Currently I’m working on a hacking demo for the Planboard Symposium. The sessions will be on May 28th in Utrecht. The language of the sessions will be Dutch. I can’t say that the preparations go entirely smoothly. It’s when working on these demo’s that I really know I’m not a real hacker. I encountered the following temporary showstoppers on my way to do this demo:
- I couldn’t download Oracle 220.127.116.11 or 7 anymore. OTN does no longer provide these versions (and I deleted it from my harddisk, because who’s working with 11.1 anymore?) Fortunately an old collegue had a whole library of old and new Oracle RDMBS versions for most operating systems. I’m not sure he want’s to be named for that 🙂 But I can see where he is going with this. Such a library can be an asset on times like these.
- I created a VM with the latest VMWare Player, but that VM didn’t work on the VMWare Server 2 setup on the laptop I lended. I lended a laptop, because I can’t run these hackers tools on my employer’s laptop (as you would expect from a bank). And at home I’m somewhat old-fashioned in that I have a powerful desktop. The people from Planboard graciously lended me their laptop and allowed me to install VMWare Player. Because: VMWare Server 2 (=depricated version) and VMWare Player 5 – they don’t mix. I might have seen it coming.
- When running Nmap, I couldn’t get any results. After I while I realized the Linux firewall was still on. So that’s what they’re for 🙂 A lot of Oracle on Linux VM guides tell you to turn off the firewall, so I don’t think I’m cheating much here.
- And then I tried the oracle-enum-users Nmap script from Patrik Karlsson.
I still had example commands from my old “Hack Je Eigen Database” (Hack Your Own Database) course. Everything worked in 2011/2012 with a then most recent version. Now I installed Nmap 6.25, which is the latest version now. I tried the oracle-sid-brute script and that worked beautifully after the firewall snafu.
Then I tried oracle-enum-users with this command:
nmap -d --script oracle-enum-users --script-args oracle-enum-users.sid=HACKME,userdb=D:\temp\orausers.txt -p 1521 <IP>
And I got this:
NSE: Starting oracle-enum-users against <IP>:1521.
Initiating NSE at 21:36
NSE: oracle-enum-users against <IP>:1521 threw an error!
D:\Program Files (x86)\Nmap/nselib/tns.lua:1319: attempt to index field 'socket' (a nil value)
D:\Program Files (x86)\Nmap/nselib/tns.lua:1319: in function 'sendTNSPacket'
D:\Program Files (x86)\Nmap/nselib/tns.lua:1401: in function 'exchTNSPacket'
D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:64: in function 'checkAccount'
D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:119: in function <D:\Program Files (x86)\Nmap/scripts\oracle-enum-users.nse:99>
Completed NSE at 21:36, 0.05s elapsed
I tried every possible way to run the script (even though the command I used was tried and tested), but to no avail. I decided that the only way to get it running might be to use the version I had used back during the course I had done. I had to guess what version that was, because I downloaded Nmap from the website everytime. But I remembered it was Nmap 5, not 6.
So I installed version 5.51. And lo and behold:
Initiating NSE at 23:07
NSE: Finished oracle-enum-users against <IP>:1521.
Completed NSE at 23:07, 16.53s elapsed
Nmap scan report for <IP>
Host is up, received arp-response (0.00s latency).
Scanned at 2013-05-25 23:07:09 West-Europa (zomertijd) for 28s
PORT STATE SERVICE REASON
1521/tcp open oracle syn-ack
| DBSNMP is a valid user account
| DIP is a valid user account
| EXFSYS is a valid user account
| MDSYS is a valid user account
| ORDPLUGINS is a valid user account
| ORDSYS is a valid user account
| OUTLN is a valid user account
| SI_INFORMTN_SCHEMA is a valid user account
| SYS is a valid user account
| SYSTEM is a valid user account
| WMSYS is a valid user account
|_ XDB is a valid user account
MAC Address: <MAC> (VMware)
Final times for host: srtt: 0 rttvar: 3750 to: 100000
Whew! Another part of the demo saved.
Now I could try to find out if this is a Nmap 6 problem in general. But I definately work on my demo and presentation first (and after this busy month I might take a little break).
Also I’m working with Metasploit. That is one nifty tool. But it comes with Nmap 6.25 also, so you can expect the exact same problem in the auxiliary/scanner/oracle/oracle_login module.
I’m glad I now actually have something cool to show next Tuesday. If you’re Dutch speaking and at the Planboard Symposium, see you there.