Control Points After DB Vault Installation to Oracle 12c Database

Capture

After DB vault installation to Oracle12c database you should check some important points. At this note I will give some explanations about these post-operations .

If you want to learn DB vault Installation ; Please look at DB Vault Installation post

1. Check Invalid objects one more time;

Normally System Objects would be made valid with this script

@?/rdbms/admin/utlrp.sql

But you should check application objects as well. Because some application objects can not be valid for some reasons. You should report all these changes.

As you know before DB Vault installation we created a table to hold all invalid objects at the database ( the name of this table a_dba_objects). Now take one more sample for invalid object to compare it before image.

SQL> create table b_dba_objects as select owner,object_name,object_type from dba_objects where status=’INVALID’ and object_type <> ‘SYNONYM’ ;

Table created.

Now compare two tables after and before tables;

SQL> select * from a_dba_objects minus select * from b_dba_objects
2 ;

no rows selected

Difference should be null as you expected; If there are some changes you should try to solve it. Maybe one more compilation is required.

2. Check Oracle Components 

After DB vaults installation there can be changes at some Oracle component status.Take a copy of dba_registry view  and control the status of each components.

SQL> create table b_dba_registry as select * from dba_registry;

Table created.

SQL> column comp_name format a50
SQL> column status format a10
SQL> select comp_name, status from dba_registry;

COMP_NAME STATUS
————————————————– ———-
Oracle Database Vault VALID
Oracle Application Express VALID
Oracle Label Security VALID
Spatial VALID
Oracle Multimedia VALID
Oracle Text VALID
Oracle Workspace Manager VALID
Oracle XML Database VALID
Oracle Database Catalog Views VALID
Oracle Database Packages and Types VALID
JServer JAVA Virtual Machine VALID
Oracle XDK VALID
Oracle Database Java Packages VALID
OLAP Analytic Workspace VALID
Oracle OLAP API VALID
Oracle Real Application Clusters OPTION OFF

16 rows selected.

3. Make a copy of views about privileges

This is required operation; Maybe for somehow some privileges may change during installation and this causes some problems at your applications. At the same time you should copy all Oracle parameters into a table.

SQL> create table b_dba_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table b_dba_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table b_gv$parameter as select * from gv$parameter ;

Table created.

SQL> create table b_dba_tab_privs as Select * from dba_tab_privs;

Table created.

SQL> create table b_dba_sys_privs as Select * from dba_sys_privs;

Table created.
SQL> create table b_dba_role_privs as Select * from dba_role_privs;

Table created.

 

4. Re-grant all privileges which are revoked during DB Vault Installation

During DB vault installation Oracle revoke some system and objects privileges from some roles and Public. This situation can create problems at your application. Therefore If you want to re-grant all these privileges you can use below script.

connect sys as sysdba

Grant EXECUTE on SYS.DBMS_FILE_TRANSFER to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_D to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_LOGREP_DICT to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_SESSION to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.UTL_FILE to PUBLIC ;
Grant BECOME USER to DBA ;
Grant CREATE ANY JOB to DBA ;
Grant CREATE EXTERNAL JOB to DBA ;
Grant DEQUEUE ANY QUEUE to DBA ;
Grant ENQUEUE ANY QUEUE to DBA ;
Grant EXECUTE ANY CLASS to DBA ;
Grant EXECUTE ANY PROGRAM to DBA ;
Grant MANAGE ANY QUEUE to DBA ;
Grant MANAGE SCHEDULER to DBA ;
Grant SELECT ANY TRANSACTION to DBA ;
Grant BECOME USER to IMP_FULL_DATABASE ;
Grant MANAGE ANY QUEUE to IMP_FULL_DATABASE ;
Grant CREATE ANY JOB to SCHEDULER_ADMIN ;
Grant CREATE EXTERNAL JOB to SCHEDULER_ADMIN ;
Grant EXECUTE ANY CLASS to SCHEDULER_ADMIN ;
Grant EXECUTE ANY PROGRAM to SCHEDULER_ADMIN ;
Grant MANAGE SCHEDULER to SCHEDULER_ADMIN ;

5. Disable Default Realms and Command Rules

After DB Vault installation some pre-defined Realms and Command rules is created by Oracle. If this is your first installation you want to disable some Realms and Command Rules. Beacause these pre-defined Realms and Command rules can create some problems at your application. This control point completely depends on your application. But I will give you below script to disable all Realms and Command Rules . After some time you can enable these rules step bye step by checking your application .

