Privilege Analysis in Oracle 12c A Quick Overview

Privilege Analysis is a new feature of Oracle 12c . This feature comes with Oracle DB Vault. Simple you have to buy Oracle DB Vault license to use Privilege Analysis. But, you do not need to enable Oracle DB Vault to use Privilege Analysis, Because  It comes with Oracle 12c Enterprise edition.

Privilege Analysis is used for identifying unused privileges and roles in the database. Discovering the set of unused roles and privileges is important to make the database more secure. By using Privilege Analysis, we can define the least number of privileges for users and roles.

The procedure for Privilege Analysis is simple;

The First  Step;

You have to create a privilege analysis with DBMS_PRIVILEGE_CAPTURE package .

In order to use privilege analysis; CAPTURE_ADMIN  must be granted to the user.

There are four types of privilege analyses which are defined by type parameter in the DBMS_PRIVILEGE_CAPTURE package.

type        =>  DBMS_PRIVILEGE_CAPTURE.g_database is used for creating a privilege analysis for the whole database

type       =>  DBMS_PRIVILEGE_CAPTURE.g_role  is used for creating a privilege analysis for a list of roles.

type  => DBMS_PRIVILEGE_CAPTURE.g_context  is defined by a logical expression with the  SYS_CONTEXT function.

Type=> DBMS_PRIVILEGE_CAPTURE.g_role_and_context; is defined by a list of rules and logical expression.

For Example; to create a privilege analysis for the whole database we use below command

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Full Database',
type => DBMS_PRIVILEGE_CAPTURE.g_database
);
/
PL/SQL procedure successfully completed.

In order to create a privilege analysis for a set of defined roles, we use the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Listed Roles',
type => DBMS_PRIVILEGE_CAPTURE.g_role,
roles => role_name_list('RoleName1', 'RoleName2') );
END;
/

PL/SQL procedure successfully completed.

In order to create a privilege analysis for USER01 user , we use the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Conditional',
type => DBMS_PRIVILEGE_CAPTURE.g_context,
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);
END;
/

In order to create a privilege analysis for USER01 when it uses DBA role we use the below command. By this way ; we can find for what reason USER01 uses DBA role. For example ; USER01 uses DBA role to only create  tables. In that case; we can only give create table privilege to USER01 instead of DBA role.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Role and Condition',
type => DBMS_PRIVILEGE_CAPTURE.g_role_and_context,
roles => role_name_list('DBA'),
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);                                                                                                                                                                      END;
/

PL/SQL procedure successfully completed.

We use the below command  to list the list of created privilege analyses.

COLUMN name FORMAT A15
COLUMN roles FORMAT A20
COLUMN context FORMAT A30

SQL> select name,type,roles,context FROM dba_priv_captures;

The Second  Step;

We start the privilege analysis with the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.enable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Third Step;

After waiting for a while; I can be one  week or  one moth.  We have  stop the privilege analysis with the below command. During that time Oracle keeps records for the privilege analysis.

BEGIN
DBMS_PRIVILEGE_CAPTURE.disable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

The Fourth Step;

We should generate result for the capture with the below command;

BEGIN
DBMS_PRIVILEGE_CAPTURE.generate_result('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Fifth Step;

Now we use the below views to work on our captured data.

DBA_PRIV_CAPTURES
DBA_USED_PRIVS
DBA_UNUSED_PRIVS
DBA_USED_OBJPRIVS
DBA_UNUSED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_UNUSED_OBJPRIVS_PATH
DBA_USED_SYSPRIVS
DBA_UNUSED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_UNUSED_SYSPRIVS_PATH
DBA_USED_PUBPRIVS
DBA_USED_USERPRIVS
DBA_UNUSED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_USERPRIVS_PATH

 

thanks for reading this note;

In the near future, I will give much more information about this subject.

