Nmap Development mailing list archives

Re: Script suggestion - oracle


From: Martin Holst Swende <martin () swende se>
Date: Thu, 04 Oct 2012 09:48:43 +0200

On 09/30/2012 05:46 AM, Dhiru Kholia wrote:
> On Sat, Sep 29, 2012 at 10:40 PM, David Fifield <david () bamsoftware com> wrote:
> > On Fri, Sep 28, 2012 at 10:59:14AM +0200, Martin Holst Swende wrote:
> > > I took a look at this
> > > http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol
> > >
> > > Then checked tns.lua. Patrik has implemented TNS far enough it seems;
> > > there is implementation support for enumerating users and getting the
> > > salt (auth["AUTH_VFR_DATA"]) and session key.
> > >
> > > As I interpret the info given above and in the comments on
> > > http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
> > > it seems like the session key is encrypted with SHA1(salt+pw), and it
> > > is possible to determine whether the decryption is correct or not, and
> > > thereby determine what the password is.
> > >
> > > More info about this will probably be released soon; it would be a solid
> > > script to add to NSE. Since enumeration is already implemented, a script
> > > could just get all users and their passwords in one go. That's pretty
> > > awesome.
>
> I have authored JtR and Ettercap plug-ins to exploit the cryptographic
> flaw in Oracle Database authentication protocol. See
> http://www.openwall.com/lists/john-users/2012/09/29/2
>
> ✗ ../run/john -fo:o5logon -t
> Benchmarking: Oracle O5LOGON protocol [32/64]... DONE
> Raw:    748982 c/s real, 754370 c/s virtual
>
> This is ~2.5X faster than Marcel's tool
> (http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol).
>
> oracle-brute.nse script is failing for me. I have sent an email to
> Patrik (along with .pcap files) to debug the issue. Once this is
> sorted out, I will try to figure out how to do a stealth attack against
> Oracle databases.

I'd suggest that we just modify oracle-enum-users to dump out
the salt and auth_vfr_data in a format which can be consumed by john,
instead of actually adding password cracking. That is the same approach
as in http-domino-enum-users, where the script output tells the user
what jtr --format to use for the hashes.
/Martin
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
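The output format Martin proposes above, sketched as a stand-alone Python example (added here; not the oracle-enum-users script nor anything from the Nmap or john projects). It takes the per-user AUTH_SESSKEY and AUTH_VFR_DATA values the TNS handshake returns, validates their lengths, and emits lines for john, telling the user which --format to run. The `$o5logon$<sesskey>*<salt>` layout is my reading of john's o5logon format and the 48/10-byte lengths are assumptions for 11g; check both against the john version in use.

```python
"""Turn O5LOGON handshake values into input lines for john --format=o5logon.

Constructed example for the nmap-dev discussion; the hash-line layout and
field lengths are assumptions, verify them against john's o5logon format.
"""
import re

SESSKEY_LEN = 48   # AUTH_SESSKEY: assumed 48 bytes (96 hex chars) in the reply
VFR_DATA_LEN = 10  # AUTH_VFR_DATA (salt): assumed 10 bytes (20 hex chars)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_hex(value, expected_len, name):
    """Validate a hex field from the TNS reply; return it upper-cased."""
    if not HEX_RE.match(value) or len(value) != expected_len * 2:
        raise ValueError("%s: expected %d hex bytes, got %r" % (name, expected_len, value))
    return value.upper()


def to_john_line(user, auth):
    """Build one john line 'user:$o5logon$<sesskey>*<salt>'.

    Returns None when the reply carried no session key or salt, so the
    caller can report such accounts instead of emitting a broken line.
    """
    sesskey = auth.get("AUTH_SESSKEY")
    salt = auth.get("AUTH_VFR_DATA")
    if not sesskey or not salt:
        return None
    sesskey = check_hex(sesskey, SESSKEY_LEN, "AUTH_SESSKEY")
    salt = check_hex(salt, VFR_DATA_LEN, "AUTH_VFR_DATA")
    return "%s:$o5logon$%s*%s" % (user, sesskey, salt)


def dump_for_john(results):
    """results: {user: auth table}. Returns (john lines, users without data)."""
    lines, skipped = [], []
    for user, auth in sorted(results.items()):
        line = to_john_line(user, auth)
        (lines if line else skipped).append(line or user)
    return lines, skipped


# Constructed sample values, not real captures: 96 and 20 hex characters.
SAMPLE = {
    "SYSTEM": {"AUTH_SESSKEY": "AB" * 48, "AUTH_VFR_DATA": "0102030405060708090A"},
    "NOSUCHUSER": {},  # reply carried no AUTH_SESSKEY / AUTH_VFR_DATA
}

if __name__ == "__main__":
    lines, skipped = dump_for_john(SAMPLE)
    print("\n".join(lines))
    print("No auth data for: %s" % ", ".join(skipped))
    print("Crack with: john --format=o5logon <file>")
```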