connect dvowner

select * from dvsys.DBA_DV_REALM ;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Database Vault’,
description => ‘Defines the realm for the Oracle Database Vault schemas – DVSYS, DVF and LBACSYS where Database Vault access control configuration and roles are contained.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Database Vault Account Management’,
description => ‘Defines the realm for administrators who create and manage database accounts and profiles.’,
enabled => ‘N’,
audit_options => 1);
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Enterprise Manager’,
description => ‘Defines the Enterprise Manager monitoring and management realm.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Schema Protection Realm’,
description => ‘Defines the realm for the Oracle Default schemas.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Component Protection Realm’,
description => ‘Defines the realm to protect default components of the Oracle database.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/
commit;
select * from dvsys.DBA_DV_COMMAND_RULE;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER SYSTEM’,
rule_set_name => ‘Allow Fine Grained Control of System Parameters’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER USER’,
rule_set_name => ‘Can Maintain Own Account’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CHANGE PASSWORD’,
rule_set_name => ‘Can Maintain Own Account’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CREATE PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CREATE USER’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘DROP PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘DROP USER’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

commit;

select * from dvsys.DBA_DV_REALM ;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Database Vault’,
description => ‘Defines the realm for the Oracle Database Vault schemas – DVSYS, DVF and LBACSYS where Database Vault access control configuration and roles are contained.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Database Vault Account Management’,
description => ‘Defines the realm for administrators who create and manage database accounts and profiles.’,
enabled => ‘N’,
audit_options => 1);
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Enterprise Manager’,
description => ‘Defines the Enterprise Manager monitoring and management realm.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Schema Protection Realm’,
description => ‘Defines the realm for the Oracle Default schemas.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Component Protection Realm’,
description => ‘Defines the realm to protect default components of the Oracle database.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/

select * from dvsys.DBA_DV_COMMAND_RULE;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER SYSTEM’,
rule_set_name => ‘Allow Fine Grained Control of System Parameters’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER USER’,
rule_set_name => ‘Can Maintain Own Account’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CHANGE PASSWORD’,
rule_set_name => ‘Can Maintain Own Account’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CREATE PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘CREATE USER’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘DROP PROFILE’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘DROP USER’,
rule_set_name => ‘Can Maintain Accounts/Profiles’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

commit;

 

6. Make Recyclebin On

After DB vault installation Oracle makes recyclebin off for some security reason. If you want you can make it on  again. You can use below script.

Connect dvowner

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER SYSTEM’,
rule_set_name => ‘Allow Fine Grained Control of System Parameters’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘N’);
commit;
END;
/

Connect sys as sysdba

alter system set recyclebin=on scope=spfile;

startup force;

You can make ALTER SYSTEM Command Rule enable again

Connect dvowner

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => ‘ALTER SYSTEM’,
rule_set_name => ‘Allow Fine Grained Control of System Parameters’,
object_owner => ‘%’,
object_name => ‘%’,
enabled => ‘Y’);
commit;
END;
/

 

 

 

 

Advertisements

Installing DB Vault to an Oracle 12c non-Container Database

Capture

At this note I will show you how you can install DB Vault to Oracle 12c non-container database. For Oracle 12c container databases  I will write another post.

First Let me introduce the environment;

Host : Oracle 7 Linux virtual  machine on Oracle VM Virtual Box

DB : Oracle 12c 12.1.0.2.0 non-container database.

At Oracle  12c Oracle Label Security and DB vault options are already linked with Oracle binary. But sometimes DBAs do not install these options during DB creation. At this time you should install this options and then you can register DB vault.

0. Check Oracle Label Security and DB Vault Options are installed

To check Oracle Label security And DB Vault use below SQL;

SQL> select comp_id,status from dba_registry where comp_id in (‘OLS’,’DV’);

no rows selected

IF “no rows selected” returns from the SQL ; It means you should install Oracle Label Security and Oracle DB Vault.

IF ORACLE LABEL SECURITY and DB VAULT IS NOT INSTALLED  Please follow below notes to complete DB vault installation

https://yusufanilakduygu.wordpress.com/2016/08/21/adding-oracle-label-security-and-db-vault-options-to-oracle-12c-database/

 

Otherwise ; Just register Oracle DB Vault .  Follow this note ; and finish the installation.

1.Check DB vault if already registered

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
( ‘Oracle Database Vault’,’Oracle Label Security’);

PARAMETER VALUE
————————- ———-
Oracle Label Security FALSE
Oracle Database Vault FALSE

SQL>

 

As you see DB vault  has not been registered yet. After registering DB vault the value column will be TRUE

2. Take  backup of  some tables and views.

Before  DB vault registration;  Some privileges from DBA role, IMP_FULL_DATABASE role and  SCHEDULER_ADMIN role are revoked. At the same time some critical privileges are revoked as well. Therefore We should take a copy of some tables about privileges . I advice you should backup these with CREATE TABLE command.

