Re: Open Source Database Auditing

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Fri May 11 2007 - 07:06:34 EDT


On Thu, 10 May 2007, holstein.robert@bls.gov wrote:

> Hey all.
>
> I'm looking for open source database vulnerability assessment and
> penetration testing tools. Tips and techniques, and any related
> documentation would also be helpful. This is specific to Oracle9i-10G,
> but I would welcome input for any other DBs as well.

First of all, here are some useful on-line resources:

- http://www.databasesecurity.com/
- http://www.ngssoftware.com/
- http://www.petefinnigan.com/
- http://www.red-database-security.com/
- http://www.pentest.co.uk/
- http://www.milw0rm.com/related.php?program=Oracle

Then a couple of _great_ books:

- The Database Hacker's Handbook by V.A.
- The Oracle Hacker's Handbook by David Litchfield

And, finally, the (free) tools of the trade:

- Scanners
         OAPScan.tar.gz
         OraSecurityChk.zip
         OracSec.v.1.4.zip
         SIDGuesser_win32_1_0_5.zip
         bfora.pl
         dbcool_audit.pl
         fileprobe.sh
         metacoretex-0.8.0.tar.gz
         oak.zip
         oat-binary-1.3.1.tgz
         oat-source-1.3.1.zip
         oraprobe.sh
         oscanner_bin_1_0_6.tgz
         oscanner_src_1_0_6.zip
         osp_accounts_public.zip
         secscan.html
- TNS Listener
         OracleTNSLSNR.exe
         WinSID.zip
         getsids-src-0.0.1.tar.gz
         getsids-win32bin-0.0.1.zip
         lsnrcheck.exe
         sidguess.zip
         tns-advisory.txt
         tnscmd-doc.html
         tnscmd.pl
         tnsprobe.sh
- Password Crackers
         bob-the-butcher-0.7.1.tar.gz
         hashattack-0.2.0.tgz
         orabf-v0.7.6.zip
         oracle_checkpwd_big.zip
         oracle_checkpwd_linux_static.tar.gz
         oracle_fmt.c
         oracletest.pl
         pass_cracker.zip
- Fuzzers
         oldfuzzer.py
         oldfuzzer.txt
- Miscellaneous
         ocispy8i-0.2.6.zip
         ocispy8i-0.2.8-i386-linux.tar.gz
         p6spy-install.zip
         toad.txt
- Misc. PL/SQL scripts from the aforementioned on-line resources

There's more around, but I believe this to be a good starting point
already ;) For all the rest, as usual, Google is your friend...

Cheers,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT