with metasploit
play

with Metasploit Chris Gates (carnal0wnage) Whoami Chris Gates (CG) - PowerPoint PPT Presentation

Dec 19, 2023 •804 likes •1.46k views

Attacking Oracle Web Applications with Metasploit Chris Gates (carnal0wnage) Whoami Chris Gates (CG) Twitter carnal0wnage Blog carnal0wnage.attackresearch.com Job Sr. Security Consultant for Rapid7 Affiliations

  1. Attacking Oracle Web Applications with Metasploit Chris Gates (carnal0wnage)

  2. Whoami • Chris Gates (CG) – Twitter  carnal0wnage – Blog  carnal0wnage.attackresearch.com – Job  Sr. Security Consultant for Rapid7 – Affiliations  Attack Research, Metasploit Project • Work • Previous Talks – wXf Web eXploitation Framework – Open Source Information Gathering – Attacking Oracle (via TNS) – Client-Side Attacks 3

  3. Why Are We Here? • Here to talk about attacking oracle web applications (middleware) • What’s out there and how prevalent it is • Why so much of it is unpatched • Demo Metasploit auxiliary modules to find and attack it 4

  4. What Is Oracle Middleware? 5

  5. What is Oracle Middleware?  Enterprise Resource Planning (ERP)  Oracle E-Business Suite*  Oracle Application Server 9i/10g/11i**  Oracle Reports/Forms  Oracle Portal  Oracle Financials/Supplier/Recruitment  For Oracle lots of different products…  For this talk I’m going to lump them all together as “web applications” *Technically Oracle considers E- Business Suite an “application” as it rides on top of OAS  **weblogic  6

  6. Market Share  Big list of customers http://www.oracle.com/customers/cust  _list_atoz.html 8

  7. Reach  By now we should agree there's a lot of Oracle out there...  That's good right?  Except a lot of it is un-patched and vulnerable :-(  Why? 9

  8. How Did We Get Here?  Pay for patches  Most products are free downloads but you pay for support and patches 10

  9. How Did We Get Here?  Extremely vague advisories  Must pay for extended advisory info (metalink)  Oracle does not release POC code 11

  10. How Did We Get Here?  Extremely vague advisories 12

  11. How Did We Get Here?  Difficult patch / upgrade processes  Complex applications / If it works don't touch it mentality 13

  12. Locating Oracle Servers  Numerous server header strings:  www.owasp.org/index.php/Testing_for_Oracle  Solution:  oracle_version_scanner.rb 14

  13. Locating Oracle Servers • oracle_version_scanner.rb 15

  14. Finding Default Content  First step is to find useful “stuff”  Google/Bing useful (Google Dorks)  Issue is how to find content internal or when its not indexed  Solution:  oas_cgi_scan.rb 16

  15. Abusing Default Content  Most Oracle Middleware applications come with lots of default content  Must be manually removed (no patch to remove content)  Must know exactly where and what files to delete  Tons of information disclosure  Sometimes exploitation potential or credential leakage 18

  16. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Ships with Oracle 9.2 Database and installed by default 19

  17. Abusing Default Content Examples (DB) • /demo/sql/jdbc/JDBCQuery.jsp • Select sys.database_name • '1'='2' UNION SELECT sys.database_name, -500 FROM Dual 20

  18. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • /dav_portal/portal/ directory is protected using basic authentication. It is possible to bypass and access content of dav_portal by adding a specially crafted cookie value in the http request header. 22

  19. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • Finding vulnerable hosts: 23

  20. Abusing Default Content Examples (OAS) • oracle_dav_bypass.rb 24

  21. Abusing Default Content Examples (OAS) • Oracle Application Server 10g DAV Authentication Bypass CVE-2008-2138 • How many targets? • And… unpatched 25

  22. Abusing Default Content Examples (OAS) • /xsql/adhocsql/sqltoxml.html • Now in all fairness, this one usually doesn't work...db usually isn't set up. But sometimes it is :-) 26

  23. Abusing Default Content Examples (OAS) • Ability to run SQL Commands (database version) 27

  24. Abusing Default Content Examples (OAS) • UDDI Endpoints 33

  25. Abusing Default Content Examples (OAS) • UDDI Endpoints 34

  26. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords 35

  27. Abusing Default Content Examples (OAS) • UDDI Endpoints – Check Default Passwords (Success) 36

  28. Abusing Default Content Examples (OAS) • Info Disclosure -- /webapp/wm/javart.jsp 37

  29. Abusing Default Content Examples (OAS) • Info Disclosure 38

  30. Abusing Default Content Examples (OAS) • Info Disclosure -- /cgi-bin/printenv 39

  31. Oracle iSQLPlus • Web-based interface to the TNS Listener – Available on Oracle Database 9 & 10  oracle_isqlplus_sidbrute  oracle_isqlplus_login 41

