OScanner is an Oracle security assessment framework developed in Java. It has a plug-in based architecture and comes with a couple of plug-ins that already do the following:
- Sid Enumeration
- Password tests (common & dictionary)
- Enumerate Oracle version
- Enumerate account roles
- Enumerate account privileges
- Enumerate account hashes
- Enumerate audit information
- Enumerate password policies
- Enumerate database links
This is a very useful tool to start a security audit of an Oracle database with. The start of a sample session is shown here:
C:\petefinnigan.com\patrik_karlson\oscanner_release\oscanner_bin>scanner -s zulia -r pete.rep
Oracle Scanner 1.0.0 by patrik@cqure.net
--------------------------------------------------
[-] Checking host zulia
[-] Checking sid (sans) for common passwords
[-] Account CTXSYS/CTXSYS is locked
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (sans)
[-] Succesfully enumerated 145 accounts
[-] Account HR/HR is locked
[-] Account MDSYS/MDSYS is locked
[-] Account OE/OE is locked
[-] Account OLAPSYS/MANAGER is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account PM/PM is locked
[-] Account QS/QS is locked
{output snipped}
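The categories in the plug-in list above (version, account status, password policy, roles, privileges, audit settings and database links) all come straight out of the Oracle data dictionary, so a DBA can see what an external scan like the one above would report before it is run. The SQL*Plus script below is an added example, not code from OScanner or from this post: it assumes a session holding SELECT_CATALOG_ROLE or the DBA role, and the spool file name and the list of privileges singled out are my own choices.

```sql
-- Added example (not part of OScanner or the original post): a DBA-side
-- self-audit covering the same categories the OScanner plug-ins enumerate.
-- Assumes SQL*Plus connected as a user with SELECT_CATALOG_ROLE or DBA.
-- Everything here only reads the dictionary; nothing is modified.
SET PAGESIZE 200 LINESIZE 160 FEEDBACK OFF
SPOOL oracle_selfaudit.txt            -- arbitrary report file name

PROMPT === Database version ===
SELECT banner FROM v$version;

PROMPT === Account status (what the password plug-in probes from outside) ===
SELECT username, account_status, profile, lock_date, expiry_date
FROM   dba_users
ORDER  BY account_status, username;

PROMPT === Password policy limits per profile ===
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;

PROMPT === Password controls left at UNLIMITED (worth reviewing) ===
SELECT profile, resource_name
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    limit = 'UNLIMITED'
ORDER  BY profile, resource_name;

PROMPT === Role grants (excluding SYS and SYSTEM) ===
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee, granted_role;

PROMPT === Powerful system privileges granted directly to accounts ===
-- The privilege list is a chosen subset; extend it to suit local policy.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('ALTER ANY TABLE', 'CREATE ANY PROCEDURE',
                     'EXECUTE ANY PROCEDURE', 'SELECT ANY TABLE',
                     'SELECT ANY DICTIONARY', 'GRANT ANY PRIVILEGE',
                     'GRANT ANY ROLE', 'BECOME USER', 'ALTER USER',
                     'CREATE USER', 'DROP USER')
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee, privilege;

PROMPT === Auditing configuration ===
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

PROMPT === Statement audit options currently enabled ===
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY user_name, audit_option;

PROMPT === Database links (each one stores a credential for another system) ===
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY owner, db_link;

SPOOL OFF
```

Save the block as a file and run it with `@filename` from SQL*Plus; the spooled report can then be compared line by line with the scanner's output to confirm that what the scanner found from outside matches what the dictionary says from inside, and to catch locked-but-default accounts or UNLIMITED password limits before anyone else does.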
I have updated my tools page to add a link to this tool. Patrik has released the tool under a GPL license, and hopefully he will release more plug-ins for it, or maybe others will submit them; the source and a binary are available from Patrik's site. The tool will certainly benefit from additional plug-ins and should compete well with tools such as metacortex.
There are links to Patrik's other tools on my tools page and of course on Patrik's site.