From: Marco Ivaldi (raptor@mediaservice.net)
Date: Fri May 11 2007 - 07:06:34 EDT
On Thu, 10 May 2007, holstein.robert@bls.gov wrote:
> Hey all.
>
> I'm looking for open source database vulnerability assessment and
> penetration testing tools. Tips and techniques, and any related
> documentation would also be helpful. This is specific to Oracle9i-10G,
> but I would welcome input for any other DB's as well.
First of all, here are some useful on-line resources:
- http://www.databasesecurity.com/
- http://www.ngssoftware.com/
- http://www.petefinnigan.com/
- http://www.red-database-security.com/
- http://www.pentest.co.uk/
- http://www.milw0rm.com/related.php?program=Oracle
Then a couple of _great_ books:
- The Database Hacker's Handbook by V.A.
- The Oracle Hacker's Handbook by David Litchfield
And, finally, the (free) tools of the trade:
- Scanners
OAPScan.tar.gz
OraSecurityChk.zip
OracSec.v.1.4.zip
SIDGuesser_win32_1_0_5.zip
bfora.pl
dbcool_audit.pl
fileprobe.sh
metacoretex-0.8.0.tar.gz
oak.zip
oat-binary-1.3.1.tgz
oat-source-1.3.1.zip
oraprobe.sh
oscanner_bin_1_0_6.tgz
oscanner_src_1_0_6.zip
osp_accounts_public.zip
secscan.html
- TNS Listener
OracleTNSLSNR.exe
WinSID.zip
getsids-src-0.0.1.tar.gz
getsids-win32bin-0.0.1.zip
lsnrcheck.exe
sidguess.zip
tns-advisory.txt
tnscmd-doc.html
tnscmd.pl
tnsprobe.sh
- Password Crackers
bob-the-butcher-0.7.1.tar.gz
hashattack-0.2.0.tgz
orabf-v0.7.6.zip
oracle_checkpwd_big.zip
oracle_checkpwd_linux_static.tar.gz
oracle_fmt.c
oracletest.pl
pass_cracker.zip
- Fuzzers
oldfuzzer.py
oldfuzzer.txt
- Miscellaneous
ocispy8i-0.2.6.zip
ocispy8i-0.2.8-i386-linux.tar.gz
p6spy-install.zip
toad.txt
- Misc. PL/SQL scripts from the aforementioned on-line resources
There's more around, but i believe this to be a good starting point
already;) For all the rest, as usual Google is your friend...
Cheers,
-- Marco Ivaldi, OPST Chief Security Officer Data Security Division @ Mediaservice.net Srl http://mediaservice.net/ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT