This topic describes how to configure and run Penetration Testing against target databases you specify.
Pen Test-related System Properties:
Property | Purpose | Possible Values and Default Values |
---|---|---|
Enable Pen Test | When set to true, the Pen Test capability is enabled. When set to false, the Pen Test capability is disabled. | true or false. The default value is false. |
Enable Pen Test For All Users in Database (Standalone only) | When set to true, every account in the target database is tested. When set to false, FortiDB tests only the user names listed in <dbtype>user.txt, where dbtype represents the target-database type and is one of a fixed set of type strings. | true or false. The default value is true. |
Pen Test Method | The Login method actually logs in to your target databases with each candidate username/password pair. Caution: be careful when using this method. Every unsuccessful attempt counts as a failed login on the target, so the test can trip the database's account-lockout policy and prevent any user, even approved users, from logging in to your target database. Check the target's lockout settings (for example, the FAILED_LOGIN_ATTEMPTS limit in an Oracle profile) before running it. The Hash-based method is a safer, offline approach: FortiDB compares each candidate password against the password hashes the database stores, so no login attempt is made. It is available only for Oracle and MS SQL target databases. (A hash is a one-way digest of the clear-text password, not an encryption of it; it cannot be reversed, but a candidate can be hashed and compared with it.) With the Hybrid method, FortiDB uses the best available method: the hash-based method for Oracle and MS SQL targets, and the Login method otherwise. | Login, Hash-based, or Hybrid. |
Pen Test Password Dictionary | A file containing the passwords to be checked when executing the Dictionary penetration test. The Browse button allows you to select your dictionary file; you must then select the Save button to complete your selection. | "Built-in Dictionary" indicates that the default dictionary is being used. "User Dictionary" indicates that you have uploaded your own dictionary file; the filename of the dictionary you upload is not shown here. Note: when you restore the default dictionary (check the checkbox, select Restore Default(s), then Save), your uploaded dictionary file is deleted from the system. |
Policy Name | File Used | Evaluated Content |
---|---|---|
Default Password | <dbtype>default.txt | All the username/password pairs in the file. |
Username Reversed | <dbtype>user.txt | Each username in the file paired with that same username reversed as the password (for example, scott becomes ttocs). |
Same as Username | <dbtype>user.txt | Each username in the file paired with that same username as the password (for example, scott/scott). |
Username Following Number | <dbtype>user.txt | Each username in the file paired with a password made of one or more digits followed by that username (for example, 1scott). |
Number Following Username | <dbtype>user.txt | Each username in the file paired with a password made of that username followed by one or more digits (for example, scott1). |
Dictionary | <dbtype>user.txt, dictionary.txt | Each username in the <dbtype>user.txt file paired with every password in the dictionary.txt file. |
Filename | Content |
---|---|
<dbtype>default.txt | A list of user name and password pairs used by the Default Password policy. |
<dbtype>user.txt | A list of system or user accounts. The user names in this file are used by every policy except the Default Password policy. |
dictionary.txt | A list of passwords used by the Pen Test Dictionary policy. You can substitute your own dictionary file by setting the Pen Test Password Dictionary property on the Assessment tab of the System Configuration page. Note: when FortiDB executes the Pen Test Dictionary policy, the domain name is automatically added to the password list. |
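Worked example, added here and not part of the FortiDB handbook or product: a Python model of the candidate generation that the policy and file tables describe, run in both of the modes the Pen Test Method property offers. The three input files, the "user/password" separator in default.txt, the digit set tried by the two number policies, the domain name, the stored-hash scheme (a salted SHA-256 stand-in, not the Oracle or MS SQL password hash FortiDB actually verifies) and the lockout threshold of 10 are all assumptions for illustration.

```python
"""Model of the FortiDB pen-test policies (added illustration, not FortiDB code).
The hash scheme is a salted SHA-256 stand-in, not the Oracle or MS SQL hash."""
import hashlib
from collections import Counter
from itertools import product

# Constructed stand-ins for <dbtype>default.txt, <dbtype>user.txt and
# dictionary.txt.  The "user/password" separator in default.txt is an assumption.
DEFAULT_TXT = "scott/tiger\nsystem/manager\n"
USER_TXT = "scott\nsystem\nappuser\n"
DICTIONARY_TXT = "password\nwelcome1\nsummer2013\n"

# The handbook says "one or more numbers" without giving the range FortiDB
# tries; this short list is an assumption for the example.
NUMBERS = ["1", "2", "3", "123"]

POLICIES = ("Default Password", "Username Reversed", "Same as Username",
            "Username Following Number", "Number Following Username",
            "Dictionary")


def parse_lines(text):
    """One entry per non-blank line, as in user.txt and dictionary.txt."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_pairs(text):
    """default.txt entries as (username, password) tuples."""
    return [tuple(ln.split("/", 1)) for ln in parse_lines(text)]


def candidates(policy, users, defaults, dictionary, domain=None):
    """Yield the (username, password) pairs the named policy would try."""
    if policy == "Default Password":
        yield from defaults
    elif policy == "Username Reversed":
        for u in users:
            yield (u, u[::-1])
    elif policy == "Same as Username":
        for u in users:
            yield (u, u)
    elif policy == "Username Following Number":      # digits, then the username
        for u, n in product(users, NUMBERS):
            yield (u, n + u)
    elif policy == "Number Following Username":      # the username, then digits
        for u, n in product(users, NUMBERS):
            yield (u, u + n)
    elif policy == "Dictionary":                     # domain name is appended
        words = list(dictionary) + ([domain] if domain else [])
        for u, w in product(users, words):
            yield (u, w)
    else:
        raise ValueError("unknown policy: %s" % policy)


def stand_in_hash(salt, password):
    """Placeholder for the target's real password hash (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stored-hash table: scott kept the default, appuser appended a
# digit to the account name, system has a strong password.
STORED = {
    "scott": ("s1", stand_in_hash("s1", "tiger")),
    "system": ("s2", stand_in_hash("s2", "Xk9!qz-Lm3")),
    "appuser": ("s3", stand_in_hash("s3", "appuser1")),
}


def offline_pen_test(users, defaults, dictionary, domain, stored=STORED):
    """Hash-based method: each candidate is hashed and compared with the
    stored digest, so no login is attempted and no lockout counter moves."""
    hits = []
    for policy in POLICIES:
        for user, pw in candidates(policy, users, defaults, dictionary, domain):
            if user in stored:
                salt, digest = stored[user]
                if stand_in_hash(salt, pw) == digest:
                    hits.append((user, pw, policy))
    return hits


def login_attempts_per_user(users, defaults, dictionary, domain):
    """Login method: every candidate becomes a real authentication attempt
    against the target; the failed ones count toward its lockout threshold."""
    counts = Counter()
    for policy in POLICIES:
        for user, _ in candidates(policy, users, defaults, dictionary, domain):
            counts[user] += 1
    return dict(counts)


def would_lock_out(attempts, threshold=10):
    """Accounts whose attempt count reaches a FAILED_LOGIN_ATTEMPTS-style
    limit (10 here is an example value; the real one is set per profile)."""
    return sorted(u for u, n in attempts.items() if n >= threshold)


if __name__ == "__main__":
    users = parse_lines(USER_TXT)
    defaults = parse_pairs(DEFAULT_TXT)
    words = parse_lines(DICTIONARY_TXT)
    print(offline_pen_test(users, defaults, words, "corp.example"))
    attempts = login_attempts_per_user(users, defaults, words, "corp.example")
    print(attempts, would_lock_out(attempts))
```

Running it shows the trade-off the Pen Test Method property warns about: the offline check finds the two weak accounts (scott/tiger via Default Password, appuser/appuser1 via Number Following Username) without touching the database, while the Login method would make 14 to 15 attempts per account, enough to reach a lockout limit of 10 on every account, including the one whose password it never guesses.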
FortiDB 5.0.0 Handbook 1st Edition, July 11 2013 © Copyright 2013 Fortinet Inc. All rights reserved. Latest documentation: http://docs.fortinet.com/fdb.html