AppSentry Listener Security Check Tool (nee lsnrcheck.exe)

 

All those who have been using version 1 of the above tool are in for a nice treat. The people at Integrigy have just upgraded it with a sleek new front-end and a lot of nice new features. Gone are the problems of not working with Oracle 10g and above; the new tool now works against all variants of Oracle, all the way up to and including 11i.

 

Four checks are performed as before to try and determine:

 

TNS Listener Password set?

 

LSNRCTL> CHANGE_PASSWORD
Old password: difficult
New password: very_difficult
Reenter new password: very_difficult
LSNRCTL> SET PASSWORD
Password: very_difficult
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully

 

Logging enabled?

 

lsnrctl> set log_status on

 

ADMIN_RESTRICTIONS enabled? 

 

ADMIN_RESTRICTIONS_LISTENER=ON in listener.ora

 

LOCAL_OS_AUTHENTICATION set for Oracle 10g.
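
The same four settings can also be read offline from a copy of listener.ora. The Python sketch below is an added example, not part of AppSentry or the original article; it assumes a listener named LISTENER (hence PASSWORDS_LISTENER, LOGGING_LISTENER and so on), and the sample file is constructed.

```python
import re

# Constructed sample listener.ora (not from a real system).
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON
# PASSWORDS_LISTENER = 0123456789ABCDEF
LOGGING_LISTENER = off
"""

def parse_params(text):
    """Return {NAME: value} for single-line 'NAME = value' entries.

    Comments (#...) are stripped; indented or multi-line address
    descriptions are skipped because they never match the pattern.
    """
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*([^\s(].*?)\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def audit_listener(text, name="LISTENER"):
    """Map the four checks to what listener.ora explicitly sets.

    Each switch is True/False when set ON/OFF, or None when the file
    does not mention it and the listener falls back to its default.
    """
    p = parse_params(text)
    def switch(prefix):
        v = p.get(f"{prefix}_{name.upper()}")
        return None if v is None else v.upper() == "ON"
    return {
        "password_set": f"PASSWORDS_{name.upper()}" in p,
        "logging": switch("LOGGING"),
        "admin_restrictions": switch("ADMIN_RESTRICTIONS"),
        "local_os_authentication": switch("LOCAL_OS_AUTHENTICATION"),
    }

if __name__ == "__main__":
    for check, state in audit_listener(SAMPLE_LISTENER_ORA).items():
        print(f"{check:26} {state}")
```

A None result means the file is silent on that setting, so the running listener's state still has to be confirmed with the tool or lsnrctl. Settings changed with SET commands only reach listener.ora after SAVE_CONFIG.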

 

The tool also enumerates the databases (SIDs) for a Listener, information that may be needed to enable the OAT suite of tools to function correctly. Lsnrcheck.exe is a stand-alone Windows 2000/XP executable that requires neither installation nor any Oracle client software. It can also be run directly from USB or a bootable CD-ROM.

 

It is available from here.

 

Installation is carried out by simply downloading the executable from the website.


The screenshots demonstrate the new look, the usage and the results expected from the tool.
 

The first is the usual security check carried out against the TNS listener: insert the IP address and listener port number (default 1521) and simply select the Perform Listener Security Check button:

 

 

The second is the notes that are provided by the application when it reports a security issue, including pertinent rectification advice and version disparities:

 

 

The third is a new way to enumerate SIDs from remote databases:

 

 

The fourth allows a query of an installed tnsnames.ora file (i.e. the Oracle configuration file that lists all the listeners and instances):

 

 

Overall, this is an excellent improvement and should prove extremely useful when carrying out a Penetration Test/Vulnerability Assessment.

 
