Files used for penetration tests
Penetration test policies use username and password information stored in a set of text files to assess databases.
For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary.
In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files. The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <dbtype>default.txt and <dbtype>user.txt, where <dbtype> specifies the type of database using one of the following strings:
ora for Oracle
sql for MS-SQL
db2 for DB2
syb for Sybase
mysql for MySQL
If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, <dbtype>default.txt and <dbtype>user.txt files.
| Policy name | File | Content evaluated |
| --- | --- | --- |
| Default Password | <dbtype>default.txt | All the username-password pairs in the file. The values in <dbtype>default.txt represent system accounts that ship with an RDBMS and their default passwords. For example, for Oracle, SYS, SYSTEM, and SCOTT, and for Microsoft SQL, SA. |
| Dictionary | <dbtype>user.txt, dictionary.txt | The pairing of each username in the <dbtype>user.txt file with every password in the dictionary.txt file. Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list. |
| Number Following Username | <dbtype>user.txt | The pairing of usernames in the file with a password created by adding one or more numbers to the end of the username. |
| Same as Username | <dbtype>user.txt | The pairing of usernames in the file with a password that is the same as the username. |
| Username Following Number | <dbtype>user.txt | The pairing of usernames in the file with a password created by adding one or more numbers to the beginning of the username. |
| Username Reversed | <dbtype>user.txt | The pairing of usernames in the file with a password created by spelling the username backwards. |
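The password classes in the table above can also be enforced when a database password is set or rotated, so that accounts do not fail these policies later. The following is an added example, not FortiDB code: the function names, case-insensitive matching, the reading of "numbers" as ASCII digits, and all sample values are assumptions.

```python
"""Reject passwords that fall into the classes the pen test policies try."""
import re


def weak_password_classes(username, password, default_pairs=(),
                          dictionary=(), domain=None):
    """Return the policy names whose candidate set contains this pair.

    Assumptions (not stated on the page): comparison ignores case,
    "one or more numbers" means one or more ASCII digits, and the
    account is one of the usernames the assessment tests.
    """
    user, pwd = username.casefold(), password.casefold()
    if not user:
        raise ValueError("username must not be empty")
    hits = []
    if (user, pwd) in {(u.casefold(), p.casefold()) for u, p in default_pairs}:
        hits.append("Default Password")
    words = {w.casefold() for w in dictionary}
    if domain:
        # The Dictionary policy adds the domain name to the password list.
        words.add(domain.casefold())
    if pwd in words:
        hits.append("Dictionary")
    if pwd == user:
        hits.append("Same as Username")
    if re.fullmatch(re.escape(user) + r"[0-9]+", pwd):
        hits.append("Number Following Username")
    if re.fullmatch(r"[0-9]+" + re.escape(user), pwd):
        hits.append("Username Following Number")
    if pwd == user[::-1]:
        hits.append("Username Reversed")
    return hits


def audit(accounts, **sources):
    """Map each flagged username to the classes its password falls into."""
    return {u: c for u, p in accounts
            if (c := weak_password_classes(u, p, **sources))}


if __name__ == "__main__":
    # Constructed sample accounts and word list, for illustration only.
    sample = [("appuser", "appuser2024"), ("report", "troper"),
              ("svc", "corp.example"), ("etl", "V7#quiet-Harbor-91")]
    findings = audit(sample, dictionary=["welcome"], domain="corp.example")
    for name, classes in findings.items():
        print(f"{name}: {', '.join(classes)}")
```

A username that reads the same in both directions is reported under both Same as Username and Username Reversed, since the two candidate passwords coincide.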
See also
Configuring and running penetration test assessments