 

I took the copy of the tables at SYSTEM user.

SQL> connect system
Enter password:
Connected.
SQL> create table a_dba_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table a_dba_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table a_gv$parameter as select * from gv$parameter ;

Table created.

SQL> create table a_dba_tab_privs as Select * from dba_tab_privs;

Table created.

SQL> create table a_dba_sys_privs as Select * from dba_sys_privs;

Table created.

SQL> create table a_dba_role_privs as Select * from dba_role_privs;

Table created.

SQL> create table a_dba_objects as select owner,object_name,object_type from dba_objects where status=’INVALID’ and object_type <> ‘SYNONYM’ ;

Table created.

SQL> create table a_dba_registry as select * from dba_registry;

Table created.

SQL>

3. Create DB Vault owner and User Administrator users

At DB Vault registration you should create one user to administer DB vault and one user to manage Oracle users at the database. These two users are required for the separation of duties.

SQL> connect sys as sysdba
Enter password:
Connected.
SQL> CREATE USER dvowner IDENTIFIED BY oracle
2 DEFAULT TABLESPACE USERS
3 QUOTA UNLIMITED ON USERS;

User created.

SQL> GRANT CREATE SESSION TO dvowner;

Grant succeeded.

SQL> CREATE USER dvacctmngr IDENTIFIED BY oracle
2 DEFAULT TABLESPACE USERS
3 QUOTA UNLIMITED ON USERS;

User created.

SQL> GRANT CREATE SESSION TO dvowner;

Grant succeeded.

SQL>

 

4. Configure DB Vault

Now we can start to register DB Vault by configuring it. Afterwards we will compile all invalid objects at the database

connect sys as sysdba
Enter password:
Connected.

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘dvowner’,
4 dvacctmgr_uname => ‘dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed.

SQL> @?/rdbms/admin/utlrp.sql

.

.

…Database user “SYS”, database schema “APEX_040200”, user# “98” 21:39:56
…Compiled 0 out of 3014 objects considered, 0 failed compilation 21:39:56
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 21:39:56
…Completed key object existence check 21:39:57
…Setting DBMS Registry 21:39:57
…Setting DBMS Registry Complete 21:39:57
…Exiting validate 21:39:57

PL/SQL procedure successfully completed.

5. Enable DB Vault

SQL> CONNECT dvowner
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

6. Startup the Database and the installation is finished

SQL> connect sys as sysdba
Enter password:
Connected.
SQL> startup force
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 666895552 bytes
Database Buffers 301989888 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( ‘Oracle Database Vault’,’Oracle Label Security’);

PARAMETER VALUE
————————- ———-
Oracle Label Security TRUE
Oracle Database Vault TRUE

As you see DB Vault Vault is ready for use. At the next note I will show you what you can do after installation of DB Vault.

 

 

 

 

 

Hacking Windows XP with msfvenom

venom-02

msfvenom is a program which generates shellcodes to penetrate any machines. At this note I will show you how you can penetrate into  windows XP with shellcodes which are produced by msfvenom.

Before msfvenom  ; msfpayload and msfencode programs were used. But now msfpayload and msfencode are obsolete and they are not supported . Therefore we should use msfvenom.

At the examples I will use two machines ; one of it is Kali  and the other machine is Windows XP. I will produce shellcodes at Kali machine and I will send it to Windows XP machine ( you can use any social enginnering methods ). But at the example simple I will move it with ftp or any other means. Because the aim of the note is to show you all penetration process. An important note is during  the penetration client-side antivirus program should be disabled . There are many ways to bypass antivirus programs but this not the scope of this note.

First ; look at the options of the msfvenom program.

venom-01

As you can see tehere many options at msfvenom program.

Now create shellcode with a simplest  method.

venom11

If you look at the command line you will see some parameters. The most important parameter is the LHOST parameter. This parameter show the IP address of Kali machines. When someone else starts this program at Windows XP machine; this shellcode will try to connect to Kali machine ( 192.200.11.5 ). But before the shellcode connects to Kali machine , we should start a listener program which waits for connetions from shellcodes. We will start a listener with metasploit framework ( msfconsole )

Now our shell code is ready ; and you can send it any computer with social engineering. Imagine that we send it with email and the e-mail reader will start it by anymeans.

