OAK
The Oracle Assessment Kit (OAK) was released in early 2007 by David Litchfield as a basic enumeration suite, ideal for the first stage of a penetration test or for use on an Oracle vulnerability assessment engagement.
OAK consists of a number of distinct tools:
- ora-getsid - Enumerates the SID based on a user-supplied dictionary.
- ora-auth-alter-session - Demonstrates the ora-auth-alter-session exploit.
- ora-brutesid - Brute force attack against an Oracle SID.
- ora-pwdbrute - Brute force password attack against Oracle user accounts with a pre-supplied dictionary.
- ora-userenum - Dictionary-driven attack to enumerate specific users on an Oracle database.
- ora-ver - TNS Listener enumeration, akin to the tnsver tool released at BlackHat in 2006.
It is available from here.
Installation:
Simply extract the zip file, all source code is also included.
Syntax and example output:
Ora-getsid:
ora-getsid host port sidlistfile
C:\va_oracle\OAK>ora-getsid.exe 200.100.100.120 1521 sidlist.txt
Found SID: DATABASE
Ora-auth-alter-session:
ora-auth-alter-session host port sid username password sql
The following references explain this exploit further:
Ora-brutesid:
ora-brutesid host port start
Ora-pwdbrute:
ora-pwdbrute host port sid username password-file
C:\va_oracle\OAK>ora-pwdbrute.exe 200.100.100.120 1521 database test passwords.txt
Version: Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
Password is ARSENAL
32 checked
Ora-userenum:
ora-userenum host port sid userlistfile
C:\va_oracle\OAK>ora-userenum.exe 200.100.100.120 1521 database userlist.txt
SYS exists
SYSTEM exists
MARKEROULN does not exist
XDB does not exist
DBNSMP exists
MARKERSCOTT does not exist
WMSYS does not exist
CTXSYS exists
MDSYS exists
QS exists
SH exists
AASH exists
MARKERABA1 does not exist
ABM does not exist
MARKERADAMS does not exist
MARKERADS does not exist
ADSEUL_US does not exist
MARKERAHL does not exist
MARKERAHM does not exist
AK does not exist
MARKERAL does not exist
MARKERALA1 does not exist
ALLUSERS does not exist
MARKERALR does not exist
MARKERAMA1 does not exist
AMA2 does not exist
MARKERAMA3 does not exist
------abridged--------------------------
Ora-ver:
All options:
Get Version From Error: ora-ver -e host port
Get Version From TTI Function: ora-ver -f host port sid
Get Version From Listener: ora-ver -l host port
Get Version From ANO: ora-ver -a host port sid
C:\va_oracle\OAK>ora-ver.exe -e 200.100.100.120 1521
Packet size doesn't match bytes received.
Not enough data.
C:\va_oracle\OAK>ora-ver.exe -l 200.100.100.120 1521
Packet: 1
Size: 69
Type: TNS_ACCEPT
0000 00 45 00 00 02 00 00 00 01 34 00 01 08 00 7F FF .E.......4....
0010 01 00 00 2D 00 18 0D 01 28 44 45 53 43 52 49 50 ...-....(DESCRIP
0020 54 49 4F 4E 3D 28 54 4D 50 3D 29 28 56 53 4E 4E TION=(TMP=)(VSNN
0030 55 4D 3D 31 35 33 30 39 32 33 35 32 29 28 45 52 UM=153092352)(ER
0040 52 3D 30 29 29 R=0))
Packet: 1
Size: 399
Type: TNS_DATA
Data Flags: 00
Type: Unknown
0000 01 8F 00 00 06 00 00 00 00 00 54 4E 53 4C 53 4E .Å........TNSLSN
0010 52 20 66 6F 72 20 33 32 2D 62 69 74 20 57 69 6E R for 32-bit Win
0020 64 6F 77 73 3A 20 56 65 72 73 69 6F 6E 20 39 2E dows: Version 9.
0030 32 2E 30 2E 31 2E 30 20 2D 20 50 72 6F 64 75 63 2.0.1.0 - Produc
0040 74 69 6F 6E 0A 09 54 4E 53 20 66 6F 72 20 33 32 tion..TNS for 32
0050 2D 62 69 74 20 57 69 6E 64 6F 77 73 3A 20 56 65 -bit Windows: Ve
0060 72 73 69 6F 6E 20 39 2E 32 2E 30 2E 31 2E 30 20 rsion 9.2.0.1.0
0070 2D 20 50 72 6F 64 75 63 74 69 6F 6E 0A 09 4F 72 - Production..Or
0080 61 63 6C 65 20 42 65 71 75 65 61 74 68 20 4E 54 acle Bequeath NT
0090 20 50 72 6F 74 6F 63 6F 6C 20 41 64 61 70 74 65 Protocol Adapte
00A0 72 20 66 6F 72 20 33 32 2D 62 69 74 20 57 69 6E r for 32-bit Win
00B0 64 6F 77 73 3A 20 56 65 72 73 69 6F 6E 20 39 2E dows: Version 9.
00C0 32 2E 30 2E 31 2E 30 20 2D 20 50 72 6F 64 75 63 2.0.1.0 - Produc
00D0 74 69 6F 6E 0A 09 57 69 6E 64 6F 77 73 20 4E 54 tion..Windows NT
00E0 20 4E 61 6D 65 64 20 50 69 70 65 73 20 4E 54 20 Named Pipes NT
00F0 50 72 6F 74 6F 63 6F 6C 20 41 64 61 70 74 65 72 Protocol Adapter
0100 20 66 6F 72 20 33 32 2D 62 69 74 20 57 69 6E 64 for 32-bit Wind
0110 6F 77 73 3A 20 56 65 72 73 69 6F 6E 20 39 2E 32 ows: Version 9.2
0120 2E 30 2E 31 2E 30 20 2D 20 50 72 6F 64 75 63 74 .0.1.0 - Product
0130 69 6F 6E 0A 09 57 69 6E 64 6F 77 73 20 4E 54 20 ion..Windows NT
0140 54 43 50 2F 49 50 20 4E 54 20 50 72 6F 74 6F 63 TCP/IP NT Protoc
0150 6F 6C 20 41 64 61 70 74 65 72 20 66 6F 72 20 33 ol Adapter for 3
0160 32 2D 62 69 74 20 57 69 6E 64 6F 77 73 3A 20 56 2-bit Windows: V
0170 65 72 73 69 6F 6E 20 39 2E 32 2E 30 2E 31 2E 30 ersion 9.2.0.1.0
0180 20 2D 20 50 72 6F 64 75 63 74 69 6F 6E 2C 2C - Production,,
Packet: 2
Size: 10
Type: TNS_DATA
Data Flags: 40
Type: NULL
0000 00 0A 00 00 06 00 00 00 00 40 .........@
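The packets in the ora-ver -l dump above follow TNS framing: an 8-byte header carrying a big-endian length and a type byte, then a type-specific body. The parser below is an added example (not part of OAK or its author's code) that re-assembles the 69-byte TNS_ACCEPT packet from the dump, applies the same length check whose failure the -e run above reports, and turns the VSNNUM value into the 9.2.0.1.0 release string. The 8/4/8/4/8-bit VSNNUM layout and the 2-byte data-flags field at offset 8 of a TNS_DATA packet are assumptions taken from common TNS dissectors, not something the page states.

```python
import re
import struct

# TNS packet type codes (byte 4 of the 8-byte header), as labelled in the ora-ver dump
TNS_ACCEPT = 2
TNS_DATA = 6

def parse_tns_header(pkt: bytes) -> dict:
    """Parse the 8-byte TNS header and check its length field against the bytes received."""
    if len(pkt) < 8:
        raise ValueError("Not enough data.")
    length, checksum, ptype, reserved, hdr_checksum = struct.unpack(">HHBBH", pkt[:8])
    if length != len(pkt):
        raise ValueError("Packet size doesn't match bytes received.")
    return {"length": length, "type": ptype}

def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the release as 8/4/8/4/8-bit fields (assumed layout): 0x09200100 -> 9.2.0.1.0."""
    return "%d.%d.%d.%d.%d" % ((vsnnum >> 24) & 0xFF, (vsnnum >> 20) & 0xF,
                               (vsnnum >> 12) & 0xFF, (vsnnum >> 8) & 0xF, vsnnum & 0xFF)

def parse_tns_accept(pkt: bytes) -> dict:
    """Decode TNS_ACCEPT: fixed fields at offset 8, then the connect data string at data_off."""
    if parse_tns_header(pkt)["type"] != TNS_ACCEPT:
        raise ValueError("not a TNS_ACCEPT packet")
    (tns_version, svc_opts, sdu, tdu, byte_order,
     data_len, data_off, flags0, flags1) = struct.unpack(">HHHHHHHBB", pkt[8:24])
    data = pkt[data_off:data_off + data_len].decode("ascii")
    m = re.search(r"VSNNUM=(\d+)", data)
    vsnnum = int(m.group(1)) if m else None
    return {"tns_version": tns_version, "sdu": sdu, "tdu": tdu, "data": data,
            "vsnnum": vsnnum, "oracle_version": decode_vsnnum(vsnnum) if vsnnum else None}

def parse_tns_data(pkt: bytes) -> dict:
    """Decode TNS_DATA: 2-byte data flags at offset 8 (assumed), payload after them."""
    if parse_tns_header(pkt)["type"] != TNS_DATA:
        raise ValueError("not a TNS_DATA packet")
    (flags,) = struct.unpack(">H", pkt[8:10])
    return {"data_flags": flags, "payload": pkt[10:]}

# The 69-byte TNS_ACCEPT packet from the ora-ver -l dump, re-assembled byte for byte.
ACCEPT_PKT = (bytes.fromhex("0045000002000000" "0134000108007fff" "0100002d00180d01")
              + b"(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))")
# The trailing 10-byte TNS_DATA packet from the same dump (Data Flags: 40, empty payload).
EOF_PKT = bytes.fromhex("000a000006000000" "0040")

if __name__ == "__main__":
    print(parse_tns_accept(ACCEPT_PKT))
    print(parse_tns_data(EOF_PKT))
```

Run over captured TNS traffic, the same header parser lets a defender inventory which listeners on a network still answer an unauthenticated version query, which is the exposure ora-ver demonstrates.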