Re: Script suggestion - oracle

[David Fifield <david () bamsoftware com>]

On Fri, Sep 28, 2012 at 10:59:14AM +0200, Martin Holst Swende wrote:
> I took a look at this
> http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol   
>
> Then checked tns.lua. Patrik has implemented TNS far enough it seems,
> there is implementation support for enumerating users and getting the
> salt (auth["AUTH_VFR_DATA"] ) and session key.
>
> As I interpret the info given above and in the comments on
> http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
> ), it seems like the session key is encrypted with SHA1(salt+pw), and it
> is possible to determine whether the decryption is correct or not, and
> thereby determine what the password is.
>
> More info about this will probably be released soon, would be solid
> script to add to NSE. Since enumeration is already implemented, a script
> could just get all users and their passwords in one go. That's pretty
> awesome.

I made a script ideas entry for it.

https://secwiki.org/w/Nmap/Script_Ideas#oracle-dump-hashes

oracle-dump-hashes might not be the best name. I was thinking the script
could just dump the keys or hashes or whatever, and an offline tool (or
postrule script) could crack them.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/