Tools:

bullet

Database Security

bullet

DBVisualiser

bullet

MatriXay

bullet

     MS SQL Server

bullet

           forceSQL

bullet

           piggy

bullet

           SQLat

bullet

           SQLdict

bullet

           SQLlhf

bullet

           SQLPing

bullet

           SQLPing2

bullet

           SQLPoke

bullet

           SQLRecon

bullet

           SQLVer

bullet

Oracle

bullet

           breakable

bullet

           check password

bullet

           Default Passwords

bullet

           DNS/HTTP enumeration

bullet

           LSNR Check

bullet

           OAK

bullet

           Oracle Auditing Tool

bullet

           Oracle Client

bullet

           Oracle Security Check

bullet

           OracSec

bullet

           Oscanner

bullet

           Orabf

bullet

           Oracle TNSLSNR

bullet

           scuba

bullet

           Service Register

bullet

           SIDGuess

bullet

           sidguesser

bullet

           sqlinjector

bullet

           SQL Plus

bullet

           TCP Scan

bullet

           TNSCmd

bullet

           TNSVer

bullet

           Winsid

bullet

SQL Injection    

bullet

     Sybase

bullet

           NGS Squirrel for Sybase

 

Pen Testing Framework:

bullet

Pen Test Framework  (html)

bullet

    Source  (FreeMind .mm format)

bullet

    PDF       (zip format)

bullet

Framework Poster available

bullet

Pre-site Template (html)

bullet

Pre-site Template (pdf)

bullet

Report Template (html)

bullet

Report Template (pdf)

bullet

Compliance Testing

 

Information:

bullet

IT Threats

bullet

RSS Feed


 
       

 

orabf

 

Orabf is an extremely fast offline brute force/dictionary attack tool that can be used when the particular username and hash are known for an Oracle account.  Obviously the speed of the brute force attack slows down the longer the amount of characters that it is trying to brute force with but for short username/hash combinations it can be over a million tries per second. 

 

It is available from here.

 

Command Syntax

 

C:\orabf-v0.7.5>orabf [hash]:[username] [options]

Options:

-c     [num] complexity: a number in [1..6] or a filename
        - read words from stdin
        [file] read words from file
        1 numbers
        2 alpha
        3 alphanum
        4 standard oracle (alpha)(alpha,num,_,#,$)... (default)
        5 entire keyspace (' '..'~')
        6 custom (charset read from first line of file: charset.orabf)
-m [num] max pwd len: must be in the interval [1..14] (default: 14)
-n [num] min pwd len: must be in the interval [1..14] (default: 1)
-r resume: tries to resume a previous session

 

Example output:

 

 

In this case the in-built dictionary default.txt has been used to carry out a dictionary based attack.

 

 

In this case a brute force attack has been carried out specifying to orabf that it should start brute forcing with a password with a minimum length of 4 characters.

 

  © VulnerabilityAssessment.co.uk            Thursday May 17, 2007
hit counter
html hit counter