Next Tuesday I’ll be doing an Oracle database hacking course for team members at my work. (Because the best way to gain security awareness is to learn to hack.) We’ll be doing SQL injection, port scanning with Nmap, network sniffing with Wireshark, password cracking with woraauthbf. It’s going to be a blast. But there is one thing that would just be supercool to have in the course: Metasploit running exploits against an Oracle database. Nothing says “hacking is that easy” like a tool that has a database with many exploits, ready to use. Except... hacking is NOT that easy. Not with Metasploit against Oracle anyhow. I just can’t seem to get the OCI drivers working.
I’m not asking for much. All I want is a virtual machine with a Linux distro and an Oracle 11g database running, and Metasploit installed and able to connect to the database from Metasploit with OCI. Oh, and while we’re at it, I would like to be able to copy and paste between my virtual machine and the “mother host”, and dragging and dropping files would be even better. In VirtualBox, you’ll need to run the Guest Additions on your VM for that.
For the other assignments I want to run the oldest version of Oracle 11g available, 126.96.36.199. The older the software, the more exploits are available and thus the chance to experience how hackers approach an Oracle database. Oracle 188.8.131.52 by the way isn’t exactly available in the sense that you can download it from Oracle’s sites, but luckily a former colleague did have it in his software library. For such an old version, you need an older Linux distro. CentOS 5.9 worked just fine. Everything worked fine. But installing Metasploit? That’s another thing. After some digging, I found out it required GLIBC2.6 (after I first found out I ran out of disk space and that that was the reason I didn’t get a proper error message before). That’s not on CentOS 5.9 then.
Now I decided that if I was to have any success at all, I’d better make a separate VM for this, with an Oracle 11g database and all. So I tried CentOS 6.4, because I had the downloads already on disk. And, very important, after installing CentOS 6.4, the VirtualBox Guest Additions worked well. Of course Oracle 11g R1 wouldn’t install here, so I installed Oracle 11g R2. So far so good. Installing Metasploit went on without a hitch.
And then it was time to install the OCI drivers for Ruby, which Metasploit needed. First I needed Oracle Instant Client. And as about every blog post and site about installing Oracle OCI drivers for Metasploit advised, I installed Oracle Instant Client 10g. I’ve tried to install these drivers before and I can tell you, these don’t install without a fight. So it’s best not to deviate in any way when you start this endeavour.
I unzipped ruby-oci8-2.1.5.tar.gz. Made sure all possibly necessary environment variables were set twice. And I ran “ruby setup.rb config”. Which was responded to in kind with the message that Ruby wasn’t found. Ruby is part of the Metasploit installation, but not added to the PATH variable. So I ran “/opt/metasploit/ruby/bin/ruby setup.rb config” and there it started. And it stopped. The error was:
Error Message: The compiler failed to generate an executable file. You have to install development tools first.
Hmm? What development tools? Ruby development tools? Perhaps the Ruby installation that came with Metasploit? I tried many ways around this, but it was the same dead end I got into a couple of months ago.
I’ve read a couple of blogs about installing Oracle drivers for Metasploit on Kali Linux. Kali is a Debian Linux distribution for penetration testing. It is apparently the rebirth of Backtrack. Maybe I could do this thing the other way around? Install Kali, which comes with Metasploit, and then install Oracle and OCI drivers? It was only a different Linux distro. “How hard could it be?”... is one phrase I didn’t dare to utter during this whole process.
The setup of Kali on a VirtualBox VM went quickly enough. During installation of Kali I found out I needed to choose Dutch settings to choose a local timezone. But that resulted in a complete translation of Linux and all messages in Dutch. Which is not as convenient as it sounds for a Dutch-speaking user. Imagine the niche of people that want to use Metasploit against Oracle. Now imagine the niche of the niche of that set that encounters Dutch error messages and shares solutions for those on the Internet. It’s a population of zero and I definitely encountered errors.
To be exact, I encountered them immediately when I wanted to install the VirtualBox Guest Additions. Apparently libssl was of a different version, or something was holding it. Having these error messages translated into my native language didn’t do wonders for the clarity of the message. Anyhow, I’m not going along without the Guest Additions, because no Guest Additions means I have to type over commands (and long error messages) all the time.
So where to go next? One way is to have Metasploit from the Kali distribution (supposing I will have a splendidly working OCI driver there) communicate with the VM with my Oracle 11g R1 database. I shudder when I type this, because the idea of having to make a working network connection between my host and the VM (after I changed the VM to a static IP address) for me usually already is a trial and error affair. Now imagine having to make a connection between two VMs. Hours of frustration guaranteed.
Another way to go is not to rely on the Ruby that came with Metasploit and install a different version in a different path. Maybe I could even run a fabled command called “gem install ruby-oci8”. I heavily doubt it will work, but maybe tomorrow I’ll go “once more unto the breach”.