Add the oracle-sid-brute script from Patrik Karlsson.

CHANGELOG

@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Added a new oracle-sid-brute script that checks for default Oracle
+  SIDs. The SID list was prepared by Red Database security. [Patrik
+  Karlsson]
+
 o Fixed the RTSPRequest version probe, which was accidentally modified
   to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
 

nselib/data/oracle-sids

@@ -0,0 +1,735 @@
+#!comment: This database is made by Red Database Security and was released
+#!comment: under the Nmap license by Alexander Kornbrust.
+#!comment: Ref: http://seclists.org/nmap-dev/2009/q4/645
+ORCL
+XE
+ASDB
+IASDB
+OEMREP
+ORCL.WORLD
+ADV1
+ADVCPROD
+AIX10
+AIX11
+AIX9
+APEX
+ARIS
+ASDB0
+ASDB1
+ASDB2
+ASDB3
+ASDB4
+ASDB5
+ASDB6
+ASDB7
+ASDB8
+ASDB9
+ASG817
+ASG817P
+ASG817T
+ATRPROD
+ATRTEST
+BLA
+BOOKS
+BUDGET
+C630
+CTM4_0
+CTM4_1
+CTM4_6
+D
+D10
+D8
+D9
+DB
+DB01
+DB02
+DB03
+DB1
+DB2
+DB2EDU
+DB2PROD
+DB2TEST
+DB3
+DBA
+DBA1
+DBA2
+DBA3
+DBA4
+DBA5
+DBA6
+DBA7
+DBA8
+DBA9
+DBX
+DEMO
+DEV
+DEV0
+DEV01
+DEV1
+DEV2
+DEV3
+DEV4
+DEV5
+DEV6
+DEV7
+DEV8
+DEV9
+DEVEL
+DIA1
+DIA2
+DIS
+DWH
+DWHDB
+DWHPROD
+DWHTEST
+DWRHS
+EARTH
+ELCARO
+EMRS2
+EOF
+ERP
+ESOR
+FINDEC
+FINPROD
+FNDFS_HR1
+FNDFS_HR2
+FPRD
+GR01
+GR02
+GR03
+HCDMO
+HEDGEHOG
+HPUX10
+HPUX11
+HPUX9
+HR
+HR0
+HR1
+HR2
+HR3
+HR4
+HR5
+HR6
+HR7
+HR8
+HR9
+HRDMO
+HTMLDB
+IAGTS
+INCD
+ISD01
+ISD06
+ISP
+ISP01
+ISP1
+ISP2
+ISQ1
+ITS
+IXOS
+KRAUS
+KRONOS
+LDAP
+LIN10
+LIN11
+LIN9
+LINUX101
+LINUX1011
+LINUX1012
+LINUX1013
+LINUX1014
+LINUX1015
+LINUX102
+LINUX1021
+LINUX1022
+LINUX1023
+LINUX1024
+LINUX1025
+LINUX111
+LINUX11106
+LINUX11107
+LINUX112
+LINUX11201
+LINUX817
+LINUX8171
+LINUX8172
+LINUX8173
+LINUX8174
+LINUX901
+LINUX902
+LINUX9021
+LINUX9022
+LINUX9023
+LINUX9024
+LINUX9025
+LINUX9026
+LINUX9027
+LINUX9028
+LINUX92
+LINUX9208
+LUN
+MDTEST
+MSAM
+MV713
+MYDB
+NEDB
+NORTHWIND
+OAS
+OAS1
+OAS10
+OAS2
+OAS3
+OAS4
+OAS5
+OAS6
+OAS7
+OAS8
+OAS9
+ODB
+OGDP
+OID
+OJS
+OMS
+ORA
+ORA1
+ORA10
+ORA101
+ORA10101
+ORA10101P
+ORA10101T
+ORA10102
+ORA10102P
+ORA10102T
+ORA10103
+ORA10103P
