quentinhardy / odat

ODAT: Oracle Database Attacking Tool

stealremotepwds - different salts for same user? #11

Closed Meatballs1 closed 8 years ago

Meatballs1 commented 8 years ago

If I use --test-module I get the same salt each time for a specific user (I already know the password).

If I use --get-all-passwords I get a different salt than for the test-module.

If I try decrypt-sessions on the known user it won't decrypt the values? :(

Meatballs1 commented 8 years ago

None being passed to the connection method:

09:49:02 INFO -: Getting remote passwords of 2 users
09:49:02 INFO -: Try to get the session key and salt of the XXXX user
09:49:02 DEBUG -: Session key and salt are now emply
09:49:02 DEBUG -: Sniffing is running in a new thread
09:49:02 DEBUG -: Session key and salt are now emply
09:49:02 DEBUG -: Waiting 3 seconds
09:49:05 DEBUG -: Connection to the database via a new thread with the username None
09:49:05 DEBUG -: Connecting with None/aaaaaaa@
09:49:05 INFO -: We have captured the session key: 
09:49:05 INFO -: We have captured the salt: 

Meatballs1 commented 8 years ago

Maybe not being passed correctly b = Thread(None, self.__try_to_connect__, None, (), {'args':self.args}) ?

Meatballs1 commented 8 years ago

Ah fix below:

    def __try_to_connect__(self, user):
        '''
        Establish a connection to the database
        '''
        import cx_Oracle
        try:
            connectString = "{0}/{1}@{2}:{3}/{4}".format(user, 

It was trying to use self.args['user'] instead of the username from the thread kwargs

    def getAPassword(self, user):
        '''
        Sniff the session key and salt while connecting as one user
        '''
        self.__resetSessionKeyValueAndSalt__()
        logging.debug("Sniffing is running in a new thread")
        a = Thread(None, self.__sniff_sessionkey_and_salt__, None, (), {'ip': self.args['server'], 'port': self.args['port']})
        a.start()
        logging.debug("Waiting 3 seconds")
        sleep(3)
        logging.debug("Connection to the database via a new thread with the username {0}".format(user))
        b = Thread(None, self.__try_to_connect__, None, (), {'user': user})
        b.start()
        b.join()
        a.join()
        return "", ""

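The bug in this comment is a thread-argument mix-up: the connection worker read the username from the shared `self.args` dict (which has no `user` entry in the get-all-passwords path) instead of from the `user` keyword passed to the `Thread`. The following is an added, self-contained illustration of that pattern and its fix; it is not ODAT's code. `RemotePasswordGrabber`, the `args` dict and the password `aaaaaaa` are constructed, no database or network is touched, and the worker only builds the connect string that the log line above shows being used.

```python
import threading
from queue import Queue


class RemotePasswordGrabber:
    """Toy model of the per-user connection thread (constructed example)."""

    def __init__(self, args):
        # Constructed args: server/port/sid/password, but no 'user' key,
        # which is exactly the situation in the --get-all-passwords path.
        self.args = args
        self.results = Queue()

    def _connect_string(self, user):
        # user/password@server:port/sid, same shape as "Connecting with None/aaaaaaa@..."
        return "{0}/{1}@{2}:{3}/{4}".format(
            user, self.args["password"], self.args["server"],
            self.args["port"], self.args["sid"])

    def _try_to_connect_buggy(self, user=None):
        # BUG: ignores the kwarg and reads the shared dict -> None for every user
        self.results.put(self._connect_string(self.args.get("user")))

    def _try_to_connect_fixed(self, user):
        # FIX: the username comes from the Thread kwargs, one value per thread
        self.results.put(self._connect_string(user))

    def get_a_password(self, user, fixed=True):
        target = self._try_to_connect_fixed if fixed else self._try_to_connect_buggy
        # Positional form used in ODAT: Thread(group, target, name, args, kwargs)
        b = threading.Thread(None, target, None, (), {"user": user})
        b.start()
        b.join()
        return self.results.get()


def connect_strings(users, fixed=True):
    """Return the connect string each worker thread would use, per user."""
    grabber = RemotePasswordGrabber({
        "server": "db.example", "port": 1521, "sid": "ORCL", "password": "aaaaaaa",
    })
    return [grabber.get_a_password(u, fixed=fixed) for u in users]


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", connect_strings(["SYS", "SCOTT"], fixed))
```

With `fixed=False` both threads report `None/aaaaaaa@db.example:1521/ORCL`, which is why every captured salt belonged to a non-existent user; with `fixed=True` each thread connects as the user it was handed.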
quentinhardy commented 8 years ago

Thank you Meatballs1. Bug fixed in last commit (493035261bf44f373849f146c8a8ccad6cf85b1c).

Meatballs1 commented 8 years ago

Awesome thanks :)