oracle-enum-users doesn’t work on Nmap 6.25

Currently I’m working on a hacking demo for the Planboard Symposium. The sessions will be on May 28th in Utrecht. The language of the sessions will be Dutch. I can’t say that the preparations are going entirely smoothly. It’s when working on these demos that I really know I’m not a real hacker. I encountered the following temporary showstoppers on my way to do this demo:

  1. I couldn’t download Oracle 11.1.0.6 or 7 anymore. OTN no longer provides these versions (and I deleted it from my hard disk, because who’s working with 11.1 anymore?) Fortunately an old colleague had a whole library of old and new Oracle RDBMS versions for most operating systems. I’m not sure he wants to be named for that 🙂 But I can see where he is going with this. Such a library can be an asset at times like these.
  2. I created a VM with the latest VMware Player, but that VM didn’t work on the VMware Server 2 setup on the laptop I borrowed. I borrowed a laptop, because I can’t run these hacker tools on my employer’s laptop (as you would expect from a bank). And at home I’m somewhat old-fashioned in that I have a powerful desktop. The people from Planboard graciously lent me their laptop and allowed me to install VMware Player. Because: VMware Server 2 (=deprecated version) and VMware Player 5 – they don’t mix. I might have seen it coming.
  3. When running Nmap, I couldn’t get any results. After a while I realized the Linux firewall was still on. So that’s what they’re for 🙂 A lot of Oracle on Linux VM guides tell you to turn off the firewall, so I don’t think I’m cheating much here.
  4. And then I tried the oracle-enum-users Nmap script from Patrik Karlsson.

I still had example commands from my old “Hack Je Eigen Database” (Hack Your Own Database) course. Everything worked in 2011/2012 with the then most recent version. Now I installed Nmap 6.25, which is the latest version now. I tried the oracle-sid-brute script and that worked beautifully after the firewall snafu.

Then I tried oracle-enum-users with this command:

nmap -d --script oracle-enum-users --script-args oracle-enum-users.sid=HACKME,userdb=D:\temp\orausers.txt -p 1521 <IP>

And I got this:

NSE: Starting oracle-enum-users against <IP>:1521.
Initiating NSE at 21:36
NSE: oracle-enum-users against <IP>:1521 threw an error!
D:\Program Files (x86)\Nmap/nselib/tns.lua:1319: attempt to index field 'socket' (a nil value)
stack traceback:
D:\Program Files (x86)\Nmap/nselib/tns.lua:1319: in function 'sendTNSPacket'
D:\Program Files (x86)\Nmap/nselib/tns.lua:1401: in function 'exchTNSPacket'
D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:64: in function 'checkAccount'
D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:119: in function <D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:99>
(...tail calls...)

Completed NSE at 21:36, 0.05s elapsed

I tried every possible way to run the script (even though the command I used was tried and tested), but to no avail. I decided that the only way to get it running might be to use the version I had used back during the course I had done. I had to guess what version that was, because I downloaded Nmap from the website every time. But I remembered it was Nmap 5, not 6.

So I installed version 5.51. And lo and behold:

Initiating NSE at 23:07
NSE: Finished oracle-enum-users against <IP>:1521.
Completed NSE at 23:07, 16.53s elapsed
Nmap scan report for <IP>
Host is up, received arp-response (0.00s latency).
Scanned at 2013-05-25 23:07:09 West-Europa (zomertijd) for 28s
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-enum-users:
|   DBSNMP is a valid user account
|   DIP is a valid user account
|   EXFSYS is a valid user account
|   MDSYS is a valid user account
|   ORDPLUGINS is a valid user account
|   ORDSYS is a valid user account
|   OUTLN is a valid user account
|   SI_INFORMTN_SCHEMA is a valid user account
|   SYS is a valid user account
|   SYSTEM is a valid user account
|   WMSYS is a valid user account
|_  XDB is a valid user account
MAC Address: <MAC> (VMware)
Final times for host: srtt: 0 rttvar: 3750  to: 100000

Whew! Another part of the demo saved.
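
An added example, not part of the original post or of Nmap: a small Python triage over `-d` output, so that a run where the script crashed is not recorded as "no accounts found". The sample text is shortened from the two runs above; the function name and result fields are assumptions of this example.

```python
import re

# Sample text shortened from the two runs shown in this post.
RUN_625 = """\
NSE: Starting oracle-enum-users against <IP>:1521.
NSE: oracle-enum-users against <IP>:1521 threw an error!
D:\\Program Files (x86)\\Nmap/nselib/tns.lua:1319: attempt to index field 'socket' (a nil value)
stack traceback:
D:\\Program Files (x86)\\Nmap/nselib/tns.lua:1319: in function 'sendTNSPacket'
Completed NSE at 21:36, 0.05s elapsed
"""
RUN_551 = """\
NSE: Finished oracle-enum-users against <IP>:1521.
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-enum-users:
|   DBSNMP is a valid user account
|   SYS is a valid user account
|_  XDB is a valid user account
MAC Address: <MAC> (VMware)
"""

ERROR_RE = re.compile(r"^NSE: (\S+) against (\S+) threw an error!$")
CAUSE_RE = re.compile(r"^(.*\.(?:lua|nse)):(\d+): (?!in function)(.+)$")
ACCOUNT_RE = re.compile(r"^\|_?\s+(\S+) is a valid user account$")

def triage(text, script="oracle-enum-users"):
    """Classify one run as 'crashed', 'findings' or 'no-output'."""
    result = {"status": "no-output", "accounts": [], "cause": None}
    crashed = False
    for line in text.splitlines():
        line = line.rstrip()
        m = ERROR_RE.match(line)
        if m and m.group(1) == script:
            crashed = True
            continue
        m = CAUSE_RE.match(line)
        if crashed and m and result["cause"] is None:
            # First error line after the crash: (file name, line number, message).
            fname = m.group(1).replace("\\", "/").rsplit("/", 1)[-1]
            result["cause"] = (fname, int(m.group(2)), m.group(3))
            continue
        m = ACCOUNT_RE.match(line)
        if m:
            result["accounts"].append(m.group(1))
    if crashed:
        result["status"] = "crashed"
    elif result["accounts"]:
        result["status"] = "findings"
    return result
```
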

Now I could try to find out if this is an Nmap 6 problem in general. But I will definitely work on my demo and presentation first (and after this busy month I might take a little break).

Also I’m working with Metasploit. That is one nifty tool. But it comes with Nmap 6.25 also, so you can expect the exact same problem in the auxiliary/scanner/oracle/oracle_login module.

I’m glad I now actually have something cool to show next Tuesday. If you’re Dutch speaking and at the Planboard Symposium, see you there.

About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four-day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.