Wednesday, October 2, 2013

Database Server Vulnerability Scanner / Penetration Testing Toolkit

Scuba :

             Scuba is a free tool that scans leading enterprise databases for security vulnerabilities and configuration flaws, including patch levels. Reports deliver actionable information to quickly reduce risk, and regular vulnerability updates ensure that Scuba keeps pace with new threats.


Use Scuba to:
  • Automate vulnerability discovery
  • Secure infrastructure and measure compliance
  • Prioritize risk and focus remediation resources
  • Safely test enterprise class databases


    Download Link : https://www.imperva.com/lg/lgw.asp?pid=213  


 Safe3SI :

              is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database,to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

 Download Link : http://sourceforge.net/projects/safe3si/files/


DBPwAudit :

                 is a Java tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory. Configuration is performed in two files, the aliases.conf file is used to map drivers to aliases and the rules.conf tells the application how to handle error messages from the scan.




McAfee Vulnerability Manager :

                             for Databases automatically discovers databases on your network, determines if the latest patches have been applied, and tests for common weaknesses such as weak passwords, default accounts, and other common threats. Vulnerability Manager for Databases conducts more than 4,700 vulnerability checks against leading database systems, including Oracle, SQL Server, DB2, and MySQL.







AppDetectivePro :

                          is a database scanner that empowers professionals to scan databases for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns, and other issues that can lead to user privilege escalation. As complex as databases are, AppDetectivePro provides a cost-effective solution to provide the following:







SQLdict :

         is a dictionary attack tool for SQL Server. SQLdict is a basic single ip brute-force MS SQL Server password utility that can carry out a dictionary attack against a named SQL account.



        The use of this tool is simple you just specify the IP address you are attacking, the user account you are up against and then load an appropriate wordlist to try via the Load Password File button






Oscanner : 

                is an Oracle assessment framework developed in Java. It has a plugin-based architecture and comes with a couple of plugins that currently do:

- Sid Enumeration
- Passwords tests (common & dictionary)
- Enumerate Oracle version
- Enumerate account roles
- Enumerate account privileges
- Enumerate account hashes
- Enumerate audit information
- Enumerate password policies
- Enumerate database links

Download Link :

Version 1.0.6 source oscanner_src_1_0_6.zip
Version 1.0.6 binary oscanner_bin_1_0_6.zip





Oracle Auditing Tool :

                                 Exploits some of the known vulnerabilities of Oracle. Includes SID Enumeration, Passwords tests [common/ dictionary]. Supports attachment of malformed shell codes with TCP packets for crashing the remote server or gain DBA privileges on it.

 Download Link : http://sourceforge.net/projects/oracleauditor/files/latest/download

 


Secure Oracle Auditor :

                                   is an Oracle auditing and Oracle security vulnerability assessment software which is capable of scanning multiple Oracle database servers. This Oracle security software provides Oracle audit tools, Oracle password tools, database scanner software and Oracle security tools for penetration testing.  Secure Oracle Auditor™ identifies the database security threats in Oracle database that contains significant and precious information which is essential for the organization's success.






Secure SQL Auditor (SQA) :

                                        is a SQL security software that conducts database server security auditing & includes vulnerability assessment tools for SQL database server. It is a network based SQL security assessment tool capable of scanning multiple database servers. Secure SQL Auditor™ performs the massive task of identifying vulnerabilities and threats present in MS SQL database server. It helps administrators in closing loopholes which provide direct access to SQL database servers and lead to monetary, reputational and informational losses.