Penetration Testing: Re: Open Source Database Auditing


From: Marco Ivaldi <raptor_at_mediaservice.net>
Date: Fri, 11 May 2007 13:06:34 +0200 (Western Europe Standard Time)

On Thu, 10 May 2007, holstein.robert_at_bls.gov wrote:

> Hey all.
>
> I'm looking for open source database vulnerability assessment and
> penetration testing tools. Tips and techniques, and any related
> documentation would also be helpful. This is specific to Oracle9i-10G,
> but I would welcome input for any other DB's as well.

First of all, here are some useful on-line resources:

- http://www.databasesecurity.com/
- http://www.ngssoftware.com/
- http://www.petefinnigan.com/
- http://www.red-database-security.com/
- http://www.pentest.co.uk/
- http://www.milw0rm.com/related.php?program=Oracle

Then a couple of _great_ books:

- The Database Hacker's Handbook by V.A.
- The Oracle Hacker's Handbook by David Litchfield

And, finally, the (free) tools of the trade:

- Scanners
         OAPScan.tar.gz
         OraSecurityChk.zip
         OracSec.v.1.4.zip
         SIDGuesser_win32_1_0_5.zip
         bfora.pl
         dbcool_audit.pl
         fileprobe.sh
         metacoretex-0.8.0.tar.gz
         oak.zip
         oat-binary-1.3.1.tgz
         oat-source-1.3.1.zip
         oraprobe.sh
         oscanner_bin_1_0_6.tgz
         oscanner_src_1_0_6.zip
         osp_accounts_public.zip
         secscan.html
- TNS Listener
         OracleTNSLSNR.exe
         WinSID.zip
         getsids-src-0.0.1.tar.gz
         getsids-win32bin-0.0.1.zip
         lsnrcheck.exe
         sidguess.zip
         tns-advisory.txt
         tnscmd-doc.html
         tnscmd.pl
         tnsprobe.sh
- Password Crackers
         bob-the-butcher-0.7.1.tar.gz
         hashattack-0.2.0.tgz
         orabf-v0.7.6.zip
         oracle_checkpwd_big.zip
         oracle_checkpwd_linux_static.tar.gz
         oracle_fmt.c
         oracletest.pl
         pass_cracker.zip
- Fuzzers
         oldfuzzer.py
         oldfuzzer.txt
- Miscellaneous
         ocispy8i-0.2.6.zip
         ocispy8i-0.2.8-i386-linux.tar.gz
         p6spy-install.zip
         toad.txt
- Misc. PL/SQL scripts from the aforementioned on-line resources

There's more around, but I believe this to be a good starting point
already ;) For all the rest, as usual Google is your friend...

Cheers,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
Received on May 11 2007