  32. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb  Different POST requests for 9 vs 10  Module fingerprints version and chooses correct POST  Uses SID list already in Metasploit  Using error message returned by Oracle determines valid SID  Wrong SID: ORA-12154: TNS: could not resolve service name   Right SID (wrong password): ORA-01017: invalid username/password; logon denied  42

  33. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 43

  34. Oracle iSQLPlus  oracle_isqlplus_sidbrute.rb 44

  35. Oracle iSQLPlus  oracle_isqlplus_login.rb  Once we have a valid SID start checking for default user/pass accounts 47

  36. Oracle iSQLPlus  oracle_isqlplus_login.rb  Works on Oracle DB 10 as well 49

  37. Oracle Portal  Web based PL/SQL applications are enabled by the PL/SQL Gateway, which is is the component that translates web requests into database queries.  Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server  Several software implementations, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. 50

  38. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_intro.htm 51

  39. Oracle Portal Essentially the PL/SQL Gateway simply acts as a proxy • server taking the user's web request and passes it on to the database server where it is executed. 1. The web server accepts a request from a web client and determines if it should be processed by the PL/SQL Gateway. 2. The PL/SQL Gateway processes the request by extracting the requested package name, procedure, and variables. 3. The requested package and procedure are wrapped in a block of anonymous PL/SQL, and sent to the database server. 4. The database server executes the procedure and sends the results back to the Gateway as HTML. 5. The gateway sends the response, via the web server, back to the client. 52

  40. Oracle Portal  URLs for PL/SQL web applications are normally easily recognizable and generally start with the following http://www.example.com/pls/xyz  http://www.example.com/xyz/owa  http://www.example.com/xyz/portal   In this URL, xyz is the Database Access Descriptor , or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, etc 53

  41. Oracle Portal http://download.oracle.com/docs/cd/B10467_16/tour/portal_how.htm 54

  42. Oracle Portal • Database Access Descriptors  Similar to SIDs, required to interact with the portal.  Lots of defaults but can be anything alphanumeric  Common Defaults: SIMPLEDAD ORASSO HTMLDB SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO DAD OWA PROD APP 55

  43. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 56

  44. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs 57

  45. Oracle DAD Scanner • oracle_dad_scanner.rb – Scans for common Oracle DADs – Set VERBOSE to false to just see found DADs 58

  46. Oracle Portal • Verify mod_plsql gateway is running • Null is valid function and should return a 200 • Something random is not, and should return a 404 – http://www.example.com/pls/dad/null – http://www.example.com/pls/dad/nosuchfunction • If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway. • http://www.owasp.org/index.php/Testing_for_Oracle 59

  47. Oracle Portal Testing PLSQL Gateway • oracle_plsql_enabled.rb 60

  48. Oracle Portal • It is possible to exploit vulnerabilities in the PL/SQL packages that are installed by default in the database server. How you do this depends on the version of the PL/SQL Gateway. • Examples: – http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT? P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS – http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_ST MT?SQLSTMT=SELECT+1+FROM+DUAL – http://server.example.com/pls/dad/orasso.home?);execute+imm ediate+:1;--=select+1+from+dual 61

  49. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods • Based on notsosecure.com’s oap.pl http://code.google.com/p/oaphacker/ 62

  50. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Test the various PL/SQL gateway exploit methods 63

  51. Oracle Portal Exploitation • oracle_modplsql_pwncheck.rb • Attack Surface? 64

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and

who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and

METASPLOIT FOSDEM 2007 who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and project lead BreakingPoint Systems Director of Security Research FOSDEM 2007 why listen ? A great tool you can use today

403 views • 21 slides
Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th 2015 Only perform scans and exploitations after receiving permission from the owner of the machine/device. Nmap Purpose Scan a

671 views • 30 slides
Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami James Lee egypt Core Developer, Metasploit Project Working full time on Metasploit for 2 User Interface Scanning for

793 views • 60 slides
with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@]

with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@]

Attacking Oracle with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester for Security Blogger http:/ / carnal0wnage.attackresearch.com Security Twit

868 views • 54 slides
with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@]

with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@]

Attacking Oracle with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester/Security Consultant Security Blogger

360 views • 31 slides
Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti Universit` a degli Studi di Milano Table of contents 1. Basic commands in the Metasploit console 2. DEMO: exploiting Heartbleed 3. Exercises

