September 22nd, 2008 by Patrik Karlsson
Even though I have barely touched oscanner for the last couple of years, quite a few people apparently still use it as a basic scanner against Oracle. Some have complained a bit about the annoying XML reporting format. Some have complained even more, mostly about the hassle of getting any of the discovered users, passwords and version information out of the report.
Therefore, four years after the initial release, I am releasing two small utilities. One extracts a semicolon-separated list of the hostname, instance, username and password from a given report file. The other tool simply prints the hostname and the first line from the version banner retrieved from the database.
Installation is simple. Download the zip file to the oscanner installation directory and unzip it. The new tools take a single argument, the oscanner logfile:
java cqure.repeng.ExtractVersion oscanner_localhost_report.xml
java cqure.repeng.ExtractPasswords oscanner_localhost_report.xml
The tools are available here and have had very little testing, so don’t expect too much.
Posted in cqure.net | No Comments »
August 27th, 2008 by Patrik Karlsson
Unfortunately I couldn’t make Vegas this year. According to friends and the slides I have been going through it looked as if there were quite a few really good and interesting talks this year at both Blackhat and Defcon.
I will be attending the first Swedish-based Sec-t security conference here in Stockholm, which I think might actually turn out really well. It will be held between the 11th and 12th of September.
I will be speaking in the last slot on Friday about what administrators can do in order to reduce the impact of web application vulnerabilities, i.e. system and application hardening.
More information regarding the event is available at the official web site http://www.sec-t.org/
May 29th, 2008 by Patrik Karlsson
My presentation from the Swedish OWASP meeting the other day is now online.
I spoke about SQL injection (again), efficient UNION exploitation, OOB channels and DNS tunneling in MSSQL, Oracle and MySQL.
The presentation, DNS-server tool and a minimal cheat sheet can be found here.
I had a great time and enjoyed meeting friends, colleagues and listening to the other speeches.
May 3rd, 2008 by Patrik Karlsson
I made some minor adjustments and bugfixes to the 0.7 release and released 0.8. MSSQLScan should now support a graceful shutdown when doing a ctrl-break and not skip hosts when running out of sockets.
Get it here.
May 1st, 2008 by Patrik Karlsson
I have released a new tool that can be used to verify password quality against several database engines. Make sure to check it out here.