Y. Anıl Akduygu

 

Advertisements

A video tutorial – How Disable Oracle Database Vault on Oracle 12c non-container Database

In this video ; you will see how to disable Oracle Database Vault on Oracle 12c non-container database; Let’s watch it

Notes for this video;

First Check Database properties and version

Column host_name format a10
Column name format a10
Column database_role format a15
Column open_mode format a10
Column  db_unique_name format a10

select  host_name, name,database_role, open_mode,  db_unique_name,cdb   from
v$database , v$instance;

select banner from v$version;

Check DB Vault

column parameter format a25
column value format a10

SELECT * FROM gV$OPTION WHERE PARAMETER in
( ‘Oracle Database Vault’);

To disable DB Vault

Connect DVOWNER

EXEC DBMS_MACADM.DISABLE_DV;

Restart Database

column parameter format a25
column value format a10

SELECT * FROM gV$OPTION WHERE PARAMETER in
( ‘Oracle Database Vault’);

To enable DB Vault

Connect DVOWNER

EXEC DBMS_MACADM.ENABLE_DV;

Restart Database

column parameter format a25
column value format a10

SELECT * FROM gV$OPTION WHERE PARAMETER in
( ‘Oracle Database Vault’);

 

Thanks for reading it

Anıl Akduygu

A video tutorial to show how you can register Oracle DB vault to Oracle 12c non-container database

I prepared a video tutorial for you to show registering DB vault to Oracle 12c non-container database, Let’s watch it.

 

I added all scripts and notes in this video here;

First Check Database properties and version

Column host_name format a10

Column name format a10

Column database_role format a15

Column open_mode format a10

Column  db_unique_name format a10

select  host_name, name,database_role, open_mode,  db_unique_name,cdb   from

v$database , v$instance;

select banner from v$version;

Check DB Vault and Oracle Label Security already installed

select comp_id,status from dba_registry where comp_id in (‘OLS’,’DV’);

Create user for DB Vault;   dvowner for DB vault management, dvacctmngr for user management

CREATE USER dvowner IDENTIFIED BY oracle

DEFAULT TABLESPACE USERS

QUOTA UNLIMITED ON USERS;

GRANT CREATE SESSION TO dvowner;

CREATE USER dvacctmngr IDENTIFIED BY oracle

DEFAULT TABLESPACE USERS

QUOTA UNLIMITED ON USERS;

GRANT CREATE SESSION TO dvacctmngr ;

 

Configure DB Vault

BEGIN

DVSYS.CONFIGURE_DV (

dvowner_uname => ‘dvowner’,

dvacctmgr_uname => ‘dvacctmngr’);

END;

/

Compile Invalid Objects

@?/rdbms/admin/utlrp.sql

Enable DB Vault

CONNECT dvowner

EXEC DBMS_MACADM.ENABLE_DV;

Restart Database

column parameter format a25

column value format a10

SELECT * FROM gV$OPTION WHERE PARAMETER in ( ‘Oracle Database Vault’,’Oracle Label Security’);

 

Oracle 12c New Security Features – 02 DBA_USERS new columns

One of the the security improvement  in Oracle 12c version is the new columns at DBA_USERS view.
These new added columns are very uesfull for security administrators.
At the below picture you can see the definition of DBA_USERS in Oracle 11g version

Capt02

And the definition of DBA_USERS in Oracle 12c version is given below.

Capt01As you see; four new colums are added. These are

PROXY_ONLY_CONNECT
COMMON
LAST_LOGIN
ORACLE_MAINTAINED

Now we work on these new columns

PROXY_ONLY_CONNECT

This column shows  you  whether a user can connect directly ( if it is value N ) or can only be   proxied (if it is value Y) by users.
Let’s query this column;

Capture

You can enable or disable this attribute of a user by alter user command

Capture.JPG

COMMON

This column shows whether the user  is a COMMON user.

COMMON users   are used in Multitenant databases which are introduced in Oracle 12c version. In another note ; I will explain multitenant databases in Oracle 12c version.

This column can have two values ; YES or NO

YES means this user is a COMMON user.

NO means this user is a local user.

