Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Re: Open Source Database Auditing
From: toggmeister () vulnerabilityassessment co uk
Date: 11 May 2007 06:42:59 -0000

Hi all,
  OAT from Cqure.net was suggested as a tool that may help, the only trouble with testing against 10g with this is it 
simply will not work unless you physically supply the SID of the database you are testing against.

I have used this tool for quite a while now and even with manually supplying the SID with the -d option, most times I 
get a failed response.

Listener Security has been tightened from 10g and this tool, oscanner and getsids from cqure are more predominately 
useful for earlier versions of Oracle. (They are highly recommended for 9 - almost certainly gets me a valid username 
and password every time.) In addition the in-built accounts.default file only has about 120 Oracle usernames and 
passwords as default.  I have customised my version of this file to include the 600+ that are currently known which 
just needs to replace the in-built one.  It is available from:


A number of other tools exist, which are free to use and specifically work on 10g links at:


A fuller list of tools including commercial variants can be found at:


For background and exploit info check out Alex Kornbrust excellent site:


In depth white Papers and excellent, (albeit expensive tools), can be found at:


Hope this helps



This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]