o [NSE] Added a Oracle TNS library and two new scripts that make use of it.

The scripts are: - oracle-brute uses the brute and tns library to perform password guessing - oracle-enum-users attempts to determine valid Oracle user names [Patrik]
2025-12-09 06:01:28 +00:00 · 2010-08-19 23:09:32 +00:00
parent e80b196d2e
commit 87109b5670
5 changed files with 1536 additions and 2 deletions
--- a/10
+++ b/10
@@ -1,9 +1,15 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added a Oracle TNS library and two new scripts that make use of it.
+  The scripts are:
+  - oracle-brute uses the brute and tns library to perform password guessing
+  - oracle-enum-users attempts to determine valid Oracle user names
+  [Patrik]
+
 o [NSE] Added a smallish Lotus Domino rpc library (nrpc.lua) and some Lotus
  Domino oriented scripts:
-  - domino-enum-users.nse guesses users and attempts to download ID files by
-                          exploiting (CVE-2006-5835).
+  - domino-enum-users guesses users and attempts to download ID files by
+                      exploiting (CVE-2006-5835).
  - domino-enum-passwords attempts to download Internet passwords and ID files
                          from the web server.
  - domcon-brute performs password guessing against the remote console.
--- a/nselib/tns.lua
+++ b/nselib/tns.lua
--- a/scripts/oracle-brute.nse
+++ b/scripts/oracle-brute.nse
@@ -0,0 +1,137 @@
+description = [[
+Performs password guessing against Oracle
+]]
+
+---
+-- @usage
+-- nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>
+--
+-- @output
+-- PORT     STATE  SERVICE REASON
+-- 1521/tcp open  oracle  syn-ack
+-- | oracle-brute:  
+-- |   Accounts
+-- |     system:powell => Account locked
+-- |     haxxor:haxxor => Login correct
+-- |   Statistics
+-- |_    Perfomed 157 guesses in 8 seconds, average tps: 19
+--
+-- Summary
+-- -------
+--   x The Driver class contains the driver implementation used by the brute
+--     library
+--
+-- @args oracle-brute.sid the instance against which to perform password
+--       guessing
+--
+
+--
+-- Version 0.2
+-- Created 07/12/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 07/23/2010 - v0.2 - added script usage and output and 
+-- 							 - oracle-brute.sid argument
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'shortport'
+require 'brute'
+require 'tns'
+
+portrule = shortport.port_or_service(1521, "oracle-tns", "tcp", "open")
+
+Driver = 
+{
+
+	new = function(self, host, port)
+		local o = {}
+       	setmetatable(o, self)
+        self.__index = self
+		o.host = host
+		o.port = port
+		return o
+	end,
+	
+	--- Connects performs protocol negotiation
+	--
+	-- @return true on success, false on failure
+	connect = function( self )
+		local status, data 
+		self.helper = tns.Helper:new( self.host, self.port, nmap.registry.args['oracle-brute.sid'] )
+		
+		status, data = self.helper:Connect()
+		if ( not(status) ) then
+			return status, data
+		end
+		
+		return true
+	end,
+	
+	--- Attempts to login to the Oracle server
+	--
+	-- @param username string containing the login username
+	-- @param password string containing the login password
+	-- @return status, true on success, false on failure
+	-- @return brute.Error object on failure
+	--         brute.Account object on success
+	login = function( self, username, password )
+		local status, data = self.helper:Login( username, password )
+		
+		if ( status ) then
+			return true, brute.Account:new(username, password, "OPEN")
+		-- Check for account locked message
+		elseif ( data:match("ORA[-]28000") ) then
+			return true, brute.Account:new(username, password, "LOCKED")
+		-- check for any other message
+		elseif ( data:match("ORA[-]%d+")) then
+			stdnse.print_debug(3, "username: %s, password: %s, error: %s", username, password, data )
+			return false, brute.Error:new(data)
+		-- any other errors are likely communication related, attempt to re-try
+		else
+			local err = brute.Error:new(data)
+			err:setRetry(true)
+			return false, err
+		end
+
+		return false, brute.Error:new( data )
+
+	end,
+	
+	--- Disconnects and terminates the Oracle TNS communication
+	disconnect = function( self )
+		self.helper:Close()
+	end,
+	
+	--- Perform a connection with the helper, this makes sure that the Oracle
+	-- instance is correct.
+	--
+	-- @return status true on success false on failure
+	-- @return err containing the error message on failure
+	check = function( self )
+		local helper = tns.Helper:new( self.host, self.port, nmap.registry.args['oracle-brute.sid'] )
+		local status, err = helper:Connect()
+
+		if( status ) then
+			helper:Close()
+			return true
+		end
+
+		return false, err
+	end,
+	
+}
+
+
+action = function(host, port)
+	local status, result 
+	local engine = brute.Engine:new(Driver, host, port )
+	
+	if ( not( nmap.registry.args['oracle-brute.sid'] ) and not( nmap.registry.args['tns.sid'] ) ) then
+		return "ERROR: Oracle instance not set (see oracle-brute.sid or tns.sid)"
+	end
+	
+	status, result = engine:start()
+
+	return result
+end
--- a/scripts/oracle-enum-users.nse
+++ b/scripts/oracle-enum-users.nse
@@ -0,0 +1,162 @@
+description = [[
+Attempts to determine valid Oracle user names against unpatched Oracle 11g
+servers.