Let’s query this column

Capture

 

LAST_LOGIN

Last_login column is very useful column for database security administrator and it solves very important problem in Oracle 11g version. This column shows  the user’s last logon time. In Oracle 11g version we have create a logon trigger  and a special table to find and keep user’s last logon time. Now in Oracle 12c version you have nothing to do ; just you need the query this column to find the time of the users logon.

To query Last_login column  you use the below query. If the LAST_LOGIN column is null It means that this user has not been connected to the database yet.

Capture.JPG

ORACLE_MAINTAINED

This is another very important new column at Oracle 12c database.

If the value of this column is ‘Y’. It means that this  user was  created and could only managed by Oracle-supplied script ( Scripts are given by Oracle company) . You must not change  any properties of these users. This column is very important when running security control scripts.  At some security controls  you would like to exclude  Oracle pre-defined application users. In Oracle 11g version , you have to know these Oracle usernames (  for example DBSNMP, MDSYS,CTXSYS,OUTLN…) . In Oracle 11g version , if you want to exclude Oracle managed users  from your selection in any security control, you have to write a very big condition like below;

USERNAME NOT IN

(

‘ANONYMOUS’,’CTXSYS’,’DBSNMP’,’EXFSYS’,’LBACSYS’,’MDSYS’,’MGMT_VIEW’,’OLAPSYS’,

‘OWBSYS’,’ORDPLUGINS’,’ORDSYS’,’OUTLN’,’SI_INFORMTN_SCHEMA’,’SYS’,’SYSMAN’,

‘SYSTEM’,’TSMSYS’,’WK_TEST’,’WKSYS’,’WKPROXY’,’WMSYS’,’XDB’,’APEX_PUBLIC_USER’,

‘DIP’,’FLOWS_30000′,’FLOWS_FILES’,’MDDATA’,’ORACLE_OCM’,

‘SPATIAL_CSW_ADMIN_USR’,’SPATIAL_WFS_ADMIN_USR’,’XS$NULL’,

‘OWBSYS_AUDIT’,’ORDDATA’,’APEX_030200′,’APPQOSSYS’,’DVSYS’,’DVF’

)

But in Oracle 12c version you can add a condition like

ORACLE_MAINTAINED <> ‘Y’

to exclude Oracle  managed users.

Capture

I downloaded  all scripts which are given on this note  to  github

https://github.com/yusufanilakduygu/Wordpress-Posts/blob/master/DBA_USERS%20new%20columns

 

Have a good day.

Anıl

Oracle DB Vault New Features in Oracle 12c R1 – Part1 : Changes at DB Vault Installation

There are many changes at Oracle DB Vault in Oracle 12c version. At this note I will give you information about  the change at DB  Vault Installation .

  1. DB Vault Installation

At Oracle 11g version you need to  relink Oracle binary before installing Oracle DB Vault. You do not need this operation in Oracle 12c.

At Oracle 11g version you need to relink binary with chopt command like below

$ chopt enable lbac

$ chopt enable dv

And You do not need in Oracl 12c vesion

In order to install and configure DB Vault In Oracle 11g version, you have to use dbca. At Oracle 12c you only need dbca to install Oracle Label Security and Oracle DB vault component . You can use DVSYS.CONFIGURE_DV packet to configure DB vault. Actually still you can do this configuration with dbca but it is optional.

DB Vault component installation is made with this page in  dbca in Oracle 12c version.

Capture

And DB Vault configuration can be made by dbca but It is optional

Capture

This gives us flexibility ; During database installation DBAs can install Oracle DB Vault without making any configuration on it. After the DB Vault installation is completed, you can make DB Vault configuration as a security officer without DBA intervention.

The below  query shows that DB Vault component is installed. But It does not mean that It is enabled.

SQL> select comp_id,status from dba_registry where comp_id in (‘OLS’,’DV’);

COMP_ID STATUS
—————————— ———–
DV VALID
OLS VALID

With DVSYS.CONFIGURE_DV; you can mention which user is DB Vault admin and which user database account manager.

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘dvowner’,
4 dvacctmgr_uname => ‘dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed.

