The following scripts and tools are available for free download. These scripts and tools are not warrented, we do not guarantee that they are error free or that they will work in your environment. Whilst every effort has been taken to ensure that these scripts are error free, we are not responsible for any use to which they are put or any results or damage relating to their use.
BluetoothBTScanner for XP
BTScanner for XP is a Bluetooth environment auditing tool for Microsoft Windows XP, implemented using the bluecove libraries (an open source implementation of the JSR-82 Bluetooth API for Java).
Requirements : Windows XP Service Pack 2 with a Microsoft Windows supported Bluetooth driver. This will not work with the WIDCOMM Bluetooth stack.
md5: 74ab74991540743e702ed2390694a522 btscanner_1_0_0.zip
btscanner 2.1 contains minor bugfixes over 2.0, specifically related to
the use of multiple dongles when scanning.
md5: 587ec5847647d432eac1704b260af020 btscanner-2.1.tar.bz2
Previous versions of btscanner can be found in the archive page.
Web Application SecurityButterFly Web Application Security Project
The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities and how they are created during the development process. The environment also includes examples demonstrating how such vulnerabilities are mitigated.
There are two versions of the Butterfly application: the insecure version containing web and PHP vulnerabilities; and the secure version, which tries to mitigate vulnerabilities found in the insecure version.
The project documentation identifies the vulnerabilities in the insecure version of the application. It presents possible attack scenarios for the vulnerabilities within the application, and describes possible mitigation methods which will solve most of the security problems found.
Butterfly is implemented using a chroot environment consisting of Apache 2.2.x, PHP (5.2.5 with Suhosin Patch and 5.1.1) and Mysql 5.0.xx. The software is distributed as a deployable archive.
md5: 4b311d5a2acd6a3a8f6bede70580317f butterfly_linux_1.0.tar.gz
md5: 03dc4c52e908159bbccb91091697cc1f butterfly_freebsd_1.0.tar.gz
The Oracle database provides the functionality to enforce password complexity rules by allowing the administrator to write a custom PL/SQL function to verify the password. Although Oracle provides a sample function that they encourage their customers to develop to meet their internal (or in-house) verification requirements, many sites do not use this functionality. This is either because they do not have the in-house expertise or the relevant resources are unavailable.
The Pentest password verification function is designed for use with the PROFILE resource parameter PASSWORD_VERIFY_FUNCTION. It is intended as an alternative to the Oracle supplied VERIFY_FUNCTION (created by the UTLPWDMG.SQL script). It is designed to be easily customisable by someone with little or no PL/SQL experience. It performs most of the checks required by the majority of sites and is configured by setting the values of a set of constants at the beginning of the function.
The PENTEST_PASSWORD_VERIFY function performs the following tests:-
* Check password does not contain the username
* Check password does not contain the username in reverse
* Check password is not similar to the username (soundex)
* Check password is not similar to the previous password (soundex)
* Check password length
* Check password does not contain a forbidden word
* Check password is not similar to a forbidden word (soundex)
* Include database name as a forbidden word
* Include host name as a forbidden word
* Include the current month as a forbidden word
* Check number of alphabetic characters
* Check number of upper characters
* Check number of numeric characters
* Check number of punctuation characters
* Check number of standard oracle punctuation characters (i.e. "_", "#" and "$")
* Check number of non-standard oracle punctuation characters
* Check number of times a single character is used within the password
* Check number of different characters used from previous password
* Check number of different characters within the password
NOTE: This function is only compatible with Oracle10g and onwards.
In addition to the Pentest password verification script provided above various other scripts have been written by our consultants either as part of on-site Oracle engagements or research projects. These scripts have at times proved invaluable and timesaving and are provided individually in the following page for your information and appropriate usage. Alternatively, all the scripts can be downloaded in a single file by clicking here.
Penetration Testing as a service has grown into a business in its own right, providing numerous corporations with a valuable weapon in their growing arsenal of security counter measures. Pentest Limited was set up in June 2001 to provide specialist security services to businesses across the UK, North America and Europe.
Pentest Limited offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these databases.