Now we will start a listener to penetrate into Windows XP machine by msfconsole. First start msfconsole

venom-02

msfconsole is a centralized console for metasploits.

set up our listener in msfconsole and wait for a back connection. And then use reverse_tcp payload to start listener.

venom-03

Now the listener is waiting for shellcode to penetrate into Windows XP machine ( in which our shellcode stays)

Now start the x.exe at Windows XP by double-clicking it.

venom-04.

Go back to Kali and you will see back-connection is established and meterpeter is started. Now we are connected to Windows XP machine.

venom-05

Afterwords we are in Windows XP machine and we can successfully control the remote penetrated machine.

After penetrating you are in post-exploitation phase and I will deeply show this phase in a different note.

venom-06.JPG

Anıl Akduygu

 

 

 

 

 

Oracle Security checks with nmap

Capture.JPGIntroduction

Nmap is open -source utility to discover and check network security. Normally nmap is developed for network security. Many  externel scripts were added to nmap to check databases, web servers and other systems at IT infrastructure.

At this note; I will present nmap scripts which are developed to check Oracle databases. I will explain all details  with samples. For this note; I used two virtual machines ; one of it as you expected is Kali the other machine is Oracle Linux which runs Oracle 11g database.

Start with guessing Oracle SID

Guess Oracle SID

oracle-sid-brute script guesses Oracle instance/SID names.

/usr/share/nmap/nselib/data/oracle-sids file includes some Oracle SIDs . By this list nmap makes brute force to find Oracle SIDs

Capture

 

Now try to find Oracle-SID at localhost7  with nmap oracle-sid-brute script.

———————————————————–

nmap –script=oracle-sid-brute -p 1521-1900 localhost7

Not shown: 359 filtered ports
PORT STATE SERVICE
1521/tcp open oracle
| oracle-sid-brute:
|_ DB2TEST
1522/tcp open rna-lm
1523/tcp open cichild-lm
1530/tcp open unknown
1545/tcp open vistium-share
1555/tcp open unknown
1556/tcp open veritas_pbx
1557/tcp open unknown
1560/tcp open asci-val
1563/tcp open unknown
1575/tcp open unknown
1585/tcp open unknown
1591/tcp open unknown
1621/tcp open unknown
1681/tcp open unknown
1731/tcp open unknown
1733/tcp open unknown
1831/tcp open unknown
1890/tcp open unknown
1898/tcp open unknown
1899/tcp open unknown

——————————————————————-

Gotcha we found it DB2TEST. If you have your own Oracle -SID list at /path/sidfile you can use it like this.

nmap –script=oracle-sid-brute –script-args=oraclesids=/path/sidfile -p 1521-1800 <hostname>

Now we will try to guess Oracle usernames and passwords.

Password guess Brute Force

oracle-brute script checks common Oracle usernames and passwords. The list of common Oracle username and passwords can be found at /usr/share/nmap/nselib/data/oracle-default-accounts.lst file.

———————————————————–

nmap -p1521 –script oracle-brute –script-args oracle-brute.sid=DB11G 192.200.11.9

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-07-02 10:19 EDT
Nmap scan report for 192.200.11.9
Host is up (0.0010s latency).
PORT STATE SERVICE
1521/tcp open oracle
| oracle-brute:
| Accounts:
| DIP:DIP – Account is locked
| XDB:CHANGE_ON_INSTALL – Account is locked
|_ Statistics: Performed 695 guesses in 13 seconds, average tps: 53

Nmap done: 1 IP address (1 host up) scanned in 30.89 second

————————————————————–

As you see two users are found but they are locked. Our database passed this test. But If the administrators had forgotten these common usernames this script would help us to find these usernames.

If you have some special usernames and passwords list at a special  path; you can use below command

nmap -sV –script oracle-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>

 

To quit after finding one valid account, use the argument brute.firstOnly:
nmap -sV –script oracle-brute –script-args brute.firstOnly <target>

To set a different timeout limit, use the argument unpwd.timelimit. To run it
indefinitely, set it to 0:

nmap -sV –script oracle-brute –script-args unpwdb.timelimit=0 <target>$ nmap -sV –script oracle-brute –script-args unpwdb.timelimit=60m <target>

Brute modes

user: For each user listed in userdb, every password in passdb will be tried
nmap –script oracle-brute –script-args brute.mode=user <target>

pass: For each password listed in passdb, every user in userdb will be tried
nmap –script oracle-brute –script-args brute.mode=pass <target>

For Oracle tns poison attack you can read my another article

https://yusufanilakduygu.wordpress.com/2016/06/12/oracle-tns-poison-attack/

Now this is the end of this note.

I hope this note will give you a new perspective for Oracle Database security.

Anıl Akduygu