This packet is new in Oracle 12c and It gives us flexibility to security officer to configure DB vault alone. After DB Vault component installation tou do not need to rebound the database bu you need to run utlrp.sql to compile all invalid objects.

 

 

 

 

 

Oracle 12c New Security Features – 01, Use READ Privilige for Inquiry Users.

I would like to start a new series to introduce Oracle 12c new security features.

I want to start with READ privilege first. This privilege solves many problems at Oracle security. Before Oracle 12c you can give SELECT privilege to a user to SELECT any table. But with this privilege the user not only SELECT any table but also she or he can LOCK the table with SELECT for UPDATE or direct LOCK TABLE statement . This is an unwanted situation for inquiry users; because any inquiry user with  SELECT privilege can lock your table and stop your application. For this reason administrators would create views and then would grant these views to  inquiry users. It was an long operation if you had more than hundred tables and It was difficult to manage all views and tables.

To solve this problem; Oracle introduced a new privilege – READ privilege. With this privilege you can give SELECT grant to a user. But the user can only SELECT the table and he cannot lock it anymore.This enhancement is very important for inquiry users.

I will show you with examples.

Let’s start with Oracle 11g

SQL> connect scott/oracle

Connected.
SQL> grant SELECT on EMP to USER01;

Grant succeeded.

SQL> connect USER01/oracle

Connected.

SQL> select empno,ename from scott.emp;

EMPNO ENAME
———- ———-
7369 SMITH
7499 ALLEN
7521 WARD
7566 JONES
7654 MARTIN
7698 BLAKE
7782 CLARK
7788 SCOTT
7839 KING
7844 TURNER
7876 ADAMS
7900 JAMES
7902 FORD
7934 MILLER

14 rows selected.

And now the tricky point

SQL> select * from scott.emp for update of ename;

EMPNO ENAME JOB MGR HIREDATE SAL COMM
———- ———- ——— ———- ——— ———- ———-
DEPTNO
———-
7369 SMITH CLERK 7902 17-DEC-80 800
20

7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300

……

And now nobody at the database can update this table till USER01 commit the transaction.

Try it. Connect with Scott user at the same time

sqlplus scott/oracle

SQL> update emp set ename=’XXX’;

This statement hangs forever till USER01 commits its transaction. Simply a SELECT statement hangs you your database and your application. This is unwanted sitiuation

You can lock the EMP table with Lock table command  with USERB01 as well.

SQL> Lock table scott.emp in exclusive mode;

Table(s) Locked.

Therefore At Oracle 11g It is very dangerous to give SELECT grant table on any tables to a inquiry user. Instead , you should create views and then you should grant these views to inquiry users.

Let’s look at Oracle 12c version now.

SQL> connect appuser/oracle;
Connected.
SQL> grant READ on test to appuser03;

Grant succeeded.

SQL> connect appuser03/oracle
Connected.
SQL> select * from appuser.test;

X
———-
1
2
3

SQL> lock table appuser.test in exclusive mode;
lock table appuser.test in exclusive mode
*
ERROR at line 1:
ORA-01031: insufficient privileges

As you see; you cannot lock with READ privilege

And then check for Select for Update command;
SQL> select * from appuser.test for update of x;
select * from appuser.test for update of x
*
ERROR at line 1:
ORA-01031: insufficient privileges

Simply; After upgrade your database to Oracle 12c, recheck the privileges of  inquiry users

and use READ privileges for them.

 

Anıl Akduygu

 

 

 

 

Using Oracle exploits or Auxilaries from Metasploit Framework at Kali

At this note I will show you how you can use Oracle auxiliaries from Metasploit Framework.Because of copyright issues ; Oracle client is not pre-installed  Kali  virtual machine and therefore Oracle auxiliaries and exploits can not  be used without Oracle Client installation .

