Re: database server audit tools

From: Christian Martorella (laramies2k_at_yahoo.com.ar)
Date: 09/14/05

    Date: Wed, 14 Sep 2005 23:47:57 +0200
    To: "Evans, Arian" <Arian.Evans@fishnetsecurity.com>
    
    

    Hi all, I would like to inform you that we are forking the Metacoretex
    project, to create an updated and improved version.
    We started a week ago, and we are working on the first version. The
    project name is Metacoretex-NG, and the objective is to
    create an updated open source vulnerability and assessment framework for
    databases.

    Some of the areas we are working on:

    -Updated plugin collection
    -HTML export of reports
    -Improved interface
    -Pen test mode
    -More databases (DB2, PostgreSQL)
    -Automatic host discovery
    -Better documentation

    Everyone who wants to join us is welcome!

    Contact us: laramies2k@yahoo.com.ar
                            vdiaz@edge-security.com
                            mllovet@edge-security.com

    Soon in: http://metacoretex-ng.sourceforge.net

    Christian Martorella

    Evans, Arian wrote:

    >Hello Paavan, suggestions and comments inline to Mr. Martin's email:
    >
    >
    >***Commercial***
    >
    >-Appsecinc's AppDetective for (insert DB), has a "pen test mode", sort of a brute-force, table-reader
    >type thing; lots of config options here
    >
    >-NGS Squirrel for (insert DB), mostly a vuln scanner, very fast, cost effective
    >
    >-Both Impact and CANVAS have DB exploits, though their focus is not DB auditing.
    >
    >ISS's DB scanner is dead.
    >
    >
    >***Open-Source/Freeware***
    >
    >Metacoretex looked like it had promise, but both plug-in and framework development appears dead now:
    >http://www.metacoretex.com
    >
    >Metasploit and the Securityforest Exploittree both have DB exploit code. Metasploit gives you control
    >over payload, but does not have many DB exploits.
    >
    >Pete Finnigan also keeps a nice list of tools, though many are gone/dead/no longer in active dev:
    >
    >http://www.petefinnigan.com/tools.htm
    >
    >
    >***Books***
    >
    >The Database Hacker's Handbook is another good resource.
    >http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/qid=1126556735/sr=8-1/ref=pd_bbs_1/102-6134774-4798546?v=glance&s=books&n=507846
    >
    >
    >
    >
    >>-----Original Message-----
    >>From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
    >>Some loose tools:
    >>- ATK (free)
    >>
    >>
    >
    >This is sort of like Impact, CANVAS, Metasploit, or ExploitTree, but old and irrelevant for DBs
    >
    >
    >
    >>- Acunetix Web Scanner (free but exists a trial version)
    >>
    >>
    >
    >??? This thing was pretty limited last time I looked at it, and had no database audit capabilities.
    >
    >
    >
    >>- Absinthe
    >>
    >>
    >
    >Formerly SQLSqueal, this is a nice SQL injection testing tool. SPI Dynamics also makes a
    >SQL injection testing tool.
    >
    >
    >
    >>-----Original Message-----
    >>From: paavan shah [mailto:paavan.shah@gmail.com]
    >>Sent: Friday, 9 September 2005 07:57
    >>To: pen-test@securityfocus.com
    >>Subject: database server audit tools
    >>
    >>hello friends...
    >>
    >>can anyone please suggest me good and easily configurable
    >>audit tools for mysql,oracle and sql server?
    >>
    >>please send me also some links to harden my database server
    >>from attacks..
    >
    >
    >>regards,
    >>Pavan Shah.
    >>
    >>---------------------------------------------------------------
    >>
    >>
    >
    >HtH,
    >
    >Arian J. Evans