Notes of a Junior on the Path to Oracle Mastery
On this blog I am writing about thoughts, solutions, failures and pitfalls on the path to Oracle Mastery. It’s still a long way to go. On this blog, the main focus is learning Oracle.
perfstat/perfstat, OScanner reveals them all
Author: HP Fuchs | Category: Oracle Database, Security, Tools
Unfortunately, creating database accounts like “create user test identified by test” is common practice. Leaving default accounts open with their default passwords is just as common. OScanner reveals those weak points mercilessly.
Oracle Scanner 1.0.6 by patrik@cqure.net
————————————————–
[-] Checking host 120.23.45.104
[-] Checking sid (t432) for common passwords
[x] Got IO Exception
[-] Checking sid (t433) for common passwords
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (t433)
[-] Succesfully enumerated 22 accounts
[-] Account MDSYS/MDSYS is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account OUTLN/OUTLN found
[-] Account PERFSTAT/PERFSTAT found
[-] Checking sid (t434) for common passwords
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (t434)
[-] Succesfully enumerated 122 accounts
[-] Account MDSYS/MDSYS is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account OUTLN/OUTLN found
[-] Account PERFSTAT/PERFSTAT found
…
(This output is not from a real database; it's faked.)
OScanner can be downloaded here. Installation is easy: unzip it. Since it is written in Java, it can be run on a variety of platforms. Using OScanner is as easy as installing it:
C:\Programme\oscanner> scanner.bat -s 192.168.2.3
Oracle Scanner 1.0.6 by patrik@cqure.net
————————————————–
[-] Checking host 192.168.2.3
…
OScanner saves its reports in XML files. The XML files can be displayed as a tree by the OScanner Report Viewer:
C:\Programme\oscanner> reportviewer.exe oscanner_192_168_2_3_report.xml
I don’t like the viewer. I use OScanner like this:
C:\Programme\oscanner> scanner.bat -s 192.168.2.3 > out.txt
OScanner is a great little tool, but the documentation is poor; actually, there is no documentation at all.
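An added example (not part of the original post and not part of OScanner): a Python script that reads scanner text output such as out.txt, groups the default-password findings per host and SID, and prints an ALTER USER statement for each account that accepted a login. The sample input is constructed from the output format shown above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the scanner output shown above.
SAMPLE = """\
[-] Checking host 120.23.45.104
[-] Checking sid (t432) for common passwords
[x] Got IO Exception
[-] Checking sid (t433) for common passwords
[-] Account DBSNMP/DBSNMP found
[-] Account MDSYS/MDSYS is locked
[-] Account OUTLN/OUTLN found
[-] Account PERFSTAT/PERFSTAT found
"""

HOST = re.compile(r"^\[-\] Checking host (\S+)")
SID = re.compile(r"^\[-\] Checking sid \((\S+)\) for common passwords")
# User names are limited to identifier characters so they can be put into SQL.
ACCOUNT = re.compile(r"^\[-\] Account ([A-Za-z0-9_$#]+)/(\S+) (found|is locked)$")
ERROR = re.compile(r"^\[x\] (.+)")

def parse_report(text):
    """Group findings by (host, sid): open logins, locked accounts, errors."""
    report = defaultdict(lambda: {"open": [], "locked": [], "errors": []})
    host = sid = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST.match(line):
            host, sid = m.group(1), None
        elif m := SID.match(line):
            sid = m.group(1)
            report[(host, sid)]  # record the SID even if nothing is found
        elif m := ACCOUNT.match(line):
            key = "open" if m.group(3) == "found" else "locked"
            report[(host, sid)][key].append(m.group(1).upper())
        elif m := ERROR.match(line):
            report[(host, sid)]["errors"].append(m.group(1))
    return dict(report)

def remediation_sql(report):
    """One statement per open account; review before running on a live system."""
    return {target: [f"ALTER USER {user} PASSWORD EXPIRE ACCOUNT LOCK;"
                     for user in sorted(set(found["open"]))]
            for target, found in report.items() if found["open"]}

if __name__ == "__main__":
    for (host, sid), sql in remediation_sql(parse_report(SAMPLE)).items():
        print(f"-- {host} / {sid}", *sql, sep="\n")
```

Accounts that are actually in use need a new password instead of a lock, and SIDs listed with errors were not checked and should be scanned again.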