Path: blob/master/modules/auxiliary/admin/oracle/oraenum.rb
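##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated configuration review of an Oracle database: version banner,
# auditing and security parameters, the DEFAULT profile's password policy,
# account listings, privileged grantees and default passwords.
#
# Every finding is printed and also stored as an ORA_ENUM note. Several of
# those notes carry account names together with password hashes (see
# #enum_accounts and #enum_default_passwords), so the workspace database and
# anything exported from it should be handled as credential material.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::ORACLE

  # Limits of the DEFAULT profile that are read and reported verbatim.
  # Each entry is [resource_name, console text, note label].
  PROFILE_LIMITS = [
    ['PASSWORD_LOCK_TIME', 'Current Account Lockout Time is set to', 'Account Lockout Time'],
    ['FAILED_LOGIN_ATTEMPTS', 'The Number of Failed Logins before an account is locked is set to', 'Account Fail Logins Permitted'],
    ['PASSWORD_GRACE_TIME', 'The Password Grace Time is set to', 'Account Password Grace Time'],
    ['PASSWORD_LIFE_TIME', 'The Lifetime of Passwords is set to', 'Password Life Time'],
    ['PASSWORD_REUSE_TIME', 'The Number of Times a Password can be reused is set to', 'Password Reuse Time'],
    ['PASSWORD_REUSE_MAX', 'The Maximum Number of Times a Password needs to be changed before it can be reused is set to', 'Password Maximum Reuse Time']
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Database Enumeration',
        'Description' => %q{
          This module provides a simple way to scan an Oracle database server
          for configuration parameters that may be useful during a penetration
          test. Valid database credentials must be provided for this module to
          run.
        },
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
  end

  # Stores one finding as an ORA_ENUM note for the configured RHOST/RPORT.
  #
  # @param note_data [String, Hash] the finding to record
  def report_ora_enum_note(note_data)
    report_note(
      host: datastore['RHOST'],
      proto: 'tcp',
      sname: 'oracle',
      port: datastore['RPORT'],
      type: 'ORA_ENUM',
      data: note_data,
      update: :unique_data
    )
  end

  # Runs the block and converts ORA-00942 (the view is not visible to the
  # connected account) into an error message so that the remaining checks
  # still run. Any other error is re-raised unchanged.
  def with_rights_check
    yield
  rescue StandardError => e
    raise e unless e.to_s =~ /ORA-00942: table or view does not exist/

    print_error('It appears you do not have sufficient rights to perform the check')
  end

  # Reads v$parameter into a name => value hash.
  #
  # Rows are split on the first comma only: a parameter value may itself
  # contain commas (a list of directories, for example) and would otherwise be
  # cut off after its first element.
  #
  # @return [Hash{String => String}] empty when the view could not be read
  def load_parameters
    vparm = {}
    with_rights_check do
      prepare_exec('select name,value from v$parameter').each do |row|
        name, value = row.split(',', 2)
        vparm[name.to_s] = value
      end
    end
    vparm
  end

  # Prints and records every line of v$version.
  #
  # @return [Integer] the number following "Edition Release" in the first
  #   line, or 0 when that text is absent (0 is then treated as "older than
  #   10" by the callers)
  def enum_versions
    ver = prepare_exec('select * from v$version')
    print_status('The versions of the Components are:')
    ver.each do |v|
      print_status("\t#{v.chomp}")
      report_ora_enum_note({ :component_version => v.chomp })
    end

    # Saving Major Release Number for other checks
    ver[0].scan(/Edition Release (\d*)./).join.to_i
  end

  # Reports whether audit_trail and audit_sys_operations are switched on.
  #
  # @param vparm [Hash{String => String}] values from v$parameter
  def enum_auditing(vparm)
    print_status('Auditing:')
    if vparm['audit_trail'] == 'NONE'
      print_status("\tDatabase Auditing is not enabled!")
      report_ora_enum_note({ :audit_trail => 'Disabled' })
    else
      print_status("\tDatabase Auditing is enabled!")
      report_ora_enum_note({ :audit_trail => 'Enabled' })
    end

    if vparm['audit_sys_operations'] == 'FALSE'
      print_status("\tAuditing of SYS Operations is not enabled!")
      report_ora_enum_note({ :audit_sys_ops => 'Disabled' })
    else
      print_status("\tAuditing of SYS Operations is enabled!")
      report_ora_enum_note({ :audit_sys_ops => 'Enabled' })
    end
  end

  # Reports sql92_security, dblink_encrypt_login (releases before 10 only),
  # utl_file_dir and audit_file_dest.
  #
  # @param vparm [Hash{String => String}] values from v$parameter
  # @param major [Integer] major release number from #enum_versions
  def enum_security_settings(vparm, major)
    print_status('Security Settings:')
    if vparm['sql92_security'] == 'FALSE'
      print_status("\tSQL92 Security restriction on SELECT is not Enabled")
      report_ora_enum_note('SQL92: Disabled')
    else
      print_status("\tSQL92 Security restriction on SELECT is Enabled")
      report_ora_enum_note('SQL92: Enabled')
    end

    # check for encryption of logins on version before 10g
    if major < 10
      if vparm['dblink_encrypt_login'] == 'FALSE'
        print_status("\tLink Encryption for Logins is not Enabled")
        report_ora_enum_note('Link Encryption: Disabled')
      else
        print_status("\tLink Encryption for Logins is Enabled")
        report_ora_enum_note('Link Encryption: Enabled')
      end
    end

    # The notes below used to be guarded by `if !value`, i.e. they were only
    # written when there was nothing to record. They are now written when the
    # parameter actually has a value.
    utl_dir = vparm['utl_file_dir']
    unless utl_dir.to_s.strip.empty?
      print_status("\tUTL Directory Access is set to #{utl_dir}")
      report_ora_enum_note("UTL_DIR: #{utl_dir}")
    end

    audit_dest = vparm['audit_file_dest']
    print_status("\tAudit log is saved at #{audit_dest}")
    report_ora_enum_note("Audit Log Location: #{audit_dest}") unless audit_dest.to_s.strip.empty?
  end

  # Fetches one limit of the DEFAULT profile from dba_profiles.
  #
  # resource_name is only ever a literal from this file (PROFILE_LIMITS or
  # 'PASSWORD_VERIFY_FUNCTION'); it must never be fed from a datastore option
  # or any other external value, because it is interpolated into the SQL text.
  #
  # @param resource_name [String] value of dba_profiles.resource_name
  # @return [Array<String>] rows returned by prepare_exec
  def default_profile_limit(resource_name)
    prepare_exec(%(
      SELECT limit
      FROM dba_profiles
      WHERE resource_name = '#{resource_name}'
      AND profile = 'DEFAULT'
    ))
  end

  # Reports the password policy of the DEFAULT profile. Each limit is checked
  # independently, so a failure on one of them cannot affect the others (the
  # PASSWORD_REUSE_MAX check used to re-print the PASSWORD_REUSE_TIME result
  # and failed when that earlier lookup had been denied).
  def enum_password_policy
    print_status('Password Policy:')
    PROFILE_LIMITS.each do |resource_name, status_text, note_label|
      with_rights_check do
        limit = default_profile_limit(resource_name)[0].chomp
        print_status("\t#{status_text} #{limit}")
        report_ora_enum_note("#{note_label}: #{limit}")
      end
    end

    with_rights_check do
      if default_profile_limit('PASSWORD_VERIFY_FUNCTION')[0] =~ /NULL/
        print_status("\tPassword Complexity is not checked")
        report_ora_enum_note('Password Complexity is not being checked for new passwords')
      else
        print_status("\tPassword Complexity is being checked")
        report_ora_enum_note('Password Complexity is being checked for new passwords')
      end
    end
  end

  # Runs a query, prints the heading, then prints and records every row.
  #
  # @param query [String] SQL text (always a literal from this file)
  # @param heading [String] line printed before the rows
  # @param note_prefix [String] text put in front of each row in the note
  def list_rows(query, heading, note_prefix)
    rows = prepare_exec(query)
    print_status(heading)
    rows.each do |row|
      print_status("\t#{row.chomp}")
      report_ora_enum_note("#{note_prefix} #{row.chomp}")
    end
  end

  # Lists active and expired/locked accounts.
  #
  # The rows include the password and, from release 11 on, spare4 columns, so
  # both the console output and the stored notes contain password hashes.
  #
  # @param major [Integer] major release number from #enum_versions
  def enum_accounts(major)
    with_rights_check do
      if major < 11
        list_rows(
          %(
            SELECT name, password
            FROM sys.user$
            where password != 'null' and type# = 1 and astatus = 0
          ),
          'Active Accounts on the System in format Username,Hash are:',
          'Active Account'
        )
      else
        list_rows(
          %(
            SELECT name, password, spare4
            FROM sys.user$
            where password != 'null' and type# = 1 and astatus = 0
          ),
          'Active Accounts on the System in format Username,Password,Spare4 are:',
          'Active Account'
        )
      end
    end

    with_rights_check do
      if major < 11
        list_rows(
          %(
            SELECT username, password
            FROM dba_users
            WHERE account_status = 'EXPIRED & LOCKED'
          ),
          'Expired or Locked Accounts on the System in format Username,Hash are:',
          'Disabled Account'
        )
      else
        # AND binds tighter than OR in SQL: without the parentheses the
        # password and type# filters applied to astatus = 8 only, and every
        # row with astatus = 9 was returned regardless of them.
        list_rows(
          %(
            SELECT name, password, spare4
            FROM sys.user$
            where password != 'null' and type# = 1 and (astatus = 8 or astatus = 9)
          ),
          'Expired or Locked Accounts on the System in format Username,Password,Spare4 are:',
          'Disabled Account'
        )
      end
    end
  end

  # Lists the grantees of the DBA role and of the ALTER SYSTEM, JAVA ADMIN and
  # CREATE LIBRARY privileges. Only the grantee column is selected, so the
  # DBA heading no longer claims a "Username,Hash" format.
  def enum_privileged_accounts
    with_rights_check do
      list_rows(
        %(
          SELECT grantee
          FROM dba_role_privs
          WHERE granted_role = 'DBA'
        ),
        'Accounts with DBA Privilege on the System are:',
        'Account with DBA Priv'
      )
    end

    with_rights_check do
      list_rows(
        %(
          SELECT grantee
          FROM dba_sys_privs
          WHERE privilege = 'ALTER SYSTEM'
        ),
        'Accounts with Alter System Privilege on the System are:',
        'Account with ALTER SYSTEM Priv'
      )
    end

    with_rights_check do
      list_rows(
        %(
          SELECT grantee
          FROM dba_sys_privs
          WHERE privilege = 'JAVA ADMIN'
        ),
        'Accounts with JAVA ADMIN Privilege on the System are:',
        'Account with JAVA ADMIN Priv'
      )
    end

    with_rights_check do
      # NOTE(review): 'CREATE ANY' does not look like a complete privilege
      # name; 'CREATE ANY LIBRARY' may have been intended - confirm before
      # relying on this list being exhaustive.
      list_rows(
        %(
          select grantee
          from dba_sys_privs
          where privilege = 'CREATE LIBRARY'
          or privilege = 'CREATE ANY'
        ),
        'Accounts that have CREATE LIBRARY Privilege on the System are:',
        'Account with CREATE LIBRARY Priv'
      )
    end
  end

  # Reports accounts that still use a default password.
  #
  # Release 11 is asked directly through dba_users_with_defpwd. Every other
  # release has its sys.user$ hashes compared with the bundled
  # oracle_default_hashes.txt wordlist.
  # NOTE(review): only `major == 11` takes the first branch; confirm whether
  # later releases were meant to use it as well.
  #
  # @param major [Integer] major release number from #enum_versions
  def enum_default_passwords(major)
    with_rights_check do
      print_status('Default password check:')
      if major == 11
        prepare_exec(%(
          SELECT * FROM dba_users_with_defpwd
        )).each do |dp|
          print_status("\tThe account #{dp.chomp} has a default password.")
          report_ora_enum_note("Account with Default Password #{dp.chomp}")
        end
      else
        ordfltpss = File.join(Msf::Config.data_directory, 'wordlists', 'oracle_default_hashes.txt').to_s
        accts = {}
        prepare_exec(%(
          SELECT name, password
          FROM sys.user$
          where password != 'null' and type# = 1
        )).each do |record|
          user, pass = record.split(',')
          accts[pass.chomp.to_s] = user
        end

        # Block form closes the wordlist handle; the previous
        # File.open(...).each_line left it open until garbage collection.
        ::File.open(ordfltpss, 'rb') do |wordlist|
          wordlist.each_line do |l|
            accrcrd = l.split(',')
            next unless accts.key?(accrcrd[2])

            print_status("\tDefault pass for account #{accrcrd[0]} is #{accrcrd[1]} ")
            report_ora_enum_note("Account with Default Password #{accrcrd[0]} is #{accrcrd[1]}")
          end
        end
      end
    end
  end

  # Entry point: runs every check in turn against the configured database.
  def run
    return if !check_dependencies

    # Get all values from v$parameter
    vparm = load_parameters

    print_status('Running Oracle Enumeration....')
    major = enum_versions

    if vparm.empty?
      # Without any parameter values every comparison below would fall into
      # its "enabled" branch and record a finding that was never observed.
      print_error('No v$parameter values could be read; skipping the Auditing and Security Settings checks')
    else
      enum_auditing(vparm)
      enum_security_settings(vparm, major)
    end

    enum_password_policy
    enum_accounts(major)
    enum_privileged_accounts
    enum_default_passwords(major)
  end
end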