Penetration testing usually involves several areas, and databases stand out among them. In this post I will show you the _not so_ well-known tools for pentesting Oracle databases.
OScanner: OScanner is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:
- SID enumeration
- Password tests (common & dictionary)
- Enumerate Oracle version
- Enumerate account roles
- Enumerate account privileges
- Enumerate account hashes
- Enumerate audit information
- Enumerate password policies
- Enumerate database links
The results are given in a graphical Java tree.
Oracle Auditing Tools (OAT): The Oracle Auditing Tools is a toolkit that can be used to audit security within Oracle database servers.
DBPwAudit: DBPwAudit is a Java tool that allows you to perform online audits of password quality for several database engines. The application design makes it easy to add database drivers by simply copying new JDBC drivers to the jdbc directory. Configuration is performed in two files: aliases.conf maps drivers to aliases, and rules.conf tells the application how to handle error messages from the scan.
SidGuesser: Guesses SIDs/instances against an Oracle database according to a predefined dictionary file.
Links of interest:
Saturday, January 10