Recently, I was put to the task of running some audits on a raft of Oracle databases. Now, I’ll be the first to admit that I’m rusty in the database space. So, I looked high and low for some Oracle password crackers. The best one that I found was the commercial offering AppDetective. Mind you, this is very expensive, so it’s a bit of a luxury item for a lot of infosec types. But it can do Oracle and SQL. Next, I started poking about looking for some other tools to audit SQL passwords, and I came across this article by Kevin Beaver.
To get things rolling, you need to determine which systems are available to test. You may know your environment like the back of your hand, but it doesn’t hurt to ferret out servers you may have forgotten or those someone else connected to the network. You should at least run SQLPing2, but I highly recommend SQLRecon to find SQL instances you might not otherwise be able to discover.
He has screenshots and links to several good tools.