FEATURE REQ: Add checks for Oracle SQLDeveloper connections.xml

GhostPack / Seatbelt

Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

Other

3.76k stars 689 forks source link

FEATURE REQ: Add checks for Oracle SQLDeveloper connections.xml #20

Closed BaffledJimmy closed 3 years ago

BaffledJimmy commented 5 years ago

Hi there,

Would it be possible to incorporate support for the connections.xml file that Oracle SQLDeveloper will drop, containing hostnames and credentials? Often useful for onward lateral movement.

I believe it is stored in: \Users[User]\AppData\Roaming\SQL Developer\System\

but also often under a subfolder such as:

(Win 7) C:\Users\<username>\AppData\Roaming\SQL Developer\systemX.X.X.X.X\o.jdeveloper.db.connection.X.X.X.X.X.X.X\connections.xml or “C:\users\USER\AppData\Roaming\SQL Developer\system3.1.07.42\o.jdeveloper.db.connection.11.1.1.4.37.59.48”.

They can also be decrypted using something similar to this: https://pypi.org/project/sqldeveloperpassworddecryptor/

If I figure out how to do it within the code, I'll do a PR, but thought I'd submit this issue so that others can see it also.

HarmJ0y commented 4 years ago

We're definitely open to it if we can confirm the locations they're dropped - is there any documentation online as to the connection.xml locations?

Since I don't have a test environment, if you're able to build a module to test that'd likely be ideal, but I'll leave this issue up until a module is merged.

BaffledJimmy commented 4 years ago

Hey there :)

In Win7 they are definitely in:

C:\Users\\AppData\Roaming\SQL Developer\system\o.jdeveloper.db.connection\connections.xml

Seems to vary quite significantly depending on what version of SQLDeveloper that is running / what servers you connect to so hard to pinpoint a path. So I think some form of 'recursive listing of dirs for connections.xml within C:\Users\\AppData\Roaming\SQL Developer*' would pull them out.

Working on finding out where they are on W10 and getting a test install going.

HarmJ0y commented 4 years ago

@BaffledJimmy were you able to get a test install going by chance?

@leechristensen we could build a simple module to just test for the presence of these files, ya? Something along the lines of the DpapiMasterKeys command.

HarmJ0y commented 4 years ago

@BaffledJimmy I finally got a module built for this, and just did a PR for it to master (https://github.com/GhostPack/Seatbelt/pull/55) . Once @leechristensen approves it'll land and I'll close this issue.

cnotin commented 3 years ago

approves it'll land and I'll close this issue.

psst @HarmJ0y :) you can use a keyword such as "closes #" or "fixes #" in your PR or commit to automatically close the corresponding issue! https://docs.github.com/en/free-pro-team@latest/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword

leechristensen commented 3 years ago

Landed now as the OracleSQLDeveloper command