Some time in 2008, we developed a framework for automating Oracle penetration tests. The framework was called OAP, which stood for Oracle Attack and Penetration. However, due to the lack of updates and development the framework quickly became obsolete.
2011, the project has been completely rewritten from scratch and this time in Java. The new version of OAP resolves many of the problems with the previous version and introduces threading, new features and an improved GUI.
The framework modules cover the following functionality:
- An Oracle client for crafting manual queries.
- An enumeration module for enumerating the Oracle SID.
- A threaded bruteforcer for checking for default credentials, SIDs or bruteforcing valid username/password combinations.
- An extensible exploit kit written using beanshell.
- A file system module for interacting with the host file system.
- OAPShell – an interactive command shell for executing commands on the host.
Check out OAP in action.
We are currently looking for beta testers, if this is something you may be interested in, please drop us an e-mail at research [at] mdsec [dot] co.uk.