For example try to use oraenum auxiliary ;

sf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > show options

Module options (auxiliary/admin/oracle/oraenum):

Name Current Setting Required Description
—- ————— ——– ———–
DBPASS TIGER yes The password to authenticate with.
DBUSER SCOTT yes The username to authenticate with.
RHOST yes The Oracle host.
RPORT 1521 yes The TNS port.
SID ORCL yes The sid to authenticate with.

msf auxiliary(oraenum) > set SID DB11G

msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[-] Failed to load the OCI library: cannot load such file — oci8
[-] Try ‘gem install ruby-oci8’
[*] Auxiliary module execution completed
msf auxiliary(oraenum) >

As you see you are failed to load the OCI library error.

Now we will install Oracle instant Client to Kali Linux machine and link it with metasploit Framework.

1 . Download Oracle Instant Client to Kali machine

First create necessary directories to install Oracle Instant Client.

root@kali:~# mkdir /opt/oracle
root@kali:~# cd /opt/oracle
root@kali:/opt/oracle#

Download Oracle Instant client to /opt/oracle directories from below link.

http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

I use Kali linux x86-64.

1

 

you need to download  all these files to /opt/oracle directory.

  • instantclient-basic-linux-12.1.0.2.0.zip
  • instantclient-sqlplus-linux-12.1.0.2.0.zip
  • instantclient-sdk-linux-12.1.0.2.0.zip

 

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63364
-rwxr-x— 1 root root 667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle#

 

2. Install Oracle Client

Unzip the downloaded files and then make symlink operation.

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# unzip instantclient-basic-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sqlplus-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# unzip instantclient-sdk-linux.x64-12.1.0.2.0.zip

root@kali:/opt/oracle# cd instantclient_12_1
root@kali:/opt/oracle/instantclient_12_1#

symlink the shared library

root@kali:/opt/oracle/instantclient_12_1# ln libclntsh.so.12.1 libclntsh.so

root@kali:/opt/oracle/instantclient_12_1# ls -lh libclntsh.so
-rwxrwxr-x 2 root root 57M Jul 7 2014 libclntsh.so

and set Environment variables

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1

Now the Oracle client is ready ; Just check it

root@kali:/opt/oracle/instantclient_12_1# sqlplus

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 6 04:45:07 2016

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Enter user-name:

As you see SQLplus is working. You are on the right way.

3. Download the ruby gem

Now  download and extract the gem source release:

root@kali:~# cd /opt/oracle

root@kali:/opt/oracle# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
–2016-08-06 04:53:22– https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
Resolving github.com (github.com)… 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8 [following]
–2016-08-06 04:53:23– https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.1.8
Resolving codeload.github.com (codeload.github.com)… 192.30.253.121
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [application/zip]
Saving to: ‘ruby-oci8-2.1.8.zip’

ruby-oci8-2.1.8.zip [ <=> ] 295.28K 547KB/s in 0.5s

2016-08-06 04:53:24 (547 KB/s) – ‘ruby-oci8-2.1.8.zip’ saved [302365]

 

Now unzip ruby gem,

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63664
-rwxr-x— 1 root root 667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root 4096 Aug 6 04:41 instantclient_12_1
-rw-r–r– 1 root root 302365 Aug 6 04:53 ruby-oci8-2.1.8.zi

root@kali:/opt/oracle# pwd
/opt/oracle
root@kali:/opt/oracle# ls -lrt
total 63664
-rwxr-x— 1 root root 667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root 4096 Aug 6 04:41 instantclient_12_1
-rw-r–r– 1 root root 302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# unzip ruby-oci8-2.1.8.zip

inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connection_pool.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_connstr.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_datetime.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_dbi_clob.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_encoding.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_error.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_metadata.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_object.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oci8.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oracle_version.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oradate.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_oranumber.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_package_type.rb
inflating: ruby-oci8-ruby-oci8-2.1.8/test/test_rowid.rb

root@kali:/opt/oracle# ls -lrt
total 63668
drwxr-xr-x 7 root root 4096 Apr 4 2015 ruby-oci8-ruby-oci8-2.1.8
-rwxr-x— 1 root root 667174 Aug 6 04:36 instantclient-sdk-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 63352239 Aug 6 04:36 instantclient-basic-linux.x64-12.1.0.2.0.zip
-rwxr-x— 1 root root 861284 Aug 6 04:36 instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
drwxr-xr-x 3 root root 4096 Aug 6 04:41 instantclient_12_1
-rw-r–r– 1 root root 302365 Aug 6 04:53 ruby-oci8-2.1.8.zip

root@kali:/opt/oracle# cd ruby-oci8-ruby-oci8-2.1.8/
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8#

 

4. Install libgmp

Install libgmp (needed to build the gem) and set the path

root@kali:/opt/oracle# cd ruby-oci8-ruby-oci8-2.1.8/

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8#

Make an addition to PATH environment variable.

