From: toggmeister@vulnerabilityassessment.co.uk
Date: Fri May 11 2007 - 02:42:59 EDT
I have used this tool for quite a while now and even with manually supplying the SID with the -d option, most times I get a failed response.
Listener security has been tightened from 10g and this tool, oscanner and getsids from cqure are more predominantly useful for earlier versions of Oracle. (They are highly recommended for 9 - almost certainly gets me a valid username and password every time.) In addition, the in-built accounts.default file only has about 120 Oracle usernames and passwords as default. I have customised my version of this file to include the 600+ that are currently known, which just needs to replace the in-built one. It is available from:
http://www.vulnerabilityassessment.co.uk/accounts.default
A number of other tools exist, which are free to use and specifically work on 10g; links at:
http://www.vulnerabilityassessment.co.uk/oracle.htm
A fuller list of tools including commercial variants can be found at:
http://www.petefinnigan.com/tools.htm
For background and exploit info check out Alex Kornbrust's excellent site:
http://www.red-database-security.com/
In-depth white papers and excellent (albeit expensive) tools can be found at:
Hope this helps
Rgds.
Kev
http://www.vulnerabilityassessment.co.uk
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT