File oracle-brute-stealth

脚本使用类型: portrule
脚本所属分类: intrusive, brute
脚本下载地址: http://nmap.org/svn/scripts/oracle-brute-stealth.nse

User Summary

Exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user the server will respond with a session key and salt. Once received the script will disconnect the connection thereby not recording the login attempt. The session key and salt can then be used to brute force the users password.

Script Arguments

oracle-brute-stealth.johnfile

- if specified the hashes will be written to this file to be used by JtR

oracle-brute-stealth.accounts

- a list of comma separated accounts to test

oracle-brute-stealth.sid

- the instance against which to perform password guessing

oracle-brute-stealth.nodefault

- do not attempt to guess any Oracle default accounts

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

Example Usage

执行格式

nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL <host>

Script Output

PORT     STATE  SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-brute-stealth: 
|   Accounts
|     dummy:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - Hashed valid or invalid credentials
|     nmap:$o5logon$D1B28967547DBA3917D7B129E339F96156C8E2FE5593D42540992118B3475214CA0F6580FD04C2625022054229CAAA8D*7BCF2ACF08F15F75B579 - Hashed valid or invalid credentials
|   Statistics
|_    Performed 2 guesses in 1 seconds, average tps: 2

Requires

• brute
• coroutine
• creds
• io
• nmap
• shortport
• stdnse
• string
• tns
• unpwdb
• openssl

Author: Dhiru Kholia

License: VER007 整理 http://www.ver007.com