# export PATH=/opt/metasploit/ruby/bin:$PATH

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# apt-get install libgmp-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
libgmp-dev is already the newest version (2:6.1.0+dfsg-2).
libgmp-dev set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

 

5. Build and install the gem

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make
ruby -w setup.rb config
setup.rb:280: warning: assigned but unused variable – vname
setup.rb:280: warning: assigned but unused variable – desc
setup.rb:280: warning: assigned but unused variable – default2
—> lib
—> lib/oci8
<— lib/oci8
—> lib/dbd
<— lib/dbd
<— lib
—> ext
—> ext/oci8
/usr/bin/ruby2.2 /opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8/extconf.rb
checking for load library path…
LD_LIBRARY_PATH…
checking /opt/oracle/instantclient_12_1… yes
/opt/oracle/instantclient_12_1/libclntsh.so.12.1 looks like an instant client.
checking for cc… ok
checking for gcc… yes
checking for LP64… yes
checking for sys/types.h… yes
checking for ruby header… ok
checking for OCIInitialize() in oci.h… yes
checking for Oracle 8.1.0 API – start
checking for OCIEnvCreate()… yes
checking for OCILobClose()… yes
checking for OCILobCreateTemporary()… yes
checking for OCILobFreeTemporary()… yes
checking for OCILobGetChunkSize()… yes
checking for OCILobIsTemporary()… yes
checking for OCILobLocatorAssign()… yes
checking for OCILobOpen()… yes
checking for OCIMessageGet()… yes

…….

compiling object.c
compiling apiwrap.c
compiling encoding.c
compiling oranumber_util.c
compiling thread_util.c
compiling plthook_elf.c
compiling hook_funcs.c
linking shared-object oci8lib_220.so
make[1]: Leaving directory ‘/opt/oracle/ruby-oci8-ruby-oci8-2.1.8/ext/oci8’
<— ext/oci8
<— ext

And then make install

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# pwd
/opt/oracle/ruby-oci8-ruby-oci8-2.1.8
root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# make install
ruby -w setup.rb install
setup.rb:280: warning: assigned but unused variable – vname
setup.rb:280: warning: assigned but unused variable – desc
setup.rb:280: warning: assigned but unused variable – default2
—> lib
mkdir -p /usr/local/lib/site_ruby/2.2.0/
install oci8.rb /usr/local/lib/site_ruby/2.2.0/
—> lib/oci8
mkdir -p /usr/local/lib/site_ruby/2.2.0/oci8
install compat.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding-init.rb /usr/local/lib/site_ruby/2.2.0/oci8
install object.rb /usr/local/lib/site_ruby/2.2.0/oci8
install bindtype.rb /usr/local/lib/site_ruby/2.2.0/oci8
install ocihandle.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oracle_version.rb /usr/local/lib/site_ruby/2.2.0/oci8
install connection_pool.rb /usr/local/lib/site_ruby/2.2.0/oci8
install encoding.yml /usr/local/lib/site_ruby/2.2.0/oci8
install properties.rb /usr/local/lib/site_ruby/2.2.0/oci8
install datetime.rb /usr/local/lib/site_ruby/2.2.0/oci8
install cursor.rb /usr/local/lib/site_ruby/2.2.0/oci8
install oci8.rb /usr/local/lib/site_ruby/2.2.0/oci8
install metadata.rb /usr/local/lib/site_ruby/2.2.0/oci8
<— lib/oci8
—> lib/dbd
mkdir -p /usr/local/lib/site_ruby/2.2.0/dbd
install OCI8.rb /usr/local/lib/site_ruby/2.2.0/dbd
<— lib/dbd
<— lib
—> ext
—> ext/oci8
mkdir -p /usr/local/lib/x86_64-linux-gnu/site_ruby/.
install oci8lib_220.so /usr/local/lib/x86_64-linux-gnu/site_ruby/.
<— ext/oci8
<— ext

