Continuing from Exploiting an Oracle database with Metasploit (Part 1). Here’s the next set of Metasploit exploits and scanners I’ve tried and tested.
This one just checks if your database is vulnerable to TNS poisoning:
msf auxiliary(tnspoison_checker) > info

       Name: Oracle TNS Listener Checker
     Module: auxiliary/scanner/oracle/tnspoison_checker
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-04-18

Provided by:
  ir0njaw (Nikita Kelesis) <email@example.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   192.168.56.163   yes       The target address range or CIDR identifier
  RPORT    1521             yes       The target port
  THREADS  1                yes       The number of concurrent threads

Description:
  This module checks the server for vulnerabilities like TNS Poison. Module sends a server a packet with command to register new TNS Listener and checks for a response indicating an error. If the registration is errored, the target is not vulnearble. Otherwise, the target is vulnerable to malicious registrations.
Yup, it’s vulnerable. But Metasploit doesn’t have the tools to exploit it. To be fair, you probably need to set up a listener of your own to do the exploit properly, so you would need the Oracle database software on the Kali Linux box to make it work.
For this one you don’t need a connection to the database. It only talks to the listener, asking over and over “do you have this instance? No? Do you have that instance? No?…” and so on.
msf auxiliary(win32exec) > use auxiliary/admin/oracle/sid_brute
msf auxiliary(sid_brute) > info

       Name: Oracle TNS Listener SID Brute Forcer
     Module: auxiliary/admin/oracle/sid_brute
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2009-01-07

Provided by:
  MC <firstname.lastname@example.org>

Basic options:
  Name     Current Setting                                         Required  Description
  ----     ---------------                                         --------  -----------
  RHOST    192.168.56.163                                          yes       The target address
  RPORT    1521                                                    yes       The target port
  SIDFILE  /usr/share/metasploit-framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
  SLEEP    1                                                       no        Sleep() amount between each request.

Description:
  This module simply attempts to discover the protected SID.

References:
  https://www.metasploit.com/users/mc
  http://www.red-database-security.com/scripts/sid.txt
The check comes with a list of 577 commonly used instance names: ORCL, PROD, TEST, the instance names that certain software products create, and variations on those themes. I had to add my own instance name to the list to make it come up with anything, because none of my instances had a name from the default list.
msf auxiliary(sid_brute) > run

[*] Starting brute force on 192.168.56.163, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 192.168.56.163:1521 Found SID 'KNUTSEL'
[*] Done with brute force...
[*] Auxiliary module execution completed
If you want to demo this one, I would advise you to make your own SID list, because going through the full default list takes ages. But make it long enough that you have time to look at listener.log (in $ORACLE_BASE/diag/tnslsnr/<hostname>/listener/trace), because there you’ll see that this attack can actually be detected: every wrong guess leaves an error like these:
Wed Aug 19 21:19:33 2015
19-AUG-2015 21:19:33 * (CONNECT_DATA=(SID=ORADB3)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=33181)) * establish * ORADB3 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:34 * (CONNECT_DATA=(SID=ORALIN)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=58410)) * establish * ORALIN * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:35 * (CONNECT_DATA=(SID=ORCL0)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=59442)) * establish * ORCL0 * 12505
I’m still testing some other exploits, but I have a feeling I’m missing some good scanners to fully utilize Metasploit. I’m thinking of writing my own stuff for Metasploit. For example, I’d like to see a scanner that tries to find usable database links.
The story continues, but I have a lot of other stuff to do. I’ll post info about it when I’m done.