Penetration Testing mailing list archives
Re: database server audit tools
From: Christian Martorella <laramies2k () yahoo com ar>
Date: Wed, 14 Sep 2005 23:47:57 +0200
Hi all, i would like to inform that we are forking the Metacoretex project, to create an updated and improved version. We started a week ago, and we are working on the first version. The project name is Metacoretex-NG, and the objetive is to create an updated open source vulnerability and assessment framework for databases:
Some of the areas we are working: -Updated plugin collection -Html export of reports -Improved Interface -Pen test mode -More databases (db2,postgresql) -Automatic host discovery -Better documentation Everyone who wants to join us, is welcome! Contact us: laramies2k () yahoo com ar vdiaz () edge-security com mllovet () edge-security com Soon in: http://metacoretex-ng.sourceforge.net Christian Martorella Evans, Arian wrote:
Hello Paavan, suggestions and comments inline to Mr. Martin's email: ***Commercial*** -Appsecinc's AppDetective for (insert DB), has a "pen test mode", sort of a brute-force, table-reader type thing; lots of config options here -NGS Squirrel for (insert DB), mostly a vuln scanner, very fast, cost effective -Both Impact and CANVAS have DB exploits, though their focus is not DB auditing. ISS's DB scanner is dead. ***Open-Source/Freeware*** Metacoretex looked like it had promise, but both plug-in and framework development appears dead now: http://www.metacoretex.com Metasploit and the Securityforest Exploittree both have DB exploit code. Metasploit gives you control over payload, but does not have many DB exploits. Pete Finnigan also keeps a nice list of tools, though many are gone/dead/no longer in active dev: http://www.petefinnigan.com/tools.htm ***Books*** The Database Hacker's Handbook is another good resource. http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/qid=1126556735/sr=8-1/ref=pd_bbs_1/102-613477 4-4798546?v=glance&s=books&n=507846-----Original Message-----From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] Some loose tools:- ATK (free)This is a sort of like Impact, CANVAS, Metasploit, or ExploitTree, but old and irrelevant for DBs- Acunetix Web Scanner (free but exists a trial version)??? This thing was pretty limited last time I looked at it, and had no database audit capabilities.- AbsintheFormerly SQLSqueal, this is a nice SQL injection testing tool. SPI Dynamics also makes a SQL injection testing tool.-----Message d'origine-----De : paavan shah [mailto:paavan.shah () gmail com] Envoyé : vendredi 9 septembre 2005 07:57À : pen-test () securityfocus com Objet : database server audit tools hello friends...can anyone please suggest me good and easily configurable audit tools for mysql,oracle and sql server?please send me also some links to harden my database serverfrom attacks..regards, Pavan Shah. ---------------------------------------------------------------HtH, Arian J. Evans ------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
___________________________________________________________ 1GB gratis, Antivirus y Antispam Correo Yahoo!, el mejor correo web del mundo http://correo.yahoo.com.ar
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: SAM user dump, (continued)
- Re: SAM user dump Iván Arce (Sep 22)
- Re: SAM user dump Stephan (Sep 24)
- RE: SAM user dump Roni Bachar (Sep 18)
- Re: SAM user dump frank boldewin (Sep 18)
- RE: SAM user dump dave kleiman (Sep 18)
- RE: database server audit tools Hugo Vinicius Garcia Razera (Sep 14)
- RE: database server audit tools Bénoni MARTIN (Sep 12)
- Re: database server audit tools Steve.Cummings (Sep 12)
- RE: database server audit tools Security Focus (Sep 14)
- RE: database server audit tools Evans, Arian (Sep 14)
- Re: database server audit tools Christian Martorella (Sep 14)
- Re: Re: database server audit tools rohytbelani (Sep 14)
- RE: database server audit tools Marcos Marrero (Sep 14)
- Re: Re: database server audit tools jay.tomas () infosecguru com (Sep 14)
- RE: database server audit tools Craig Wright (Sep 14)
- RE: database server audit tools Michael Gargiullo (Sep 15)