Penetration Testing mailing list archives

RE: Pen Testing an Oracle Database


From: "Aaron C. Newman" <aaron () newman-family com>
Date: Thu, 4 Oct 2001 16:38:57 -0400

You can use the beta version of DbDetective. It is in the early stages of
development, but it does work. Download it from
http://www.appsecinc.com/products/.

It is a pen testing tool for Oracle - a small sample of what it does:
- locates databases on the network even if they are not on the default port
- determines the version of the database and listener service
- brute forces the listener password
- checks for default database passwords
- enumerates database accounts
- brute forces all database accounts found (including internal, sys as
sysdba, etc...)
- checks for known buffer overflows
- checks for known denial of service accounts

Any feedback on the product is appreciated.

Regards,
Aaron Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
212-490-6022
-Protection Where It Counts-


-----Original Message-----
From: pen-test-return-1101-aaron=newman-family.com () securityfocus com
[mailto:pen-test-return-1101-aaron=newman-family.com () securityfocus com]
On Behalf Of Jason binger
Sent: 03 October 2001 06:45
To: pen-test () securityfocus com
Subject: Pen Testing an Oracle Database


Does anyone have any command line equivalents of
osql.exe for passing queries to an Oracle Database?

Does anyone know of a decent brute force network
password cracker for Oracle?

Any other tools or techniques appreciated.

Jason



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


