Penetration Testing mailing list archives

Re: Open Source Database Auditing

From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 11 May 2007 13:06:34 +0200 (ora solare Europa occidentale)

On Thu, 10 May 2007, holstein.robert () bls gov wrote:

Hey all.
I'm looking for open source database vulnerability assessment andpenetration testing tools. Tips and techniques, and any relateddocumentation would also be helpful. This is specific to Oracle9i-10G,but I would welcome input for any other DB's as well.


First of all, here are some useful on-line resources:

- http://www.databasesecurity.com/
- http://www.ngssoftware.com/
- http://www.petefinnigan.com/
- http://www.red-database-security.com/
- http://www.pentest.co.uk/
- http://www.milw0rm.com/related.php?program=Oracle

Then a couple of _great_ books:

- The Database Hacker's Handbook by V.A.
- The Oracle Hacker's Handbook by David Litchfield

And, finally, the (free) tools of the trade:

- Scanners
        OAPScan.tar.gz
        OraSecurityChk.zip
        OracSec.v.1.4.zip
        SIDGuesser_win32_1_0_5.zip
        bfora.pl
        dbcool_audit.pl
        fileprobe.sh
        metacoretex-0.8.0.tar.gz
        oak.zip
        oat-binary-1.3.1.tgz
        oat-source-1.3.1.zip
        oraprobe.sh
        oscanner_bin_1_0_6.tgz
        oscanner_src_1_0_6.zip
        osp_accounts_public.zip
        secscan.html
- TNS Listener
        OracleTNSLSNR.exe
        WinSID.zip
        getsids-src-0.0.1.tar.gz
        getsids-win32bin-0.0.1.zip
        lsnrcheck.exe
        sidguess.zip
        tns-advisory.txt
        tnscmd-doc.html
        tnscmd.pl
        tnsprobe.sh
- Password Crackers
        bob-the-butcher-0.7.1.tar.gz
        hashattack-0.2.0.tgz
        orabf-v0.7.6.zip
        oracle_checkpwd_big.zip
        oracle_checkpwd_linux_static.tar.gz
        oracle_fmt.c
        oracletest.pl
        pass_cracker.zip
- Fuzzers
        oldfuzzer.py
        oldfuzzer.txt
- Miscellaneous
        ocispy8i-0.2.6.zip
        ocispy8i-0.2.8-i386-linux.tar.gz
        p6spy-install.zip
        toad.txt
- Misc. PL/SQL scripts from the aforementioned on-line resources

There's more around, but i believe this to be a good starting pointalready;) For all the rest, as usual Google is your friend...


Cheers,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

Current thread:

Open Source Database Auditing holstein . robert (May 10)
- Re: Open Source Database Auditing SD List (May 10)
- Re: Open Source Database Auditing James Patterson (May 10)
  - Re: Open Source Database Auditing SD List (May 11)
- Re: Open Source Database Auditing Clint P. Garrison MBA, CISSP, QSA (May 10)
- Re: Open Source Database Auditing Joxean Koret (May 10)
- Re: Open Source Database Auditing Marco Ivaldi (May 11)
- <Possible follow-ups>
- Re: Re: Open Source Database Auditing toggmeister (May 11)