Files used for penetration tests
Penetration test policies use username and password information stored in a set of text files to assess databases.
For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary.
In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files. The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <dbtype>default.txt and <dbtype>user.txt, where <dbtype> specifies the type of database using one of the following strings:
- ora for Oracle
- sql for MS-SQL
- db2 for DB2
- syb for Sybase
- mysql for MySQL
If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, <dbtype>default.txt and <dbtype>user.txt files.
Policy name | File | Content evaluated |
---|---|---|
Default Password | <dbtype>default.txt | All the username-password pairs in the file. The values in |
Dictionary | <dbtype>user.txt, dictionary.txt | The pairing of each username in the Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list. |
Number Following Username | <dbtype>user.txt | The pairing of usernames in the file with a password created by adding one or more numbers to the end of the username. |
Same as Username | <dbtype>user.txt | The pairing of usernames in the file with a password that is the same as the username. |
Username Following Number | <dbtype>user.txt | The pairing of usernames in the file with a password created by adding one or more numbers to the beginning of the username. |
Username Reversed | <dbtype>user.txt | The pairing of usernames in the file with a password created by spelling the username backwards. |
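
The four username-derived rows of the table can also be enforced as a check when a database password is set or rotated, so that these policies find nothing later. The following is an added example, not FortiDB code: the function names, the case-insensitive comparison and the sample accounts are assumptions, and the Default Password and Dictionary policies are not covered because they depend on file contents.

```python
import re

def matched_policy(username: str, password: str):
    """Return the name of the username-derived pen test policy from the
    table that would pair this password with this username, else None."""
    # Assumption: compare case-insensitively so "ALICE" is treated like "alice".
    u, p = username.casefold(), password.casefold()
    if not u:
        return None
    if p == u:
        return "Same as Username"
    if p == u[::-1]:
        return "Username Reversed"
    # One or more digits appended to the username.
    if re.fullmatch(re.escape(u) + r"[0-9]+", p):
        return "Number Following Username"
    # One or more digits placed in front of the username.
    if re.fullmatch(r"[0-9]+" + re.escape(u), p):
        return "Username Following Number"
    return None

def audit(accounts):
    """accounts: iterable of (username, proposed_password) pairs.
    Returns {username: policy} for every pair one of the policies would find."""
    findings = {}
    for user, pw in accounts:
        policy = matched_policy(user, pw)
        if policy:
            findings[user] = policy
    return findings

# Constructed sample input, not real accounts.
SAMPLE = [
    ("alice", "ALICE"),
    ("report", "report2024"),
    ("etl", "1etl"),
    ("backup", "pukcab"),
    ("appuser", "T7#qLw9!vZ"),
]

if __name__ == "__main__":
    for user, policy in audit(SAMPLE).items():
        print(f"{user}: rejected, matches '{policy}'")
```
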