Script oracle-brute-stealth
Script types: portrule
Categories: intrusive, brute
Download: https://svn.nmap.org/nmap/scripts/oracle-brute-stealth.nse
Script Summary
Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGON authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows the session key to be linked to a password hash. When an authentication attempt is initiated as a valid user, the server responds with a session key and a salt. Once these have been received, the script disconnects, so the attempt is never recorded as a login attempt. The session key and salt can then be used to brute-force the user's password offline.
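Because the connection is dropped before any logon result exists, failed-logon auditing alone does not see these probes; the listener, however, still records every connection. The following Python snippet is an added example, not part of the Nmap page or the script: it correlates constructed listener.log entries (the text listener.log layout) with a constructed, simplified list of logon audit rows and flags clients that opened a burst of connections to one SID without producing any logon audit row in the same window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed listener.log text (not real data): a burst from 10.0.0.5, one normal logon from 10.0.0.20.
LISTENER_LOG = """\
22-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51234)) * establish * ORCL * 0
22-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51235)) * establish * ORCL * 0
22-MAR-2024 10:15:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=51236)) * establish * ORCL * 0
22-MAR-2024 10:15:30 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=40000)) * establish * ORCL * 0
"""

# Constructed, simplified logon audit rows: (timestamp, client address, return code).
# A completed logon, successful or failed, produces a row; the stealth probe never gets that far.
AUDIT_ROWS = [(datetime(2024, 3, 22, 10, 15, 30), "10.0.0.20", 0)]

LINE_RE = re.compile(
    r"^(\S+ \S+) \* .*?\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=([\d.]+)\)\(PORT=\d+\)\)"
    r" \* establish \* (\w+) \* (\d+)$")

def parse_listener_log(text):
    """Return (timestamp, client_ip, sid) for each 'establish' event in listener.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_unaudited_bursts(events, audit_rows, threshold=3, window=timedelta(seconds=60)):
    """Flag (client_ip, sid, count) where a client opened >= threshold connections to one SID
    within `window` of its first connection, yet no logon audit row from it falls in that window."""
    by_client = defaultdict(list)
    for ts, ip, sid in events:
        by_client[(ip, sid)].append(ts)
    flagged = []
    for (ip, sid), stamps in by_client.items():
        stamps.sort()
        start, end = stamps[0], stamps[0] + window
        burst = [t for t in stamps if start <= t <= end]
        if len(burst) < threshold:
            continue
        audited = any(row_ip == ip and start <= row_ts <= end for row_ts, row_ip, _ in audit_rows)
        if not audited:
            flagged.append((ip, sid, len(burst)))
    return flagged

if __name__ == "__main__":
    print(find_unaudited_bursts(parse_listener_log(LISTENER_LOG), AUDIT_ROWS))
```

On a real database the audit side would come from DBA_AUDIT_TRAIL or UNIFIED_AUDIT_TRAIL rather than a hand-built list, and connection pools also open bursts of connections, so the threshold and window need tuning per environment.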
Script Arguments
- oracle-brute-stealth.johnfile: if specified, the hashes will be written to this file for use with John the Ripper (JtR)
- oracle-brute-stealth.accounts: a list of comma-separated accounts to test
- oracle-brute-stealth.sid: the instance against which to perform password guessing
- oracle-brute-stealth.nodefault: do not attempt to guess any Oracle default accounts
- passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb: see the documentation for the unpwdb library.
- creds.[service], creds.global: see the documentation for the creds library.
- tns.sid: see the documentation for the tns library.
- brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass: see the documentation for the brute library.
Example Usage
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL <host>
Script Output
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-brute-stealth:
|   Accounts
|     dummy:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - Hashed valid or invalid credentials
|     nmap:$o5logon$D1B28967547DBA3917D7B129E339F96156C8E2FE5593D42540992118B3475214CA0F6580FD04C2625022054229CAAA8D*7BCF2ACF08F15F75B579 - Hashed valid or invalid credentials
|   Statistics
|_    Performed 2 guesses in 1 seconds, average tps: 2
License: Same as Nmap--See https://nmap.org/book/man-legal.html