Nmap Development mailing list archives

Re: [NSE] oracle-brute


From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 5 Sep 2011 19:59:20 +0200


On Sep 5, 2011, at 7:10 PM, David Fifield wrote:

On Mon, Sep 05, 2011 at 10:15:49AM +0200, Patrik Karlsson wrote:
Hi all,

I've just committed an updated version of the oracle-brute script.
There are a few changes including the change to a connection pool and
better suited set of credentials to guess.

Instead of using the nmap user- and pass-lists it now defaults to a
list of common oracle credentials. I ended up creating a new list of
common credentials because I didn't want to spend more time trying to
figure out how to get some of the good ones properly licensed.

#!comment: This password file was created from the hashes in dfltpass.sql a
#!comment: script created by Oracle to scan databases for default credentials.

Is this dfltpass.sql the same as http://www.unicle.co.uk/prdb/scripts/dfltpass.html?

If so, that file says "Copyright (c) 2005, 2006, Oracle. All rights
reserved." so it might not be acceptable. Did you have to reverse the
hashes from that script?

I actually ran these hashes through John the ripper, so I'm not sure where that leaves us.


We might want to filter the file down anyways, because according to the
script the credentials come from "Database, iAS, OCS, EM, E-Business
Suite, PeopleSoft and JD Edwards." There are some credentials that look
specific to those organizations, like CARRIECONYERS/CARRIECONYERS,
DAVIDMORGAN/DAVIDMORGAN, and KELLYJONES/KELLYJONES. There are others
that might be people's initials. This is like how we filter out
"rockyou" from the RockYou password list because it's not suitable for
general password guessing.

Sounds reasonable, although I must admit that I myself won't be able to distinguish what belongs where.
Maybe we should start reasonably small with the most common ones, e.g. sys/change_on_install, system/manager etc., and build from there?
Please advise on how to proceed with this. Should I remove the list for now?


David Fifield

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/