Using Oracle exploits or auxiliaries from the Metasploit Framework on Kali

In this note I will show you how to use the Oracle auxiliaries from the Metasploit Framework. Because of copyright issues, the Oracle client is not pre-installed on the Kali virtual machine, so the Oracle auxiliaries and exploits cannot be used until the Oracle client has been installed.

For example, try to use the oraenum auxiliary:

msf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > show options

Module options (auxiliary/admin/oracle/oraenum):

Name    Current Setting  Required  Description
----    ---------------  --------  -----------
DBPASS  TIGER            yes       The password to authenticate with.
DBUSER  SCOTT            yes       The username to authenticate with.
RHOST                    yes       The Oracle host.
RPORT   1521             yes       The TNS port.
SID     ORCL             yes       The sid to authenticate with.

msf auxiliary(oraenum) > set SID DB11G

msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[-] Failed to load the OCI library: cannot load such file -- oci8
[-] Try 'gem install ruby-oci8'
[*] Auxiliary module execution completed
msf auxiliary(oraenum) >

As you can see, the module fails with a "Failed to load the OCI library" error.

Now we will install the Oracle Instant Client on the Kali Linux machine and link it with the Metasploit Framework.

1. Download the Oracle Instant Client to the Kali machine

First, create the directory that will hold the Oracle Instant Client.

root@kali:~# mkdir /opt/oracle
root@kali:~# cd /opt/oracle
root@kali:/opt/oracle#

Download the Oracle Instant Client into the /opt/oracle directory from the link below.

http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

I use Kali Linux x86-64.


You need to download all of these files into the /opt/oracle directory:

  • instantclient-basic-linux-12.1.0.2.0.zip
  • instantclient-sqlplus-linux-12.1.0.2.0.zip
  • instantclient-sdk-linux-12.1.0.2.0.zip


root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63364
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle#


2. Install the Oracle client

Unzip the downloaded files and then link the shared library.

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# unzip instantclient-basic-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sqlplus-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sdk-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# cd instantclient_12_1
root@kali:/opt/oracle/instantclient_12_1#

Link the shared library under the unversioned name libclntsh.so, which is the name ruby-oci8 will look for (the ln command as written creates a hard link; ln -s would create a symlink and works just as well):

root@kali:/opt/oracle/instantclient_12_1# ln libclntsh.so.12.1 libclntsh.so

root@kali:/opt/oracle/instantclient_12_1# ls -lh libclntsh.so
-rwxrwxr-x 2 root root 57M Jul 7 2014 libclntsh.so

Then set the environment variables:

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1

Now the Oracle client is ready; just check it:

root@kali:/opt/oracle/instantclient_12_1# sqlplus

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 6 04:45:07 2016

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Enter user-name:

As you can see, SQL*Plus is working. You are on the right track.

3. Download the Ruby gem

Now download and extract the gem source release:

root@kali:~# cd /opt/oracle

root@kali:/opt/oracle# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
--2016-08-06 04:53:22-- https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8 [following]
--2016-08-06 04:53:23-- https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: 'ruby-oci8-2.1.8.zip'

ruby-oci8-2.1.8.zip [ <=> ] 295.28K 547KB/s in 0.5s

2016-08-06 04:53:24 (547 KB/s) - 'ruby-oci8-2.1.8.zip' saved [302365]

Now unzip the Ruby gem:

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63664
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root     4096 Aug 6 04:41 instantclient_12_1
-rw-r--r-- 1 root root   302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# unzip ruby-oci8-2.1.8.zip

inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connection_pool.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connstr.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_datetime.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi_clob.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_encoding.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_error.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_metadata.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_object.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oci8.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oracle_version.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oradate.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oranumber.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_package_type.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_rowid.rb

root@kali:/opt/oracle# ls -lrt
total 63668
drwxr-xr-x 7 root root     4096 Apr 4  2015 ruby-oci8-ruby-oci8-2.1.8
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root     4096 Aug 6 04:41 instantclient_12_1
-rw-r--r-- 1 root root   302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# cd ruby-oci8-ruby-oci8-2.1.8/
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8#


4. Install libgmp

Install libgmp-dev (needed to build the gem) and adjust PATH.

Prepend Metasploit's own Ruby directory to the PATH environment variable, so that the gem is built for the Ruby that msfconsole actually runs:

# export PATH=/opt/metasploit/ruby/bin:$PATH

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# apt-get install libgmp-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgmp-dev is already the newest version (2:6.1.0+dfsg-2).
libgmp-dev set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


5. Build and install the gem

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make
ruby -w setup.rb config
setup.rb:280: warning: assigned but unused variable - vname
setup.rb:280: warning: assigned but unused variable - desc
setup.rb:280: warning: assigned but unused variable - default2
---> lib
---> lib/oci8
<--- lib/oci8
---> lib/dbd
<--- lib/dbd
<--- lib
---> ext
---> ext/oci8
/usr/bin/ruby2.2 /opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8/extconf.rb
checking for load library path...
LD_LIBRARY_PATH...
checking /opt/oracle/instantclient_12_1... yes
/opt/oracle/instantclient_12_1/libclntsh.so.12.1 looks like an instant client.
checking for cc... ok
checking for gcc... yes
checking for LP64... yes
checking for sys/types.h... yes
checking for ruby header... ok
checking for OCIInitialize() in oci.h... yes
checking for Oracle 8.1.0 API - start
checking for OCIEnvCreate()... yes
checking for OCILobClose()... yes
checking for OCILobCreateTemporary()... yes
checking for OCILobFreeTemporary()... yes
checking for OCILobGetChunkSize()... yes
checking for OCILobIsTemporary()... yes
checking for OCILobLocatorAssign()... yes
checking for OCILobOpen()... yes
checking for OCIMessageGet()... yes

.......

compiling object.c
compiling apiwrap.c
compiling encoding.c
compiling oranumber_util.c
compiling thread_util.c
compiling plthook_elf.c
compiling hook_funcs.c
linking shared-object oci8lib_220.so
make[1]: Leaving directory '/opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8'
<--- ext/oci8
<--- ext

Then run make install:

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make install
ruby -w setup.rb install
setup.rb:280: warning: assigned but unused variable - vname
setup.rb:280: warning: assigned but unused variable - desc
setup.rb:280: warning: assigned but unused variable - default2
---> lib
mkdir -p /usr/local/lib/site_ruby/2.2.0/
install oci8.rb /usr/local/lib/site_ruby/2.2.0/
---> lib/oci8
mkdir -p /usr/local/lib/site_ruby/2.2.0/oci8
install compat.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding-init.rb /usr/local/lib/site_ruby/2.2.0/oci8
install object.rb /usr/local/lib/site_ruby/2.2.0/oci8
install bindtype.rb /usr/local/lib/site_ruby/2.2.0/oci8
install ocihandle.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oracle_version.rb /usr/local/lib/site_ruby/2.2.0/oci8
install connection_pool.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding.yml /usr/local/lib/site_ruby/2.2.0/oci8
install properties.rb /usr/local/lib/site_ruby/2.2.0/oci8
install datetime.rb /usr/local/lib/site_ruby/2.2.0/oci8
install cursor.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oci8.rb /usr/local/lib/site_ruby/2.2.0/oci8
install metadata.rb /usr/local/lib/site_ruby/2.2.0/oci8
<--- lib/oci8
---> lib/dbd
mkdir -p /usr/local/lib/site_ruby/2.2.0/dbd
install OCI8.rb /usr/local/lib/site_ruby/2.2.0/dbd
<--- lib/dbd
<--- lib
---> ext
---> ext/oci8
mkdir -p /usr/local/lib/x86_64-linux-gnu/site_ruby/.
install oci8lib_220.so /usr/local/lib/x86_64-linux-gnu/site_ruby/.
<--- ext/oci8
<--- ext
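Steps 1 to 5 leave several things behind that all have to line up before msfconsole can load oci8: the unversioned libclntsh.so link, the sqlplus binary, LD_LIBRARY_PATH and ORACLE_HOME, and a Ruby that can require the freshly built gem. The pre-flight script below, added here as an example and not part of the original post or of the Metasploit or ruby-oci8 projects, checks each of those in turn so that a broken step shows up as a named message instead of the "Failed to load the OCI library" error again. It assumes the client lives under /opt/oracle/instantclient_12_1 as in the post (a different directory can be passed as the first argument).

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# Instant Client + ruby-oci8 setup. Assumed layout: ORACLE_HOME and the
# client files under /opt/oracle/instantclient_12_1 unless a directory is
# passed on the command line.

# check_instant_client DIR
# Returns 0 when DIR holds the files steps 1 and 2 should have produced.
check_instant_client() {
    dir=$1
    ok=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # Step 2 linked libclntsh.so.12.1 to the unversioned name that ruby-oci8 dlopens.
    if [ ! -e "$dir/libclntsh.so" ]; then
        echo "missing $dir/libclntsh.so (run: ln $dir/libclntsh.so.12.1 $dir/libclntsh.so)"
        ok=1
    fi
    # sqlplus proves that both the basic and the sqlplus package were unzipped.
    if [ ! -x "$dir/sqlplus" ]; then
        echo "missing or non-executable $dir/sqlplus"
        ok=1
    fi
    return $ok
}

# check_env DIR
# The dynamic loader only finds libclntsh.so if LD_LIBRARY_PATH lists DIR;
# extconf.rb and the client tools consult ORACLE_HOME.
check_env() {
    dir=$1
    ok=0
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$dir:"*) ;;
        *) echo "LD_LIBRARY_PATH does not contain $dir"; ok=1 ;;
    esac
    [ "${ORACLE_HOME:-}" = "$dir" ] || { echo "ORACLE_HOME is not $dir"; ok=1; }
    return $ok
}

# check_oci8
# Does the first ruby on PATH (after step 4, Metasploit's own) see the gem from step 5?
check_oci8() {
    command -v ruby >/dev/null 2>&1 || { echo "ruby not on PATH"; return 1; }
    ruby -e 'require "oci8"' >/dev/null 2>&1 || { echo "ruby cannot require oci8"; return 1; }
    echo "oci8 loads"
}

# preflight [DIR]: run every check and return non-zero if any of them failed.
preflight() {
    dir=${1:-/opt/oracle/instantclient_12_1}
    status=0
    check_instant_client "$dir" || status=1
    check_env "$dir" || status=1
    check_oci8 || status=1
    [ $status -eq 0 ] && echo "instant client setup looks complete"
    return $status
}

# Only run when a directory is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh /opt/oracle/instantclient_12_1` from the same shell in which you exported the variables from step 2, because the environment checks inspect the caller's variables; a non-zero exit status points at the first step to redo.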

Now try the Oracle auxiliary one more time:

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# msfconsole

msf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > set SID DB11G
SID => DB11G
msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[*] Running Oracle Enumeration....
[*] The versions of the Components are:
[*] Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
[*] PL/SQL Release 11.2.0.4.0 - Production
[*] CORE 11.2.0.4.0 Production
[*] TNS for Linux: Version 11.2.0.4.0 - Production
[*] NLSRTL Version 11.2.0.4.0 - Production
[*] Auditing:
[*] Database Auditing is enabled!
[*] Auditing of SYS Operations is not enabled!
[*] Security Settings:
[*] SQL92 Security restriction on SELECT is not Enabled
[*] UTL Directory Access is set to
[*] Audit log is saved at /u01/app/oracle/admin/DB11G/adump
[*] Password Policy:
[*] Current Account Lockout Time is set to 1
[*] The Number of Failed Logins before an account is locked is set to 10
[*] The Password Grace Time is set to 7
[*] The Lifetime of Passwords is set to 180
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] The Maximum Number of Times a Password needs to be changed before it can be reused is set to UNLIMITED
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] Password Complexity is not checked
[*] Active Accounts on the System in format Username,Password,Spare4 are:
[*] SYS,8A8F025737A9097A,S:4F2AD836742BF4940F8635AF7A23A693069E17C38FB4EB2AAEAF55EA7F07
[*] SYSTEM,2D594E86F93B17A1,S:9AAE92874C63DBC5C43CBC2A37E0C98EAEA902912442EB11BB10070F4102
[*] SCOTT,F894844C34402B67,S:046017C46BF9B45D20FE1F7746FF2346B1185F3F38CCAF3BA5526385828B
[*] USER001,98AD9BF0E3417534,S:D0C57D9B1BB122E8D3B532DFFDB8F65D02DECD724C7A0D2A98AAC28045DF
[*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
[*] OUTLN,4A3BA55E08595C81,S:9D0352F4707B0EEF41811E091AF4731E609EDFDD80ABD412B06B2A257529
[*] DIP,CE4A36B8E06CA59C,S:ADE7608F962BD12FE8A6564AA3E96EDA88FB9F2F11B79DCAE28AB902380C
[*] ORACLE_OCM,5A2E026A9157958C,S:E9F3700D7530A6F79F0C5A635B50BCB76F8C18D99D2B9331CEA52B8796A1
[*] DBSNMP,E066D214D5421CCC,S:3F2E9D45692FBD03D26B4EFC38A5461E8713636BB0F768500938D10EC563
[*] APPQOSSYS,519D632B7EE7F63A,S:5E6B6A62DE6FEF350B2C972B1B46126333BF4C37057D8EEF7FDF45ABA6C3
[*] WMSYS,7C9BA362F8314299,S:55E4A57548366A8A27A9CAA4CFE3877D645EDC790B699F809CB4B7C2493D
[*] XS$NULL,,S:000000000000000000000000000000000000000000000000000000000000
[*] EXFSYS,33C758A8E388DEE5,S:36D11106A9E7FBC3289C7683EA8

As you can see, it works.
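The oraenum report above is, from a defender's point of view, an audit of the database's configuration: auditing of SYS operations off, the SQL92 SELECT restriction off, no password complexity check, unlimited password reuse, a 180-day password lifetime, the SCOTT sample account still open, and the password hashes of every account printed to the console (so the console log itself needs to be handled as sensitive data). The script below, added here as an example and not part of the original post or of the Metasploit module, turns such a report into a short list of findings. Its input is the module's `[*]` lines; the embedded sample is a constructed excerpt of the output shown above with the hashes replaced by placeholders, the 90-day lifetime threshold is an assumption that can be overridden through MAX_PASSWORD_LIFETIME_DAYS, the list of demo accounts contains only SCOTT (the account the module authenticates as by default) and is meant to be extended, and the "UNLIMITED" check for the lockout count assumes the module prints that word when no lockout is configured, as it does for password reuse.

```shell
#!/bin/sh
# Added example (not from the original post): triage an oraenum report.
# Usage: sh triage.sh oraenum.txt   (or with no argument to run the built-in sample)

# sample_report: constructed excerpt of the oraenum output from the post,
# with password hashes replaced by <hash> placeholders.
sample_report() {
    cat <<'EOF'
[*] Auditing:
[*] Database Auditing is enabled!
[*] Auditing of SYS Operations is not enabled!
[*] Security Settings:
[*] SQL92 Security restriction on SELECT is not Enabled
[*] Password Policy:
[*] Current Account Lockout Time is set to 1
[*] The Number of Failed Logins before an account is locked is set to 10
[*] The Password Grace Time is set to 7
[*] The Lifetime of Passwords is set to 180
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] Password Complexity is not checked
[*] Active Accounts on the System in format Username,Password,Spare4 are:
[*] SYS,<hash>,S:<hash>
[*] SYSTEM,<hash>,S:<hash>
[*] SCOTT,<hash>,S:<hash>
[*] USER001,<hash>,S:<hash>
[*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
[*] OUTLN,<hash>,S:<hash>
[*] DBSNMP,<hash>,S:<hash>
EOF
}

# triage_oraenum: reads oraenum output on stdin and prints one finding per
# line plus a summary of active versus locked accounts.
# MAX_PASSWORD_LIFETIME_DAYS (assumed default 90) sets the lifetime threshold.
triage_oraenum() {
    awk -v maxlife="${MAX_PASSWORD_LIFETIME_DAYS:-90}" '
    BEGIN { demo["SCOTT"] }                       # sample accounts that should be locked; extend as needed
    { sub(/^\[\*\] /, "") }                       # strip the msf "[*] " prefix
    /^Active Accounts on the System/ { section = "active"; next }
    /^Expired or Locked Accounts/    { section = "locked"; next }
    /^Auditing of SYS Operations is not enabled/ {
        print "FINDING: auditing of SYS operations is disabled" }
    /^SQL92 Security restriction on SELECT is not Enabled/ {
        print "FINDING: SQL92 security restriction on SELECT is disabled" }
    /^Password Complexity is not checked/ {
        print "FINDING: no password complexity verification" }
    /^The Number of Times a Password can be reused is set to UNLIMITED/ {
        print "FINDING: unlimited password reuse" }
    /^The Lifetime of Passwords is set to/ {
        if ($NF + 0 > maxlife + 0) print "FINDING: password lifetime " $NF " days exceeds " maxlife }
    /^The Number of Failed Logins before an account is locked is set to/ {
        if ($NF == "UNLIMITED") print "FINDING: no account lockout" }
    section == "active" && /^[A-Z0-9_$]+,/ {      # Username,Password,Spare4 rows
        split($0, f, ",")
        active++
        if (f[1] in demo) print "FINDING: demo/default account " f[1] " is open"
    }
    section == "locked" && /^[A-Z0-9_$]+,/ { locked++ }
    END { printf "SUMMARY: %d active accounts, %d locked/expired accounts\n", active, locked }
    '
}

if [ "$#" -gt 0 ]; then
    triage_oraenum < "$1"
else
    sample_report | triage_oraenum
fi
```

Run msfconsole with `spool` (or `tee`) to capture the module output to a file, then feed that file to the script; on the sample it reports six findings and a summary of four active and two locked accounts.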

Do not forget to put all of these into your .bashrc file, so they are set in every new shell:

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1
export PATH=/opt/metasploit/ruby/bin:$PATH
