Path: blob/master/modules/auxiliary/admin/oracle/oraenum.rb
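##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated configuration review of an Oracle database.
#
# Every statement issued here is a SELECT: v$parameter, v$version,
# dba_profiles, sys.user$ / dba_users, dba_role_privs, dba_sys_privs and
# dba_users_with_defpwd. Each finding is printed and stored as a note of
# type 'ORA_ENUM' against RHOST/RPORT.
#
# Handling note: the account listings store "name,password[,spare4]" rows
# (password hashes) in the notes, and the default-hash comparison prints and
# stores the matching default password. Treat the workspace database and any
# console logs produced by a run as credential material.
#
# NOTE(review): prepare_exec and check_dependencies come from
# Msf::Exploit::ORACLE and are not shown here; this code treats the result of
# prepare_exec as an array of comma-joined row strings -- confirm.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::ORACLE

  # Registers the module metadata (name, description, author, license).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Database Enumeration',
      'Description'    => %q{
        This module provides a simple way to scan an Oracle database server
        for configuration parameters that may be useful during a penetration
        test. Valid database credentials must be provided for this module to
        run.
      },
      'Author'         => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
      'License'        => MSF_LICENSE
    ))
  end

  # Runs every check in a fixed order: instance parameters, component
  # versions, auditing, security settings, password policy, account listings,
  # privileged grantees and the default-password check.
  #
  # A check whose view is not visible to the supplied account (ORA-00942)
  # prints an error and the run continues; any other exception propagates.
  #
  # @return [void]
  def run
    return unless check_dependencies

    vparm = ora_enum_parameters

    print_status("Running Oracle Enumeration....")

    # Version Check
    ver = ora_enum_rows('select * from v$version')
    print_status("The versions of the Components are:")
    ver.each do |v|
      print_status("\t#{v.chomp}")
      ora_enum_note("Component Version: #{v.chomp}")
    end

    # Major release number, used to pick version-specific queries below.
    # An empty result or a banner that does not match yields 0.
    majorrel = ver.first.to_s.scan(/Edition Release (\d*)./).join.to_i

    ora_enum_audit_settings(vparm)
    ora_enum_security_settings(vparm, majorrel)
    ora_enum_password_policy
    ora_enum_accounts(majorrel)
    ora_enum_privileged_grantees
    ora_enum_default_passwords(majorrel)
  end

  private

  # Runs a query and always hands back an array, so an empty or nil result
  # leads to an empty listing instead of a NoMethodError.
  def ora_enum_rows(query)
    Array(prepare_exec(query))
  end

  # Stores one finding as an 'ORA_ENUM' note for the target service.
  # Pass update = nil to omit the :update key.
  def ora_enum_note(data, update = :unique_data)
    note = {
      :host  => datastore['RHOST'],
      :proto => 'tcp',
      :sname => 'oracle',
      :port  => datastore['RPORT'],
      :type  => 'ORA_ENUM',
      :data  => data
    }
    note[:update] = update if update
    report_note(note)
  end

  # Yields, turning ORA-00942 into an error line and re-raising anything else.
  def ora_enum_guarded
    yield
  rescue => e
    raise unless e.to_s =~ /ORA-00942: table or view does not exist/
    print_error("It appears you do not have sufficient rights to perform the check")
    nil
  end

  # Prints and records a two-state setting as "<label>: Disabled|Enabled".
  def ora_enum_flag(disabled, label, off_msg, on_msg)
    if disabled
      print_status("\t#{off_msg}")
      ora_enum_note("#{label}: Disabled")
    else
      print_status("\t#{on_msg}")
      ora_enum_note("#{label}: Enabled")
    end
  end

  # Runs a query, then prints the heading and records every returned row.
  # The heading is printed only after the query succeeded.
  def ora_enum_list(query, heading, label)
    ora_enum_guarded do
      rows = ora_enum_rows(query)
      print_status(heading)
      rows.each do |row|
        print_status("\t#{row.chomp}")
        ora_enum_note("#{label} #{row.chomp}")
      end
    end
  end

  # Reads v$parameter into a name => value hash; empty when the view is not
  # readable by the supplied account.
  def ora_enum_parameters
    vparm = {}
    ora_enum_guarded do
      ora_enum_rows('select name,value from v$parameter').each do |row|
        # Limit 2: only the first comma separates name from value, so values
        # that themselves contain commas are kept whole.
        name, value = row.split(",", 2)
        vparm[name.to_s] = value
      end
    end
    vparm
  end

  # Reports audit_trail and audit_sys_operations.
  def ora_enum_audit_settings(vparm)
    print_status("Auditing:")
    if vparm.empty?
      # Without the parameters every comparison below would fall through to
      # its "enabled" branch and record a finding that was never observed.
      print_error("\tInstance parameters could not be read; auditing settings were not determined")
      return
    end

    ora_enum_flag(vparm["audit_trail"] == "NONE", "Audit Trail",
      "Database Auditing is not enabled!",
      "Database Auditing is enabled!")
    ora_enum_flag(vparm["audit_sys_operations"] == "FALSE", "Audit SYS Ops",
      "Auditing of SYS Operations is not enabled!",
      "Auditing of SYS Operations is enabled!")
  end

  # Reports sql92_security, dblink_encrypt_login (releases before 10),
  # utl_file_dir and audit_file_dest.
  def ora_enum_security_settings(vparm, majorrel)
    print_status("Security Settings:")
    if vparm.empty?
      print_error("\tInstance parameters could not be read; security settings were not determined")
      return
    end

    ora_enum_flag(vparm["sql92_security"] == "FALSE", "SQL92",
      "SQL92 Security restriction on SELECT is not Enabled",
      "SQL92 Security restriction on SELECT is Enabled")

    # check for encryption of logins on version before 10g
    if majorrel < 10
      ora_enum_flag(vparm["dblink_encrypt_login"] == "FALSE", "Link Encryption",
        "Link Encryption for Logins is not Enabled",
        "Link Encryption for Logins is Enabled")
    end

    # The note is recorded when a value is present; the original condition
    # recorded it only when the value was missing.
    utl_dir = vparm["utl_file_dir"]
    unless utl_dir.to_s.strip.empty?
      print_status("\tUTL Directory Access is set to #{utl_dir}")
      ora_enum_note("UTL_DIR: #{utl_dir}", nil)
    end

    audit_dest = vparm["audit_file_dest"]
    unless audit_dest.to_s.strip.empty?
      print_status("\tAudit log is saved at #{audit_dest}")
      ora_enum_note("Audit Log Location: #{audit_dest}", nil)
    end
  end

  # Returns the DEFAULT profile's limit for one resource, or nil (after
  # printing an error) when the query returns no row.
  def ora_enum_profile_limit(resource)
    # resource is always one of the literals listed in
    # ora_enum_password_policy, never operator or remote input, so the
    # interpolation cannot carry foreign SQL.
    query = %Q|
      SELECT limit
      FROM dba_profiles
      WHERE resource_name = '#{resource}'
      AND profile = 'DEFAULT'
    |
    row = ora_enum_rows(query).first
    if row.nil?
      print_error("\tNo #{resource} limit was returned for the DEFAULT profile")
      return nil
    end
    row.chomp
  end

  # Reports the DEFAULT profile's password limits and whether a password
  # verify function is configured.
  def ora_enum_password_policy
    print_status("Password Policy:")

    limits = [
      ['PASSWORD_LOCK_TIME', "Current Account Lockout Time is set to",
       "Account Lockout Time"],
      ['FAILED_LOGIN_ATTEMPTS', "The Number of Failed Logins before an account is locked is set to",
       "Account Fail Logins Permitted"],
      ['PASSWORD_GRACE_TIME', "The Password Grace Time is set to",
       "Account Password Grace Time"],
      ['PASSWORD_LIFE_TIME', "The Lifetime of Passwords is set to",
       "Password Life Time"],
      ['PASSWORD_REUSE_TIME', "The Number of Times a Password can be reused is set to",
       "Password Reuse Time"],
      ['PASSWORD_REUSE_MAX', "The Maximum Number of Times a Password needs to be changed before it can be reused is set to",
       "Password Maximum Reuse Time"]
    ]

    # Each limit is guarded on its own, so one unreadable check does not
    # stop the remaining ones. The PASSWORD_REUSE_MAX step no longer repeats
    # the PASSWORD_REUSE_TIME line, which raised when that earlier query had
    # failed.
    limits.each do |resource, status, label|
      ora_enum_guarded do
        value = ora_enum_profile_limit(resource)
        next if value.nil?
        print_status("\t#{status} #{value}")
        ora_enum_note("#{label}: #{value}")
      end
    end

    ora_enum_guarded do
      verify = ora_enum_profile_limit('PASSWORD_VERIFY_FUNCTION')
      next if verify.nil?
      if verify =~ /NULL/
        print_status("\tPassword Complexity is not checked")
        ora_enum_note("Password Complexity is not being checked for new passwords")
      else
        print_status("\tPassword Complexity is being checked")
        ora_enum_note("Password Complexity is being checked for new passwords")
      end
    end
  end

  # Lists active and expired/locked accounts. Rows contain password hashes;
  # see the handling note on the class.
  def ora_enum_accounts(majorrel)
    if majorrel < 11
      active_query = %Q|
        SELECT name, password
        FROM sys.user$
        where password != 'null' and type# = 1 and astatus = 0
      |
      active_heading = "Active Accounts on the System in format Username,Hash are:"

      disabled_query = %Q|
        SELECT username, password
        FROM dba_users
        WHERE account_status = 'EXPIRED & LOCKED'
      |
      disabled_heading = "Expired or Locked Accounts on the System in format Username,Hash are:"
    else
      active_query = %Q|
        SELECT name, password, spare4
        FROM sys.user$
        where password != 'null' and type# = 1 and astatus = 0
      |
      active_heading = "Active Accounts on the System in format Username,Password,Spare4 are:"

      # NOTE(review): AND binds tighter than OR, so "astatus = 9" rows skip
      # the password and type# filters. If both statuses were meant to be
      # filtered alike this should read "astatus in (8, 9)". Left unchanged
      # pending confirmation against a test instance.
      disabled_query = %Q|
        SELECT name, password, spare4
        FROM sys.user$
        where password != 'null' and type# = 1 and astatus = 8 or astatus = 9
      |
      disabled_heading = "Expired or Locked Accounts on the System in format Username,Password,Spare4 are:"
    end

    ora_enum_list(active_query, active_heading, "Active Account")
    ora_enum_list(disabled_query, disabled_heading, "Disabled Account")
  end

  # Lists grantees of the DBA role and of selected system privileges.
  def ora_enum_privileged_grantees
    checks = [
      # The query returns only the grantee, so the heading no longer claims
      # a "Username,Hash" format.
      [%Q|
        SELECT grantee
        FROM dba_role_privs
        WHERE granted_role = 'DBA'
      |, "Accounts with DBA Privilege on the System are:", "Account with DBA Priv"],
      [%Q|
        SELECT grantee
        FROM dba_sys_privs
        WHERE privilege = 'ALTER SYSTEM'
      |, "Accounts with Alter System Privilege on the System are:", "Account with ALTER SYSTEM Priv"],
      [%Q|
        SELECT grantee
        FROM dba_sys_privs
        WHERE privilege = 'JAVA ADMIN'
      |, "Accounts with JAVA ADMIN Privilege on the System are:", "Account with JAVA ADMIN Priv"],
      # NOTE(review): 'CREATE ANY' is presumably meant to be
      # 'CREATE ANY LIBRARY'; as written the second condition is unlikely to
      # match a privilege name -- confirm.
      [%Q|
        select grantee
        from dba_sys_privs
        where privilege = 'CREATE LIBRARY'
        or privilege = 'CREATE ANY'
      |, "Accounts that have CREATE LIBRARY Privilege on the System are:", "Account with CREATE LIBRARY Priv"]
    ]

    checks.each do |query, heading, label|
      ora_enum_list(query, heading, label)
    end
  end

  # Default Password Check: release 11 reads dba_users_with_defpwd; every
  # other release compares stored hashes with the bundled wordlist.
  def ora_enum_default_passwords(majorrel)
    ora_enum_guarded do
      print_status("Default password check:")
      # NOTE(review): the comparison is "== 11", so releases above 11 take
      # the hash-comparison branch -- confirm that is intended.
      if majorrel == 11
        ora_enum_rows('SELECT * FROM dba_users_with_defpwd').each do |dp|
          print_status("\tThe account #{dp.chomp} has a default password.")
          ora_enum_note("Account with Default Password #{dp.chomp}")
        end
      else
        ora_enum_default_hash_matches
      end
    end
  end

  # Compares hashes from sys.user$ with the third comma-separated field of
  # each line in data/wordlists/oracle_default_hashes.txt and reports the
  # first two fields of every matching line.
  def ora_enum_default_hash_matches
    query = %Q|
      SELECT name, password
      FROM sys.user$
      where password != 'null' and type# = 1
    |
    ordfltpss = ::File.join(Msf::Config.data_directory, "wordlists", "oracle_default_hashes.txt")

    accts = {}
    ora_enum_rows(query).each do |record|
      user, pass = record.split(",")
      next if pass.nil? # row without a hash field
      accts[pass.chomp] = user
    end

    unless ::File.readable?(ordfltpss)
      print_error("\tDefault hash wordlist is not readable: #{ordfltpss}")
      return
    end

    # Block form closes the file handle even if a note fails to save.
    ::File.open(ordfltpss, "rb") do |fd|
      fd.each_line do |l|
        accrcrd = l.split(",")
        next unless accts.has_key?(accrcrd[2])
        print_status("\tDefault pass for account #{accrcrd[0]} is #{accrcrd[1]} ")
        ora_enum_note("Account with Default Password #{accrcrd[0]} is #{accrcrd[1]}")
      end
    end
  end
end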