Nmap Development mailing list archives
Re: Script suggestion - oracle
From: David Fifield <david () bamsoftware com>
Date: Sat, 29 Sep 2012 10:10:58 -0700
On Fri, Sep 28, 2012 at 10:59:14AM +0200, Martin Holst Swende wrote:
I took a look at this http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol Then checked tns.lua. Patrik has implemented TNS far enough it seems, there is implementation support for enumerating users and getting the salt (auth["AUTH_VFR_DATA"] ) and session key. As I interpret the info given above and in the comments on http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular ), it seems like the session key is encrypted with SHA1(salt+pw), and it is possible to determine whether the decryption is correct or not, and thereby determine what the password is. More info about this will probably be released soon, would be solid script to add to NSE. Since enumeration is already implemented, a script could just get all users and their passwords in one go. That's pretty awesome.
I made a script ideas entry for it. https://secwiki.org/w/Nmap/Script_Ideas#oracle-dump-hashes oracle-dump-hashes might not be the best name. I was thinking the script could just dump the keys or hashes or whatever, and an offline tool (or postrule script) could crack them. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Script suggestion - oracle Martin Holst Swende (Sep 28)
- Re: Script suggestion - oracle David Fifield (Sep 29)
- Re: Script suggestion - oracle Dhiru Kholia (Sep 29)
- Re: Script suggestion - oracle David Fifield (Sep 29)