DBPwAudit – Database Password Auditing Tool

By Cyb3rw0rM -


DBPwAudit is a Java database password auditing tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory.

Configuration is performed in two files, the aliases.conf file is used to map drivers to aliases and the rules.conf tells the application how to handle error messages from the scan.


The tool has been tested and known to work with:

– Microsoft SQL Server 2000/2005
– Oracle 8/9/10/11
– IBM DB2 Universal Database


The tool is pre-configured for these drivers but does not ship with them, due to licensing issues. The links below can be used to find some of the drivers. They should all be copied to the jdbc directory.

Links to JDBC Drivers:

– Microsoft SQL Server 2005
– Microsoft SQL Server 2000
– Oracle


root@Cyb3rw0rM:~# dbpwaudit
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]

-s – Server name or address.
-p – Port of database server/instance.
-d – Database/Instance name to audit.
-D – The alias of the driver to use (-L for aliases)
-U – File containing usernames to guess.
-P – File containing passwords to guess.
-L – List driver aliases.

Scan the SQL server (-s, using the specified database (-d testdb) and driver (-D MySQL) using the root username (-U root) and password dictionary (-P /usr/share/wordlists/nmap.lst):

root@Cyb3rw0rM:~# dbpwaudit -s -d testdb -D MySQL -U root -P /usr/share/wordlists/nmap.lst