RE: Pen Testing an Oracle Database

From: Aaron C. Newman (aaron@newman-family.com)
Date: Thu Oct 04 2001 - 13:38:57 PDT


    You can use the beta version of DbDetective. It is in the early stages of
    development, but it does work. Download it from
    http://www.appsecinc.com/products/.
    
    It is a pen testing tool for Oracle - a small sample of what it does:
    - locates databases on the network even if they are not on the default port
    - determines the version of the database and listener service
    - brute forces the listener password
    - checks for default database passwords
    - enumerates database accounts
    - brute forces all database accounts found (including internal, sys as
    sysdba, etc...)
    - checks for known buffer overflows
    - checks for known denial of service accounts
    
    Any feedback on the product is appreciated.
    
    Regards,
    Aaron Newman
    CTO/Founder
    Application Security, Inc.
    www.appsecinc.com
    212-490-6022
    -Protection Where It Counts-
    
    
    -----Original Message-----
    From: pen-test-return-1101-aaron=newman-family.comat_private
    [mailto:pen-test-return-1101-aaron=newman-family.comat_private]
    On Behalf Of Jason binger
    Sent: 03 October 2001 06:45
    To: pen-testat_private
    Subject: Pen Testing an Oracle Database
    
    
    Does anyone have any command line equivalents of
    osql.exe for passing queries to an Oracle Database?
    
    Does anyone know of a decent brute force network
    password cracker for Oracle?
    
    Any other tools or techniques appreciated.
    
    Jason
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 14:56:47 PDT