Now Try Oracle Auxiliary one more time

root@kali:/opt/oracle/ruby-oci8-ruby-oci8-2.1.8# msfconsole

msf > use auxiliary/admin/oracle/oraenum
msf auxiliary(oraenum) > set SID DB11G
SID => DB11G
msf auxiliary(oraenum) > set RHOST 192.200.11.9
RHOST => 192.200.11.9
msf auxiliary(oraenum) > run

[*] Running Oracle Enumeration….
[*] The versions of the Components are:
[*] Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 – 64bit Production
[*] PL/SQL Release 11.2.0.4.0 – Production
[*] CORE 11.2.0.4.0 Production
[*] TNS for Linux: Version 11.2.0.4.0 – Production
[*] NLSRTL Version 11.2.0.4.0 – Production
[*] Auditing:
[*] Database Auditing is enabled!
[*] Auditing of SYS Operations is not enabled!
[*] Security Settings:
[*] SQL92 Security restriction on SELECT is not Enabled
[*] UTL Directory Access is set to
[*] Audit log is saved at /u01/app/oracle/admin/DB11G/adump
[*] Password Policy:
[*] Current Account Lockout Time is set to 1
[*] The Number of Failed Logins before an account is locked is set to 10
[*] The Password Grace Time is set to 7
[*] The Lifetime of Passwords is set to 180
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] The Maximum Number of Times a Password needs to be changed before it can be reused is set to UNLIMITED
[*] The Number of Times a Password can be reused is set to UNLIMITED
[*] Password Complexity is not checked
[*] Active Accounts on the System in format Username,Password,Spare4 are:
[*] SYS,8A8F025737A9097A,S:4F2AD836742BF4940F8635AF7A23A693069E17C38FB4EB2AAEAF55EA7F07
[*] SYSTEM,2D594E86F93B17A1,S:9AAE92874C63DBC5C43CBC2A37E0C98EAEA902912442EB11BB10070F4102
[*] SCOTT,F894844C34402B67,S:046017C46BF9B45D20FE1F7746FF2346B1185F3F38CCAF3BA5526385828B
[*] USER001,98AD9BF0E3417534,S:D0C57D9B1BB122E8D3B532DFFDB8F65D02DECD724C7A0D2A98AAC28045DF
[*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
[*] OUTLN,4A3BA55E08595C81,S:9D0352F4707B0EEF41811E091AF4731E609EDFDD80ABD412B06B2A257529
[*] DIP,CE4A36B8E06CA59C,S:ADE7608F962BD12FE8A6564AA3E96EDA88FB9F2F11B79DCAE28AB902380C
[*] ORACLE_OCM,5A2E026A9157958C,S:E9F3700D7530A6F79F0C5A635B50BCB76F8C18D99D2B9331CEA52B8796A1
[*] DBSNMP,E066D214D5421CCC,S:3F2E9D45692FBD03D26B4EFC38A5461E8713636BB0F768500938D10EC563
[*] APPQOSSYS,519D632B7EE7F63A,S:5E6B6A62DE6FEF350B2C972B1B46126333BF4C37057D8EEF7FDF45ABA6C3
[*] WMSYS,7C9BA362F8314299,S:55E4A57548366A8A27A9CAA4CFE3877D645EDC790B699F809CB4B7C2493D
[*] XS$NULL,,S:000000000000000000000000000000000000000000000000000000000000
[*] EXFSYS,33C758A8E388DEE5,S:36D11106A9E7FBC3289C7683EA8

 

As you see It works

Do not forget to put all of these to .bashrc file

export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1export PATH=/opt/metasploit/ruby/bin:$PATH