metasploit-framework/modules/auxiliary/admin/oracle/sid_brute.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Report
	include Msf::Exploit::Remote::TNS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ORACLE SID Brute Forcer.',
			'Description'    => %q{
				This module simply attempts to discover the protected SID.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
                        'References'     =>
				[
					[ 'URL', 'https://www.metasploit.com/users/mc' ],
					[ 'URL' , 'http://www.red-database-security.com/scripts/sid.txt' ],
				],
			'DisclosureDate' => 'Jan 7 2009'))

                        register_options( 
                                [
                                        Opt::RPORT(1521),
					OptString.new('SLEEP', [ false,   'Sleep() amount between each request.', '1']),
					OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
                                ], self.class)

	end

	def run

		s    = datastore['SLEEP']
		list = datastore['SIDFILE']

		print_status("Starting brute force on #{rhost}, using sids from #{list}...")
		
		fd = File.open(list).each do |sid|
	
		login = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=MSF)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{rhost})(PORT=#{rport})))"

		pkt = tns_packet(login)

		begin
			connect
		rescue => e
			print_error("#{e}")
			disconnect
			return
		end

		sock.put(pkt)

		sleep(s.to_i)

		res = sock.get_once(-1,3)

		disconnect

		 	if ( res and res =~ /ERROR_STACK/ )
				''
			else
				report_auth_info(:host => rhost, :proto => 'tns', :port => rport, :type => 'bruteforced_sid', :data => "#{sid.strip}")
				print_status("Found SID '#{sid.strip!}' for host #{rhost}.")
			end
		end

		print_status("Done with brute force...")
		fd.close

	end
end
added auxiliary module sid_brute.rb and sid.txt wordlist. git-svn-id: file:///home/svn/framework3/trunk@6807 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 00:03:50 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Auxiliary::Report`
			`include Msf::Exploit::Remote::TNS`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'ORACLE SID Brute Forcer.',`
			`'Description' => %q{`
			`This module simply attempts to discover the protected SID.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'URL', 'https://www.metasploit.com/users/mc' ],`
			`[ 'URL' , 'http://www.red-database-security.com/scripts/sid.txt' ],`
			`],`
			`'DisclosureDate' => 'Jan 7 2009'))`

			`register_options(`
			`[`
			`Opt::RPORT(1521),`
			`OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']),`
			`OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),`
			`], self.class)`

			`end`

			`def run`

			`s = datastore['SLEEP']`
			`list = datastore['SIDFILE']`

			`print_status("Starting brute force on #{rhost}, using sids from #{list}...")`

			`fd = File.open(list).each do \|sid\|`

			`login = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=MSF)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{rhost})(PORT=#{rport})))"`

			`pkt = tns_packet(login)`

			`begin`
			`connect`
			`rescue => e`
			`print_error("#{e}")`
			`disconnect`
			`return`
			`end`

			`sock.put(pkt)`

			`sleep(s.to_i)`

			`res = sock.get_once(-1,3)`

			`disconnect`

			`if ( res and res =~ /ERROR_STACK/ )`
			`''`
			`else`
updated to use report_auth_info() since the sid is needed to authenticate. git-svn-id: file:///home/svn/framework3/trunk@9049 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-11 13:56:56 +00:00			`report_auth_info(:host => rhost, :proto => 'tns', :port => rport, :type => 'bruteforced_sid', :data => "#{sid.strip}")`
added auxiliary module sid_brute.rb and sid.txt wordlist. git-svn-id: file:///home/svn/framework3/trunk@6807 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 00:03:50 +00:00			`print_status("Found SID '#{sid.strip!}' for host #{rhost}.")`
			`end`
			`end`

			`print_status("Done with brute force...")`
			`fd.close`

			`end`
			`end`