690 views • 13 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation Security Hardwear.io Agenda Overview of what the HW Bridge is Details on how it works How you can build hardware to support Metasploit

632 views • 22 slides
Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter

623 views • 30 slides
Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack

Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack

Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our

408 views • 19 slides
Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance

382 views • 20 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the Metasploit Framework James Lee # whoami James Lee egypt Developer, Metasploit Project Co-Founder, Teardrop Security Member,

738 views • 35 slides
Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

584 views • 42 slides
Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of

693 views • 12 slides
Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY February 22. 2019 whoami AND HOW DID I GET HERE? Cecillia Tran Kelly Albrink External network pen testing & web Network pen testing,

882 views • 31 slides
Provocation #1 (by Frank van Harmelen, CIA-ws, Edinburgh, 11 Sep 2006) Ontology research

Provocation #1 (by Frank van Harmelen, CIA-ws, Edinburgh, 11 Sep 2006) Ontology research

Ontology, Scientific Method, and the Research Agenda: Two Provocations and One Argument ! o w T Hans Akkermans & Jaap Gordijn Hans A & Jaap G EKAW-06, Podebrady, CZ, 05 Oct 2006 1 Provocation #1 (by Frank van Harmelen,

334 views • 9 slides
Content CEBC Energy Efficiency Working Group 2019 ESCO Survey Profile of the

Content CEBC Energy Efficiency Working Group 2019 ESCO Survey Profile of the

Clean Energy Business Council 2019 ESCO Survey Mustapha Aanzi, CEBC Energy Efficiency Workgroup, ESCO Subgroup 15 September 2019 1 Content CEBC Energy Efficiency Working Group 2019 ESCO Survey Profile of the ESCOs

679 views • 18 slides
Woolverstone Project Pontoons different setups Pontoons Welcome Peter Hibberd

Woolverstone Project Pontoons different setups Pontoons Welcome Peter Hibberd

Woolverstone Project Pontoons different setups Pontoons Welcome Peter Hibberd Chief Instructor Woolverstone Project 18 Hansa dinghies 2 RS Ventures 3 Challengers 1 Wheelyboat 1 Sonar Waveney Sailability

581 views • 30 slides
Navigate with Covenham Sailability & NAVIGO CASE STUDY Dene Covenham has helped

Navigate with Covenham Sailability & NAVIGO CASE STUDY Dene Covenham has helped

Navigate with Covenham Sailability & NAVIGO CASE STUDY Dene Covenham has helped me learn new skills, meet new people and to get involved with group activities. Group working is not something I was used to but with the help of the

582 views • 8 slides
INTERNAL DISPLACEMENT AND CROSS BORDER MOVEMENT OF NIGERIAN NATIONALS Dr. Mary Boatemaa Setrana

INTERNAL DISPLACEMENT AND CROSS BORDER MOVEMENT OF NIGERIAN NATIONALS Dr. Mary Boatemaa Setrana

INTERNAL DISPLACEMENT AND CROSS BORDER MOVEMENT OF NIGERIAN NATIONALS Dr. Mary Boatemaa Setrana Dr. Justice Richard Kwabena Owusu Kyei SPONSORED BY UNITED NTIONS UNIVERSITY UNU-WIDER Introduction Purpose of Presentation To examine internal

446 views • 10 slides
Gender Gap and Firm Performance in Developing Countries WIDER, Helsinki October 2019 Inmaculada

Gender Gap and Firm Performance in Developing Countries WIDER, Helsinki October 2019 Inmaculada

Gender Gap and Firm Performance in Developing Countries WIDER, Helsinki October 2019 Inmaculada Martnez-Zarzoso*,** *Department of Economics, University of Gttingen, Germany **IEI, Universitat Jaume I in Castelln, Spain Outline

551 views • 38 slides
Double-dot quantum ratchet driven by an independent quantum point contact Vadim Khrapay LMU

Double-dot quantum ratchet driven by an independent quantum point contact Vadim Khrapay LMU

Double-dot quantum ratchet driven by an independent quantum point contact Vadim Khrapay LMU Munich, Germany present address: ISSP RAS, Chernogolovka, Russia Classical ratchet and a powl Spatial asymmetry is not enough for directed

414 views • 29 slides
Behavior/Collective Action Is there a Link? Arab Spring and sudden regime change in

Behavior/Collective Action Is there a Link? Arab Spring and sudden regime change in

Information Technology and Protest Behavior/Collective Action Is there a Link? Arab Spring and sudden regime change in Egypt, Tunisia, and Libya Rise of insurgent groups globally (Al Qaeda, ISIS, Boko Haram) Has info tech

1.03k views • 54 slides

More recommend