Re: Script suggestion - oracle

[Richard Miles <richard.k.miles () googlemail com>]

Hi Dhiru

With the latest patch (attached) output is improved,
> ✗ ./nmap --script oracle-brute-stealth -p 1521 --script-args
>
> oracle-brute-stealth.sid=ORCL,userdb=/home/user/userdb,passdb=/home/user/passdb
> 192.168.2.253
>
> Starting Nmap 6.02 ( http://nmap.org ) at 2012-10-06 16:03 IST
> Nmap scan report for 192.168.2.253
> Host is up (0.00027s latency).
> PORT     STATE SERVICE
> 1521/tcp open  oracle
> | oracle-brute-stealth:
> |   Accounts
> |
> sys:$o5logon$022BE241D8412D17171EB9740F3E2EF8087D39AEAEA547721A3860148EE28420B37F329CE80E9B62A4E9586A2BF1715F*5B624C20405D6C0FCCC3
> - Hashed valid or invalid credentials
> |
> test:$o5logon$3DD61959DB37F02CE0F60F64FE0DCBEB27FD2F357E7F4E5789F37999399FD0562D4126F360FF58DF349142B2F2ABA36E*72C21891D052649660F2
> - Hashed valid or invalid credentials
> |   Statistics
> |_    Performed 4 guesses in 1 seconds, average tps: 4
>
> Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

What is the difference of the value returned at "Accounts" and "Hashed
valid or invalid credentials"?

I was curious, what about if you try your script for example with 250 users
and the database contains only 3. Will the script return the O5LOGON hashes
for all of them? Or just for the valid ones? If just for the valid ones,
how do you identify it?

My understanding is that remote user enumeration is just possible in old
versions of Oracle and not recent ones like 11G. Am I, wrong?

Thanks and again, congrats for your great script.


> --
> Cheers,
> Dhiru
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/