Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 25 visitors online    

Pete Finnigan's Oracle security weblog


Home » Archives » November 2004 » Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner

[Previous entry: "Oracle passwords : A few not too well known facts"] [Next entry: "Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT"]

Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner

November 5th, 2004 by Pete

Post to del.icio.us   Post to Furl   Digg!

Today Patrik Karlsson has released a new tool on his web site cqure.net. Patrik's web site already has some great free security tools including two for Oracle, his Oracle toolkit and his database enumeration tool which can be used to find Oracle databases on your network. This new tool is a great addition to his free tools.

OScanner is an Oracle security assessment framework developed in Java. It has a plug-in based architecture and comes with a couple of plug-ins that already do the following:



  • Sid Enumeration

  • Passwords tests (common & dictionary)

  • Enumerate Oracle version

  • Enumerate account roles

  • Enumerate account priveleges

  • Enumerate account hashes

  • Enumerate audit information

  • Enumerate password policies

  • Enumerate database links




This is a very useful tool to start a security audit of an Oracle database with. The start of a sample session is shown here:




C:\petefinnigan.com\patrik_karlson\oscanner_release\oscanner_bin>scanner -s zuli
a -r pete.rep
Oracle Scanner 1.0.0 by patrik@cqure.net
--------------------------------------------------
[-] Checking host zulia
[-] Checking sid (sans) for common passwords
[-] Account CTXSYS/CTXSYS is locked
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (sans)
[-] Succesfully enumerated 145 accounts
[-] Account HR/HR is locked
[-] Account MDSYS/MDSYS is locked
[-] Account OE/OE is locked
[-] Account OLAPSYS/MANAGER is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account PM/PM is locked
[-] Account QS/QS is locked
{output snipped}




I have updated my tools page to add a link to this tool. Patrik has released the tool under a GPL license and hopefully he will release more plug-ins for it or maybe others will submit them, the source and a binary are available from Patriks site. The tool will certainly benefit from additional plug-ins should complete well with tools such as metacortex.

There are links to Patrik’s other tools on my tools page and of course on Patriks site.


November 2004
SMTWTFS
 123456
78910111213
14151617181920
21222324252627
282930    

About

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Search weblog

Home and Archives

Weblog Home
Weblog Archives

Recommended reading

Oracle Security Step-by-Step (Version 2.0)

Useful links

Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Other useful blogs

Web Development
SQL Server Security

Syndication - Feeds

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0

Other Links


Valid XHTML 1.0!