+ORA10103T
+ORA10104
+ORA10104P
+ORA10104T
+ORA10105
+ORA10105P
+ORA10105T
+ORA1011
+ORA1011P
+ORA1011T
+ORA1012
+ORA1012P
+ORA1012T
+ORA1013
+ORA1013P
+ORA1013T
+ORA1014
+ORA1014P
+ORA1014T
+ORA1015
+ORA1015P
+ORA1015T
+ORA1021
+ORA1021P
+ORA1021T
+ORA1022
+ORA1022P
+ORA1022T
+ORA1023
+ORA1023P
+ORA1023T
+ORA1024
+ORA1024P
+ORA1024T
+ORA1025
+ORA1025P
+ORA1025T
+ORA11
+ORA111
+ORA11106
+ORA11107
+ORA112
+ORA11201
+ORA11202
+ORA11g
+ORA2
+ORA3
+ORA4
+ORA5
+ORA6
+ORA7
+ORA8
+ORA805
+ORA806
+ORA815
+ORA816
+ORA817
+ORA8170
+ORA8170P
+ORA8170T
+ORA8171
+ORA8171P
+ORA8171T
+ORA8172
+ORA8172P
+ORA8172T
+ORA8173
+ORA8173P
+ORA8173T
+ORA8174
+ORA8174P
+ORA8174T
+ORA8_SC
+ORA9
+ORA910
+ORA920
+ORA9201
+ORA9201P
+ORA9201T
+ORA9202
+ORA9202P
+ORA9202T
+ORA9203
+ORA9203P
+ORA9203T
+ORA9204
+ORA9204P
+ORA9204T
+ORA9205
+ORA9205P
+ORA9205T
+ORA9206
+ORA9206P
+ORA9206T
+ORA9207
+ORA9207P
+ORA9207T
+ORA9208
+ORA9208P
+ORA9208T
+ORACL
+ORACLE
+ORADB
+ORADB1
+ORADB2
+ORADB3
+ORALIN
+ORCL0
+ORCL1
+ORCL10
+ORCL10G
+ORCL11
+ORCL11G
+ORCL2
+ORCL3
+ORCL4
+ORCL5
+ORCL6
+ORCL7
+ORCL8
+ORCL9
+ORCLA
+ORCLB
+ORCLC
+ORCLD
+ORCLE
+ORCLF
+ORCLG
+ORCLH
+ORCLI
+ORCLJ
+ORCLK
+ORCLL
+ORCLM
+ORCLN
+ORCLO
+ORCLP
+ORCLP0
+ORCLP1
+ORCLP2
+ORCLP3
+ORCLP4
+ORCLP5
+ORCLP6
+ORCLP7
+ORCLP8
+ORCLP9
+ORCLQ
+ORCLR
+ORCLS
+ORCLSOL
+ORCLT
+ORCLU
+ORCLV
+ORCLW
+ORCLX
+ORCLY
+ORCLZ
+ORIONDB
+ORTD
+P
+P10
+P10G
+P8
+P8I
+P9
+P9I
+PD1
+PINDB
+PORA10101
+PORA10102
+PORA10103
+PORA10104
+PORA10105
+PORA1011
+PORA1012
+PORA1013
+PORA1014
+PORA1015
+PORA1021
+PORA1022
+PORA1023
+PORA1024
+PORA1025
+PORA11106
+PORA11107
+PORA11201
+PORA11202
+PORA8170
+PORA8171
+PORA8172
+PORA8173
+PORA8174
+PORA9201
+PORA9202
+PORA9203
+PORA9204
+PORA9205
+PORA9206
+PORA9207
+PORA9208
+PRD
+PRITXI
+PROD
+PROD0
+PROD1
+PROD10
+PROD10G
+PROD11
+PROD11G
+PROD2
+PROD3
+PROD4
+PROD5
+PROD6
+PROD7
+PROD8
+PROD8I
+PROD9
+PROD920
+PROD9I
+PROG10
+QM
+QS
+RAB1
+RAC
+RAC1
+RAC2
+RAC3
+RAC4
+RDB
+RDS
+RECV
+REP
+REP0
+REP1
+REP2
+REP3
+REP4
+REP5
+REP6
+REP7
+REP8
+REP9
+REPO
+REPO0
+REPO1
+REPO2
+REPO3
+REPO4
+REPO5
+REPO6
+REPO7
+REPO8
+REPO9
+REPOS
+REPOS0
+REPOS1
