Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/oracle/sid_enum.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::TNS

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Oracle TNS Listener SID Enumeration',

16
        'Description' => %q{

17
          This module simply queries the TNS listener for the Oracle SID.

18
          With Oracle 9.2.0.8 and above the listener will be protected and

19
          the SID will have to be bruteforced or guessed.

20
        },

21
        'Author' => [ 'CG', 'MC' ],

22
        'License' => MSF_LICENSE,

23
        'DisclosureDate' => '2009-01-07',

24
        'Notes' => {

25
          'Reliability' => UNKNOWN_RELIABILITY,

26
          'Stability' => UNKNOWN_STABILITY,

27
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

28
        }

29
      )

30
    )

31


32
    register_options(

33
      [

34
        Opt::RPORT(1521)

35
      ]

36
    )

37
  end

38


39
  def run_host(ip)

40
    begin

41
      connect

42


43
      pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")

44


45
      sock.put(pkt)

46


47
      select(nil, nil, nil, 0.5)

48


49
      data = sock.get_once

50


51
      if (data and data =~ /ERROR_STACK/)

52
        print_error("TNS listener protected for #{ip}...")

53
      else

54
        if (not data)

55
          print_error("#{ip} Connection but no data")

56
        else

57
          sid = data.scan(/INSTANCE_NAME=([^\)]+)/)

58
          sid.uniq.each do |s|

59
            report_note(

60
              :host => ip,

61
              :port	=> rport,

62
              :type => "oracle_sid",

63
              :data => {

64
                :port => rport,

65
                :sid => s

66
              },

67
              :update	=> :unique_data

68
            )

69
            print_good("Identified SID for #{ip}:#{rport} #{s}")

70
          end

71
          service_name = data.scan(/SERVICE_NAME=([^\)]+)/)

72
          service_name.uniq.each do |s|

73
            report_note(

74
              :host => ip,

75
              :port	=> rport,

76
              :type => "oracle_service_name",

77
              :data => {

78
                :port => rport,

79
                :service_name => s

80
              },

81
              :update	=> :unique_data

82
            )

83
            print_status("Identified SERVICE_NAME for #{ip}:#{rport} #{s}")

84
          end

85
        end

86
      end

87
      disconnect

88
    rescue ::Rex::ConnectionError

89
    rescue ::Errno::EPIPE

90
    end

91
  end

92
end

93


94