+
+This script does only work against Oracle 11g pre October 2009 Critical Patch
+Update (CPU).
+]]
+
+---
+-- @usage
+-- nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <host>
+--
+-- If no userdb is supplied the default userlist is used
+--
+-- @output
+-- PORT     STATE SERVICE REASON
+-- 1521/tcp open  oracle  syn-ack
+-- | oracle-enum-users:  
+-- |   haxxor is a valid user account
+-- |   noob is a valid user account
+-- |_  patrik is a valid user account
+--
+-- The get_random_string function was stolen from Ron's smb code
+--
+-- @args oracle-enum-users.sid the instance against which to attempt user
+--       enumeration
+
+-- Version 0.3
+
+-- Created 12/07/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 21/07/2010 - v0.2 - revised to work with patched systems <patrik>
+-- Revised 21/07/2010 - v0.3 - removed references to smb in get_random_string
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "auth"}
+
+require 'shortport'
+require 'tns'
+require 'unpwdb'
+
+portrule = shortport.port_or_service(1521, 'oracle-tns' )
+
+local function checkAccount( host, port, user )
+	
+	local helper = tns.Helper:new( host, port, nmap.registry.args['oracle-enum-users.sid'] )
+	local status, data = helper:Connect()
+	local tnscomm, auth
+	local auth_options = tns.AuthOptions:new()
+	
+	
+	if ( not(status) ) then
+		return false, data
+	end
+
+	-- A bit ugly, the helper should probably provide a getSocket function
+	tnscomm = tns.Comm:new( helper.tnssocket )
+	
+	status, auth = tnscomm:exchTNSPacket( tns.Packet.PreAuth:new( user, auth_options ) )
+	if ( not(status) ) then
+		return false, auth
+	end
+	helper:Close()
+	
+	return true, auth["AUTH_VFR_DATA"]	
+end
+
+---Generates a random string of the requested length. This can be used to check how hosts react to 
+-- weird username/password combinations. 
+--@param length (optional) The length of the string to return. Default: 8. 
+--@param set    (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore. 
+--@return The random string. 
+local function get_random_string(length, set)
+	if(length == nil) then
+		length = 8
+	end
+
+	if(set == nil) then
+		set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
+	end
+
+	local str = ""
+
+	-- Seed the random number, if we haven't already
+	if (not(nmap.registry.oracle_enum_users) or not(nmap.registry.oracle_enum_users.seeded)) then
+		math.randomseed(os.time())
+		nmap.registry.oracle_enum_users = {}
+		nmap.registry.oracle_enum_users.seeded = true
+	end
+
+	for i = 1, length, 1 do
+		local random = math.random(#set)
+		str = str .. string.sub(set, random, random)
+	end
+
+	return str
+end
+
+
+
+action = function( host, port )
+
+	local known_good_accounts = { "system", "sys", "dbsnmp", "scott" }
+
+	local status, salt
+	local count = 0
+	local result = {}
+	local usernames
+	
+	if ( not( nmap.registry.args['oracle-enum-users.sid'] ) and not( nmap.registry.args['tns.sid'] ) ) then
+		return "ERROR: Oracle instance not set (see oracle-brute.sid or tns.sid)"
+	end
+	
+	status, usernames = unpwdb.usernames()
+	if( not(status) ) then
+		return stdnse.format_output(true, "ERROR: Failed to load the usernames dictionary")
+	end
+	
+	-- Check for some known good accounts
+	for _, user in ipairs( known_good_accounts ) do
+		status, salt = checkAccount(host, port, user)
+		if( not(status) ) then return salt	end
+		if ( salt ) then
+			count = count + #salt
+		end
+	end
+	
+	-- did we atleast get a single salt back?
+	if ( count < 20 ) then
+		return stdnse.format_output(true, "ERROR: None of the known accounts were detected (oracle < 11g)")
+	end
+	
+	-- Check for some known bad accounts
+	count = 0
+	for i=1, 10 do
+		local user = get_random_string(10)
+		status, salt = checkAccount(host, port, user)
+		if( not(status) ) then return salt	end
+		if ( salt ) then
+			count = count + #salt
+		end
+	end
+
+	-- It's unlikely that we hit 3 random combinations as valid users
+	if ( count > 60 ) then
+		return stdnse.format_output(true, ("ERROR: %d of %d random accounts were detected (Patched Oracle 11G or Oracle 11G R2)"):format(count/20, 10))
+	end
+	
+	for user in usernames do
+		status, salt = checkAccount(host, port, user)
+		if ( not(status) ) then return salt end
+		if ( salt and #salt == 20 ) then
+			table.insert( result, ("%s is a valid user account"):format(user))
+		end
+	end
+	
+	if ( #result == 0 ) then
+		table.insert( result, "Failed to find any valid user accounts")
+	end
+	
+	return stdnse.format_output(true, result)
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -87,6 +87,8 @@ Entry { filename = "nfs-showmount.nse", categories = { "discovery", "safe", } }
 Entry { filename = "nfs-statfs.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ntp-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ntp-monlist.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "oracle-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "oracle-enum-users.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "oracle-sid-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "p2p-conficker.nse", categories = { "default", "safe", } }
 Entry { filename = "pgsql-brute.nse", categories = { "auth", "intrusive", } }