+REPOS2
+REPOS3
+REPOS4
+REPOS5
+REPOS6
+REPOS7
+REPOS8
+REPOS9
+REPSCAN
+RIPPROD
+RITCTL
+RITDEV
+RITPROD
+RITQA
+RITTRN
+RITTST
+SA0
+SA1
+SA2
+SA3
+SA4
+SA5
+SA6
+SA7
+SA8
+SA9
+SAA
+SAB
+SAC
+SAD
+SAE
+SAF
+SAG
+SAH
+SAI
+SAJ
+SAK
+SAL
+SALES
+SAM
+SAMPLE
+SAN
+SANIPSP
+SAO
+SAP
+SAP0
+SAP1
+SAP2
+SAP3
+SAP4
+SAP5
+SAP6
+SAP7
+SAP8
+SAP9
+SAPHR
+SAQ
+SAR
+SAS
+SAT
+SAU
+SAV
+SAW
+SAX
+SAY
+SAZ
+SDB
+SENTRIGO
+SES
+SGNT
+SID0
+SID1
+SID2
+SID3
+SID4
+SID5
+SID6
+SID7
+SID8
+SID9
+SIP
+SOL10
+SOL11
+SOL9
+STAG1
+STAG2
+T1
+T10
+T101
+T102
+T2
+T3
+T4
+T7
+T71
+T72
+T73
+T8
+T80
+T81
+T82
+T9
+T91
+T92
+TEST
+TEST10G
+TEST11G
+TEST9I
+TESTORCL
+THUMPER
+TRC28
+TRIUMF
+TSH1
+TSM
+TST
+TST0
+TST1
+TST2
+TST3
+TST4
+TST5
+TST6
+TST7
+TST8
+TST9
+TYCP
+UNIX101
+UNIX1011
+UNIX1012
+UNIX1013
+UNIX1014
+UNIX1015
+UNIX102
+UNIX1021
+UNIX1022
+UNIX1023
+UNIX1024
+UNIX1025
+UNIX817
+UNIX8171
+UNIX8172
+UNIX8173
+UNIX8174
+UNIX901
+UNIX902
+UNIX9021
+UNIX9022
+UNIX9023
+UNIX9024
+UNIX9025
+UNIX9026
+UNIX9027
+UNIX9028
+V713
+VENOM
+VENU
+VISTA
+W101
+W1011
+W1012
+W1013
+W1014
+W1015
+W102
+W1021
+W1022
+W1023
+W1024
+W1025
+W111
+W11102
+W11106
+W11107
+W112
+W11201
+W817
+W8171
+W8172
+W8173
+W8174
+W901
+W902
+W9021
+W9022
+W9023
+W9024
+W9025
+W9026
+W9027
+W9028
+WEB
+WEB1
+WEB10
+WEB2
+WEB3
+WEB4
+WEB5
+WEB6
+WEB7
+WEB8
+WEB9
+WEBDEV
+WG73 
+WIN101
+WIN1011
+WIN1012
+WIN1013
+WIN1014
+WIN1015
+WIN102
+WIN1021
+WIN1022
+WIN1023
+WIN1024
+WIN1025
+WIN11
+WIN111
+WIN11106
+WIN11107
+WIN112
+WIN11201
+WIN11202
+WIN7
+WIN817
+WIN8171
+WIN8172
+WIN8173
+WIN8174
+WIN901
+WIN902
+WIN9021
+WIN9022
+WIN9023
+WIN9024
+WIN9025
+WIN9026
+WIN9027
+WIN9028
+WINDOWS101
+WINDOWS1011
+WINDOWS1012
+WINDOWS1013
+WINDOWS1014
+WINDOWS1015
+WINDOWS102
+WINDOWS1021
+WINDOWS1022
+WINDOWS1023
+WINDOWS1024
+WINDOWS1025
+WINDOWS11
+WINDOWS111
+WINDOWS11106
+WINDOWS11107
+WINDOWS112
+WINDOWS11201
+WINDOWS11202
+WINDOWS817
+WINDOWS8171
+WINDOWS8172
+WINDOWS8173
+WINDOWS8174
+WINDOWS901
+WINDOWS902
+WINDOWS9021
+WINDOWS9022
+WINDOWS9023
+WINDOWS9024
+WINDOWS9025
+WINDOWS9026
+WINDOWS9027
+WINDOWS9028
+XEXDB
+XE_XPT

