenDLP Virtual Machine

Download VirtualBox VM from OpenDLP (version 0.4.4)
https://code.google.com/p/opendlp/

Get the VM running and then check that the website is working at https://localhost/OpenDLP/index.html. To make it easier, I disabled the SSL certificate requirement in /etc/apache2/sites-available/default-ssl.

Install Oracle Instant Client

From root (“sudo su -“) update the existing packages and install three required packages:

apt-get update
apt-get upgrade
apt-get install libaio1 alien zip

Download the Oracle Instant Client RPMs for Linux x86 from Oracle. These need to be the basic and SDK (devel). SQL*Plus is for testing that the client works.
https://www.oracle.com/technetwork/topics/linuxsoft-082809.html

Then run alien with “–i” to generate and install debian packages from the RPMs:

alien –i oracle-instantclient11.2-basic-11.2.0.3.0-1.i386.rpm
alien –i oracle-instantclient11.2-devel-11.2.0.3.0-1.i386.rpm
alien –i oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.i386.rpm

Create the file “/etc/profiles.d/oracle.sh” with the Oracle environment variables:

export ORACLE_HOME=/usr/lib/oracle/11.2/client
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib

Open a new shell to set the environment variables, and test the Oracle Instant Client with SQL*Plus:

sqlplus username/password@host/instance

Install DBD Oracle for Perl

Run these commands to get the DBD Oracle source package:

perl -MCPAN -e shell
get DBD::Oracle
quit

Find the folder where DBD Oracle source is downloaded (e.g. /home/opendlp/.cpan/build/DBD-Oracle-1.44-BPFWro/), and run these commands to build it. The first command seems to create a shell that you have to exit.

perl Makefile.PL
make
make install

Test DBD Oracle with this script, if nothing shows then it has connected fine.

#!/usr/bin/perl
use DBI;
my $dbh = DBI->connect("dbi:Oracle://host/instance",'username','password');
$dbh->disconnect;

Update OpenDLP to Support Oracle

You need to download the updated Perl script files: opendlp_0_4_4_oracle_update.zip. Then extract them, make them executable, and move them to the correct directories:

chmod +x db.pl
chmod +x *.html
mv db.pl /var/www/OpenDLP/bin/
mv *.html /var/www/OpenDLP/web/bin/

You should now be able to search Oracle databases for credit cards and passwords. The target format for the scan is “///”, for example “//192.168.1.123/orcl”.


Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]
Contact Us

Contact Us Reach out to one of our cyber experts and we will arrange a call