The following scripts and tools are available for free download. These scripts and tools are not warrented, we do not guarantee that they are error free or that they will work in your environment. Whilst every effort has been taken to ensure that these scripts are error free, we are not responsible for any use to which they are put or any results or damage relating to their use.


BTScanner for XP

BTScanner for XP is a Bluetooth environment auditing tool for Microsoft Windows XP, implemented using the bluecove libraries (an open source implementation of the JSR-82 Bluetooth API for Java).

Requirements : Windows XP Service Pack 2 with a Microsoft Windows supported Bluetooth driver. This will not work with the WIDCOMM Bluetooth stack.

md5: 74ab74991540743e702ed2390694a522

btscanner 2.1

btscanner 2.1 contains minor bugfixes over 2.0, specifically related to the use of multiple dongles when scanning.

md5: 587ec5847647d432eac1704b260af020 btscanner-2.1.tar.bz2

Previous versions of btscanner can be found in the archive page.

Web Application Security

ButterFly Web Application Security Project

The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities and how they are created during the development process. The environment also includes examples demonstrating how such vulnerabilities are mitigated.

There are two versions of the Butterfly application: the insecure version containing web and PHP vulnerabilities; and the secure version, which tries to mitigate vulnerabilities found in the insecure version.

The project documentation identifies the vulnerabilities in the insecure version of the application. It presents possible attack scenarios for the vulnerabilities within the application, and describes possible mitigation methods which will solve most of the security problems found.

Butterfly is implemented using a chroot environment consisting of Apache 2.2.x, PHP (5.2.5 with Suhosin Patch and 5.1.1) and Mysql 5.0.xx. The software is distributed as a deployable archive.

md5: 4b311d5a2acd6a3a8f6bede70580317f butterfly_linux_1.0.tar.gz
md5: 03dc4c52e908159bbccb91091697cc1f butterfly_freebsd_1.0.tar.gz



The Oracle database provides the functionality to enforce password complexity rules by allowing the administrator to write a custom PL/SQL function to verify the password. Although Oracle provides a sample function that they encourage their customers to develop to meet their internal (or in-house) verification requirements, many sites do not use this functionality. This is either because they do not have the in-house expertise or the relevant resources are unavailable.

The Pentest password verification function is designed for use with the PROFILE resource parameter PASSWORD_VERIFY_FUNCTION. It is intended as an alternative to the Oracle supplied VERIFY_FUNCTION (created by the UTLPWDMG.SQL script). It is designed to be easily customisable by someone with little or no PL/SQL experience. It performs most of the checks required by the majority of sites and is configured by setting the values of a set of constants at the beginning of the function.

The PENTEST_PASSWORD_VERIFY function performs the following tests:-

* Check password does not contain the username
* Check password does not contain the username in reverse
* Check password is not similar to the username (soundex)
* Check password is not similar to the previous password (soundex)
* Check password length
* Check password does not contain a forbidden word
* Check password is not similar to a forbidden word (soundex)
* Include database name as a forbidden word
* Include host name as a forbidden word
* Include the current month as a forbidden word
* Check number of alphabetic characters
* Check number of upper characters
* Check number of numeric characters
* Check number of punctuation characters
* Check number of standard oracle punctuation characters (i.e. "_", "#" and "$")
* Check number of non-standard oracle punctuation characters
* Check number of times a single character is used within the password
* Check number of different characters used from previous password
* Check number of different characters within the password

NOTE: This function is only compatible with Oracle10g and onwards.

In addition to the Pentest password verification script provided above various other scripts have been written by our consultants either as part of on-site Oracle engagements or research projects. These scripts have at times proved invaluable and timesaving and are provided individually in the following page for your information and appropriate usage. Alternatively, all the scripts can be downloaded in a single file by clicking here.

arrow moreWhite Papers

Security Services

Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.

read more arrow more

Database Services

Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.

read more arrow more

© Copyright Pentest Limited 2001 - 2017 All Rights Reserved. Privacy statement