scripts/oracle-sid-brute.nse

@@ -0,0 +1,167 @@
+description = [[
+Guesses Oracle instance/sid names against the TNS-listener
+]]
+
+--
+-- @usage
+-- nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 <host>
+-- nmap --script=oracle-sid-brute -p 1521-1560 <host>
+--
+-- If no oraclesids file is specified, it falls back to the default oracle-sids file
+-- License to use the oracle-sids file was granted by the author (Alexander Kornbrust) 
+-- Ref: http://seclists.org/nmap-dev/2009/q4/645
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 1521/tcp open  oracle  syn-ack
+-- | oracle-sid-brute:  
+-- |   orcl
+-- |   prod
+-- |_  devel
+--
+---
+
+-- Version 0.3
+
+-- Created 12/10/2009 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 12/11/2009 - v0.2 - Added tns_type, split packet creation to header & data
+-- Revised 12/14/2009 - v0.3 - Fixed ugly file_exist kludge
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'comm'
+require 'datafiles'
+require 'shortport'
+
+portrule = shortport.port_or_service(1521, 'oracle-tns')
+
+-- A table containing the different TNS types ... not complete :)
+local tns_type = {CONNECT=1, REFUSE=4, REDIRECT=5, RESEND=11}
+
+--- Creates a TNS header
+-- A lot of values are still hardcoded ...
+--
+-- @param packetType string containing the type of TNS packet
+-- @param packetLength number defining the length of the DATA segment of the packet
+--
+-- @return string with the raw TNS header
+--
+local function create_tns_header(packetType, packetLength)
+
+	local request = bin.pack( ">SSCCS", 
+					packetLength + 34, -- Packet Length
+					0, -- Packet Checksum
+					tns_type[packetType], -- Packet Type
+					0, -- Reserved Byte
+					0 -- Header Checksum
+					)
+  
+	return request
+
+end
+
+--- Creates a TNS connect packet
+--
+-- @param host_ip string containing the IP of the remote host
+-- @param port_no number containing the remote port of the Oracle instance
+-- @param sid string containing the SID against which to attempt to connect
+--
+-- @return string containing the raw TNS packet
+--
+local function create_connect_packet( host_ip, port_no, sid )
+	
+	local connect_data =  "(DESCRIPTION=(CONNECT_DATA=(SID=" .. sid .. ")"
+	connect_data = connect_data .. "(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
+	connect_data = connect_data .. "(ADDRESS=(PROTOCOL=tcp)(HOST=" .. host_ip .. ")"
+	connect_data = connect_data .. "(PORT=" .. port_no .. ")))"
+	
+	local data = bin.pack(">SSSSSSSSSSICCA",
+							308, -- Version
+							300, -- Version (Compatibility)
+							0, -- Service Options
+							2048, -- Session Data Unit Size
+							32767, -- Maximum Transmission Data Unit Size
+							20376, -- NT Protocol Characteristics
+							0, -- Line Turnaround Value
+							1, -- Value of 1 in Hardware
+							connect_data:len(), -- Length of connect data
+							34, -- Offset to connect data
+							0, -- Maximum Receivable Connect Data
+							1, -- Connect Flags 0
+							1, -- Connect Flags 1 
+							connect_data
+							)
+	
+
+	local header = create_tns_header("CONNECT", connect_data:len() )
+
+	return header .. data
+	
+end
+
+--- Process a TNS response and extracts Length, Checksum and Type
+--
+-- @param packet string as a raw TNS response 
+-- @return table with Length, Checksum and Type set
+--
+local function process_tns_packet( packet )
+
+	local tnspacket = {}
+	
+	-- just pull out the bare minimum to be able to match
+	_, tnspacket.Length, tnspacket.Checksum, tnspacket.Type = bin.unpack(">SSC", packet)
+	
+	return tnspacket
+	
+end
+
+action = function(host, port)
+
+	local found_sids = {}
+	local socket = nmap.new_socket()
+	local catch = function() socket:close() end
+  	local try = nmap.new_try(catch)
+	local request, response, tns_packet
+	local sidfile
+	
+	socket:set_timeout(5000)
+
+	-- open the sid file specified by the user or fallback to the default oracle-sids file
+	sidfilename = nmap.registry.args.oraclesids or nmap.fetchfile("nselib/data/oracle-sids")
+	
+	sidfile = io.open(sidfilename)
+	
+	if not sidfile then
+		return
+	end
+	
+	-- read sids line-by-line from the sidfile
+	for sid in sidfile:lines() do
+		
+		-- check for comments
+		if not sid:match("#!comment:") then
+
+			try(socket:connect(host.ip, port.number))
+			request = create_connect_packet( host.ip, port.number, sid )
+			try(socket:send(request))
+			response = try(socket:receive_bytes(1))
+			tns_packet = process_tns_packet(response)
+
+			-- If we get anything other than REFUSE consider it as a valid SID
+			if tns_packet.Type ~= tns_type.REFUSE then
+				table.insert(found_sids, sid)
+			end
+
+			try(socket:close())
+		
+		end
+
+	end
+
+	sidfile:close()
+
+	return stdnse.format_output(true, found_sids)
+
+end

scripts/script.db

@@ -38,6 +38,7 @@ Entry { filename = "mysql-info.nse", categories = { "default", "discovery", "saf
 Entry { filename = "nbstat.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "oracle-sid-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } }
 Entry { filename = "pjl-ready-message.nse", categories = { "intrusive", } }
 Entry { filename = "pop3-brute.nse", categories = { "auth", "intrusive", } }