  1. Attacking Oracle with the Metasploit Framework defcon 17

  2. Who Are We?
     - Chris Gates <cg [@] metasploit.com>
     - What pays the bills
       - Pentester for
       - Security Blogger: http://carnal0wnage.attackresearch.com
       - Security Twit: Carnal0wnage
     - Want more? Chris Gates + carnal0wnage + maltego

  3. Who Are We?
     - Mario Ceballos <mc [@] metasploit.com>
     - What do I do?
       - Vulnerability Research / Exploit Development.
       - Metasploit Framework Developer. Focus is on auxiliary and exploit modules.
       - Pentesting for some company.

  4. Why Oracle?
     - Why the focus on Oracle?
       - Been on lots of pentests and seen lots of potential targets.
       - The Oracle business model allows free downloads of products, but you pay for updates. The result is tons of potential shells.
       - Privilege escalation and data theft are pretty easy, but shells are always better.

  5. Why Oracle?
     - Why the focus on Oracle?
       - Some support is provided by the commercial attack frameworks, but they really don't have much coverage for non-memory-corruption vulns.
     - Other tools that target Oracle:
       - Inguma
       - Orasploit (not public)
       - Pangolin (if you want to give your hard-earned shell back to .cn)
       - A few free commercial products focused on vulnerability assessment rather than exploitation.

  6. Current Metasploit Support
     - Some support for Oracle is already provided.
     - Exploit modules: a handful of memory corruption modules that target earlier versions of Oracle and some of its other applications.
     - Auxiliary modules: a handful of modules that assist in discovering the SID, identifying the version, SQL injection, post exploitation, and an NTLM stealer.

  7. New Metasploit Support
     - Introduction of a TNS Mixin.
       - Handles a basic TNS packet structure: "(CONNECT_DATA=(COMMAND=#{command}))"
       - Used for some of our auxiliary modules.
       - Used for our TNS exploits.
     - Introduction of an ORACLE Mixin.
       - Handles our direct database access.
       - Dependencies: Oracle Instant Client, ruby-dbi, ruby-oci8.

  8. New Metasploit Support (cont.)
     - Introduction of an ORACLE Mixin.
       - Exposes a few methods:
         - connect(): establishes a database handle.
         - disconnect(): disconnects all database handles.
         - prepare_exec(): prepares a statement, then executes it.

  9. New Metasploit Support (cont.)
     - Introduction of an ORACLE Mixin.
     - Really makes things simple:

       msf auxiliary(sql) > set SQL "select * from global_name"
       SQL => select * from global_name
       msf auxiliary(sql) > run
       [*] Sending SQL...
       [*] ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM
       [*] Done...
       [*] Auxiliary module execution completed
       msf auxiliary(sql) >

  10. Oracle Attack Methodology
     - We need 4 things to connect to an Oracle DB:
       - IP
       - Port
       - Service Identifier (SID)
       - Username/Password

  11. Oracle Attack Methodology
     - Locate Oracle Systems.
     - Determine Oracle Version.
     - Determine Oracle SID.
     - Guess/Bruteforce USER/PASS.
     - Privilege Escalation via SQL Injection.
     - Manipulate Data/Post Exploitation.
     - Cover Tracks.

  12. Oracle Attack Methodology
     - Locate Oracle Systems
       - Nmap.
       - Information Disclosure Vulns.
       - Google.

  13. Locate Oracle Systems
     - Nmap.
       - Look for common Oracle ports: 1521-1540, 1158, 5560

       cg@attack:~$ nmap -sV 192.168.0.100 -p 1521
       Interesting ports on 192.168.0.100:
       PORT     STATE SERVICE    VERSION
       1521/tcp open  oracle-tns Oracle TNS Listener

  14. Locate Oracle Systems
     - Google.
       - Google dorks to locate Oracle systems:
         intitle:iSQL intitle:Release inurl:isqlplus intitle:10.1
         inurl:pls/portal
         "Index of" "Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12
         www.red-database-security.com/wp/google_oracle_hacking_us.pdf
       - Yahoo dorks? to locate Oracle systems:
         intitle:iSQL intitle:Release inurl:isqlplus
         inurl:pls/portal
         "Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12
         www.red-database-security.com/wp/yahoo_oracle_hacking_us.pdf

  15. Locate Oracle Systems
     - Sometimes they come pre-0wned.

  16. Oracle Attack Methodology
     - Locate a system running Oracle.
     - Determine Oracle Version.
     - Determine Oracle SID.
     - Guess/Bruteforce USER/PASS.
     - Privilege Escalation via PL/SQL Injection.
     - Manipulate Data/Post Exploitation.
     - Cover Tracks.

  17. Oracle Attack Methodology
     - Determine Oracle Version.
       - tns_packet("(CONNECT_DATA=(COMMAND=VERSION))")

       msf auxiliary(tnslsnr_version) > set RHOSTS 172.10.1.107-172.10.1.110
       RHOSTS => 172.10.1.107-172.10.1.110
       msf auxiliary(tnslsnr_version) > run
       [*] Host 172.10.1.107 is running: Solaris: Version 9.2.0.1.0 - Production
       [*] Host 172.10.1.108 is running: Linux: Version 11.1.0.6.0 - Production
       [*] Host 172.10.1.109 is running: 32-bit Windows: Version 10.2.0.1.0 - Production
       [*] Auxiliary module execution completed
       msf auxiliary(tnslsnr_version) > db_notes
       [*] Time: Fri May 29 16:09:41 -0500 2009 Note: host=172.10.1.107 type=VERSION Solaris: Version 9.2.0.1.0 - Production
       …
       [*] Time: Fri May 29 16:09:44 -0500 2009 Note: host=172.10.1.109 type=VERSION data=32-bit Windows: Version 10.2.0.1.0 - Production
       msf auxiliary(tnslsnr_version) >

  18. Oracle Attack Methodology
     - Locate a system running Oracle.
     - Determine Oracle Version.
     - Determine Oracle SID.
     - Guess/Bruteforce USER/PASS.
     - Privilege Escalation via SQL Injection.
     - Manipulate Data/Post Exploitation.
     - Cover Tracks.

  19. Oracle Attack Methodology
     - Determine Oracle Service Identifier (SID).
       - tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")
       - By querying the TNS Listener directly, brute force for default SIDs, or query other components that may contain it.

       msf auxiliary(sid_enum) > run
       [*] Identified SID for 172.10.1.107: PLSExtProc
       [*] Identified SID for 172.10.1.107 : acms
       [*] Identified SERVICE_NAME for 172.10.1.107 : PLSExtProc
       [*] Identified SERVICE_NAME for 172.10.1.107 : acms
       [*] Auxiliary module execution completed
       msf auxiliary(sid_enum) > run
       [-] TNS listener protected for 172.10.1.109...
       [*] Auxiliary module execution completed

  20. Oracle Attack Methodology
     - Determine Oracle SID.
       - By querying the TNS Listener directly, brute force for default SIDs, or query other components that may contain it.

       msf auxiliary(sid_brute) > run
       [*] Starting brute force on 172.10.1.109, using sids from /home/cg/evil/msf3/dev/data/exploits/sid.txt...
       [*] Found SID 'ORCL' for host 172.10.1.109.
       [*] Auxiliary module execution completed

  21. Oracle Attack Methodology
     - Determine Oracle SID.
       - By querying the TNS Listener directly, brute force for default SIDs, or query other components that may contain it.

       msf auxiliary(sid_enum) > run
       [-] TNS listener protected for 172.10.1.108...
       [*] Auxiliary module execution completed
       msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid
       msf auxiliary(spy_sid) > run
       [*] Discovered SID: 'orcl' for host 172.10.1.108
       [*] Auxiliary module execution completed
       msf auxiliary(spy_sid) >

  22. Oracle Attack Methodology
     - Determine Oracle SID.
       - Enterprise Manager Console.

  23. Oracle Attack Methodology
     - Determine Oracle SID.
       - Enterprise Manager Console.
       - Query other components that may contain it.

       msf auxiliary(sid_enum) > run
       [-] TNS listener protected for 172.10.1.108...
       [*] Auxiliary module execution completed
       msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/oas_sid
       msf auxiliary(oas_sid) > run
       [*] Discovered SID: 'orcl' for host 172.10.1.109
       [*] Auxiliary module execution completed
       msf auxiliary(oas_sid) >

  24. Oracle Attack Methodology
     - Locate a system running Oracle.
     - Determine Oracle Version.
     - Determine Oracle SID.
     - Guess/Bruteforce USER/PASS.
     - Privilege Escalation via SQL Injection.
     - Manipulate Data/Post Exploitation.
     - Cover Tracks.

  25. Oracle Attack Methodology
     - Determine Oracle Username/Password.
       - Brute Force For Known Default Accounts.

       msf auxiliary(brute_login) > set SID ORCL
       SID => ORCL
       msf auxiliary(brute_login) > run
       .
       [-] ORA-01017: invalid username/password; logon denied
       [-] ORA-01017: invalid username/password; logon denied
       [*] Auxiliary module execution completed
       msf auxiliary(brute_login) > db_notes
       [*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data= SCOTT/TIGER
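Every probe on slides 17 through 25 passes through the TNS listener, and a listener with logging on records each one. The Ruby below is an added example written for this page from the defender's side; it is not code from the deck and not part of Metasploit. It parses the nested name-value format that the slide 7 TNS mixin builds ("(CONNECT_DATA=(COMMAND=...))"), then runs that parser over listener.log entries to flag admin commands (VERSION, STATUS and friends) that did not come from the local lsnrctl, and bursts of connections from one client address, which is what the brute_login run looks like from the listener's end. The listener.log layout (timestamp, connect data, optional protocol info, event, optional SID, return code, separated by " * "), the use of return code 1189 for a refused remote STATUS (TNS-01189), the names TnsNv, parse_listener_line and analyse, and every sample line, host name and address are assumptions made for the example.

```ruby
# Added example (not from the deck or from Metasploit): parse the TNS name-value
# strings the deck's TNS mixin builds, e.g. "(CONNECT_DATA=(COMMAND=VERSION))", then
# run the parser over listener.log entries to surface the probes and bursts the
# slides show from the attacking side. Log layout and sample lines are assumptions.
MONTHS = %w[JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC].freeze

# Stack-based parser for nested (KEY=VALUE) lists. Keys are upcased; a key that
# repeats within one list (several ADDRESS entries, say) becomes an Array.
module TnsNv
  PAIR = /\(\s*([^=()]+?)\s*=\s*(?=\()|\(\s*([^=()]+?)\s*=\s*([^()]*)\)|(\))/

  def self.parse(str)
    stack = [{}]
    str.scan(PAIR) do |open_key, leaf_key, leaf_val, _close|
      if open_key                      # "(KEY=(" opens a nested list
        child = {}
        put(stack.last, open_key.upcase, child)
        stack.push(child)
      elsif leaf_key                   # "(KEY=value)" is a leaf
        put(stack.last, leaf_key.upcase, leaf_val.strip)
      else                             # ")" closes the current list
        stack.pop
        raise ArgumentError, "unbalanced parentheses in #{str}" if stack.empty?
      end
    end
    raise ArgumentError, "unterminated list in #{str}" unless stack.length == 1
    stack.first
  end

  def self.put(hash, key, val)
    if hash.key?(key)
      hash[key] = [hash[key]] unless hash[key].is_a?(Array)
      hash[key] << val
    else
      hash[key] = val
    end
  end
end

LogEntry = Struct.new(:time, :connect, :address, :event, :sid, :rc)

# Assumed listener.log entry layout (typical of 10g/11g listeners):
#   TIMESTAMP * CONNECT_DATA [* PROTOCOL_INFO] * EVENT [* SID] * RETURN_CODE
def parse_listener_line(line)
  fields = line.split(' * ').map(&:strip)
  return nil if fields.length < 3 || fields.last !~ /\A\d+\z/
  m = fields.first.match(/\A(\d{2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\z/)
  return nil unless m && (mon = MONTHS.index(m[2].upcase))
  time = Time.utc(m[3].to_i, mon + 1, m[1].to_i, m[4].to_i, m[5].to_i, m[6].to_i)
  nv, plain = fields[1..-2].partition { |f| f.start_with?('(') }
  LogEntry.new(time, nv[0] ? TnsNv.parse(nv[0]) : {}, nv[1] ? TnsNv.parse(nv[1]) : {},
               plain[0].to_s.downcase, plain[1], fields.last.to_i)
end

ADMIN_COMMANDS = %w[VERSION STATUS SERVICES STOP RELOAD SAVE_CONFIG].freeze

# Admin commands normally come from lsnrctl on the database host, so an unknown CID
# host (client-asserted, so only a hint), no CID at all (the mixin's bare CONNECT_DATA)
# or a non-zero return code such as 1189 (TNS-01189) is worth a look. Many establish
# events from one address in a short window are the listener-side shape of a login
# brute force; the ORA-01017 rejections themselves are only in the DB audit trail.
def analyse(lines, local_hosts:, burst_threshold: 5, window: 60)
  findings = []
  recent = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    e = parse_listener_line(line) or next
    cd = e.connect['CONNECT_DATA']
    cd = {} unless cd.is_a?(Hash)
    cmd = (cd['COMMAND'] || e.event).to_s.upcase
    if ADMIN_COMMANDS.include?(cmd)
      cid_host = cd['CID'].is_a?(Hash) ? cd['CID']['HOST'].to_s : ''
      next if !cid_host.empty? && local_hosts.include?(cid_host) && e.rc == 0
      findings << [:remote_admin_command, "#{e.time} #{cmd} cid_host=#{cid_host.inspect} rc=#{e.rc}"]
    elsif e.event == 'establish'
      addr = e.address['ADDRESS']
      src = addr.is_a?(Hash) && addr['HOST'] || 'unknown'
      q = recent[src]
      q << e.time
      q.shift while q.first < e.time - window
      next unless q.length == burst_threshold
      findings << [:connection_burst, "#{src}: #{burst_threshold} connections to #{e.sid} within #{window}s"]
    end
  end
  findings
end

# Constructed sample: a local lsnrctl status, a bare VERSION probe, a STATUS refused
# with 1189, then six quick connections from one client address.
SAMPLE_LOG = [
  '29-MAY-2009 15:58:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=oradb01)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0',
  '29-MAY-2009 16:09:41 * (CONNECT_DATA=(COMMAND=VERSION)) * version * 0',
  '29-MAY-2009 16:09:44 * (CONNECT_DATA=(COMMAND=STATUS)) * status * 1189',
  *(0...6).map { |n|
    format('30-MAY-2009 08:44:%02d * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))(SERVICE_NAME=ORCL)) ' \
           '* (ADDRESS=(PROTOCOL=tcp)(HOST=172.10.1.50)(PORT=%d)) * establish * ORCL * 0', n, 40_000 + n)
  }
].freeze

analyse(SAMPLE_LOG, local_hosts: ['oradb01']).each { |kind, detail| puts "#{kind}: #{detail}" }
```

On the sample, the local lsnrctl status passes, the two bare probes and the 1189 are reported as remote admin commands, and the sixth connection from 172.10.1.50 never produces a second burst finding because the window is reported once when it first fills. The burst threshold and window are tuning knobs; a connection pool warming up looks the same from the listener, so the establish counter is a prompt to check the database audit trail for ORA-01017, not a verdict on its own.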

  26. Oracle Attack Methodology
     - Locate a system running Oracle.
     - Determine Oracle Version.
     - Determine Oracle SID.
     - Guess/Bruteforce USER/PASS.
     - Privilege Escalation via SQL Injection.
     - Manipulate Data/Post Exploitation.
     - Cover Tracks.

  27. Oracle Attack Methodology
     - Privilege Escalation via SQL Injection.
       - SQL Injection in default Oracle packages.
       - A good chunk of it executable by PUBLIC!
       - Regular SQLI requires the CREATE PROCEDURE privilege, which most default accounts possess.
       - Cursor SQLI only requires the CREATE SESSION privilege.
