Saturday, January 10, 2009

Oracle SID Enumeration Metasploit Auxiliary Module

I recently pushed out (again with MC's help) an Oracle SID enumeration MSF auxiliary module for Oracle versions less than Oracle 10g Release 2. Starting with 10g Release 2 the TNS listener is protected and won't just cough up the SID for free; you'll have to guess it or brute force it (hopefully the SID guess module will come soon).

Here it is in action:

msf > use auxiliary/admin/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration.
Version: $Revision$

Provided by:

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  1521             yes       The target port

This module simply queries the TNS listner for the Oracle SID. With
10g Release 2 and above the listener will be protected and the SID
will have to be bruteforced or guessed.

msf auxiliary(oracle_sid) > set RHOST
msf auxiliary(oracle_sid) > run

[*] Identified SID for admin1
[*] Identified SID for admin2
[*] Identified SID for database
[*] Identified SID for dba3
[*] Identified SID for dba5
[*] Identified SID for dba7
[*] Identified SERVICE_NAME for admin1
[*] Identified SERVICE_NAME for admin2
[*] Identified SERVICE_NAME for database
[*] Identified SERVICE_NAME for dba3
[*] Identified SERVICE_NAME for dba5
[*] Identified SERVICE_NAME for dba7
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >

If it's protected you'll see this:

msf auxiliary(oracle_sid) > set RHOST
msf auxiliary(oracle_sid) > run

[-] TNS listener protected for
[*] Auxiliary module execution completed

If you are on the MSF 3.3 trunk, an svn update should be all you need to do.
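
For anyone auditing their own listeners, the two outcomes shown above can be told apart from the text of the listener's STATUS reply. The following is an added example, not the module's code and not from the original post: the hostnames and reply strings are constructed, and the field names (INSTANCE_NAME, SERVICE_NAME, ERROR_STACK, CODE) are assumed from the usual listener reply layout.

```ruby
# Added example: classify saved Oracle TNS listener STATUS replies (text form)
# to find listeners that disclose SIDs without authentication.
# Field names are an assumption about the reply layout; samples are constructed.

PROTECTED_MARK = /ERROR_STACK/            # listener refused the unauthenticated STATUS
SID_FIELD      = /INSTANCE_NAME=([^)]+)/
SERVICE_FIELD  = /SERVICE_NAME=([^)]+)/

# Returns a hash describing what one listener reply discloses.
def classify_reply(reply)
  text = reply.to_s
  return { state: :no_reply, sids: [], services: [] } if text.strip.empty?
  if text =~ PROTECTED_MARK
    code = text[/\(CODE=(\d+)\)/, 1]      # error code carried in the refusal, if any
    return { state: :protected, error_code: code, sids: [], services: [] }
  end
  sids     = text.scan(SID_FIELD).flatten.map(&:strip).uniq
  services = text.scan(SERVICE_FIELD).flatten.map(&:strip).uniq
  state = sids.empty? && services.empty? ? :unknown : :exposed
  { state: state, sids: sids, services: services }
end

# Builds a per-listener report and lists the hosts whose listener gave names away.
def audit(replies)
  report  = replies.transform_values { |r| classify_reply(r) }
  exposed = report.select { |_, v| v[:state] == :exposed }.keys.sort
  { report: report, exposed: exposed }
end

# Constructed sample replies keyed by a hypothetical hostname.
SAMPLE_REPLIES = {
  "db-old.example" => "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER))" \
    "(SERVICE=(SERVICE_NAME=admin1)(INSTANCE=(INSTANCE_NAME=admin1)(NUM=1)))" \
    "(SERVICE=(SERVICE_NAME=dba3)(INSTANCE=(INSTANCE_NAME=dba3)(NUM=1)))",
  "db-new.example" => "(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=1189)" \
    "(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))",
  "db-down.example" => ""
}

if __FILE__ == $PROGRAM_NAME
  result = audit(SAMPLE_REPLIES)
  result[:report].each do |host, r|
    puts "#{host}: #{r[:state]} sids=#{r[:sids].join(',')} services=#{r[:services].join(',')}"
  end
  puts "Listeners disclosing SIDs: #{result[:exposed].join(', ')}"
end
```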
