quentinhardy / odat

ODAT: Oracle Database Attacking Tool

passwordguesser: accounts.txt to lower case #46

Closed kazkansouh closed 4 years ago

kazkansouh commented 4 years ago

Hello,

I've just been trying the tool and noticed the text in the default accounts.txt file is uppercase. It seems to me that it would make sense to translate it to lowercase as it's more likely to be successful.

I am not very experienced with Oracle, or its history, so maybe there is a good reason for having this uppercase. However, after looking into it I see the following two arguments for making it lowercase:

  1. Versions before 11 were case insensitive, so it should not affect old versions (which I think most of these credentials relate to).

  2. In a modern version (I've tested with an XE version), when an account is unlocked the user needs to enter a password. In these cases, if the DBA is lazy enough to use a historic default, then I suspect it will be entered in lowercase :wink:

Possibly, if there is a reason to have uppercase passwords, maybe the file should contain both upper and lowercase variants?

Finally, after running a quick curl/grep/sed over cirt.net's Oracle default passwords the following entries (case-sensitive) are not included in the accounts.txt file. It might be worth adding them:

ADMIN/WELCOME
ADMIN/JETSPEED
APPLSYS/FND
APPLSYSPUB/FNDPUB
AURORA$JIS$UTILITY$/
OLAPSVR/INSTANCE
OLAPSYS/MANAGER
PORTAL30/PORTAL31
QS_CBADM/QS_CBADM
QS_CS/QS_CS
VIDEOUSER/VIDEO USER
CTXSYS/
REP_OWNER/DEMO
SYSMAN/OEM_TEMP
ADMINISTRATOR/admin
APPUSER/APPUSER
MDDEMO_MGR/MGR
SYS/D_SYSPW
SYSTEM/D_SYSTPW
internal/oracle
scott/tiger
scott/tigger
system/manager
demo/demo
oracle/oracle
sys/sys
admin/welcome
bpel/bpel
system/password

quentinhardy commented 4 years ago

Hello,

Credentials are in upper case in accounts.txt because (most of) the default credentials are defined in upper case (e.g. http://www.vulnerabilityassessment.co.uk/default_oracle_passwords.htm, https://www.orafaq.com/wiki/List_of_default_database_users).

About credentials in lower case, you can use another credential file with both lower and upper case passwords. Notice usernames are not case sensitive in Oracle Database.

However, I have implemented a new option in odat: --both-ul (https://github.com/quentinhardy/odat/commit/b25fccc069ced132e35908f36688c6d6b2632e0a). Thanks to this option, Odat will load credentials from your text file(s) and it will load the password in lower case and upper case for each username if it is not done in your text file.

Notice the database can have an account lock policy enabled. So if you try too many passwords for an account, you can lock the account. Consequently, by default, Odat uses the accounts.txt file only. Not all possible credentials are in this file.

If you want to try all possible passwords, you can use the following command for example:

python3 ./odat.py all -s $IP -d $SID -vv --both-ul --login-as-pwd --accounts-file ./accounts/accounts_multiple.txt

About your credentials, I have appended some of them in ./accounts/accounts_multiple.txt. Other accounts were in this file already.

kazkansouh commented 4 years ago

Thanks for the reply, the links are interesting. Also, the option looks like it will be useful and save some time changing lists about :smile: Although, I wonder if this should be the default behaviour (at least when using the accounts.txt file, see analysis below).

That said, it's probably worth noting that Metasploit ships with a lower case variant of the list: https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/oracle_default_userpass.txt

Moreover, I've tried digging into some of the default hashes stored on a lab'ed 11G DB; it shows that trying both upper and lower cases is the best solution. See below.

Experiment

A few days ago I was playing around in some depth with Oracle; below are some outputs of my notes. The following shows extracting and cracking default hashes from an Oracle DB: first the legacy (case-insensitive) hashes, and secondly the 11G (case-sensitive) password hashes from the same DB.

First, when checking the legacy hashes:

SQL> SELECT CONCAT(CONCAT(name,':'),password) FROM sys.user$ WHERE password <> 'x';

CONCAT(CONCAT(NAME,':'),PASSWORD)
-------------------------------------------------------------
SYS:FBA343E7D6C8BC9D
SYSTEM:B5073FE1DE351687
OUTLN:4A3BA55E08595C81
DIP:CE4A36B8E06CA59C
ORACLE_OCM:5A2E026A9157958C
DBSNMP:E066D214D5421CCC
APPQOSSYS:519D632B7EE7F63A
CTXSYS:D1D21CA56994CAB6
XDB:E76A6BD999EF9FF1
ANONYMOUS:anonymous
XS$NULL:DC4FCC8CB69A6733
MDSYS:72979A94BAD2AF80
HR:4C6D73C3E8B0F0DA
FLOWS_FILES:30128982EA6D4A3D
APEX_PUBLIC_USER:4432BA224E12410A
APEX_040000:E7CE9863D7EEB0A4

The pass-up list is just the uppercase passwords from accounts.txt.

$ john --wo=pass-up --format=oracle  oracle.hash
Loaded 16 password hashes with 16 different salts (oracle, Oracle 10 [DES 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
HR               (HR)
DIP              (DIP)
ORACLE           (XDB)
MDSYS            (MDSYS)
OUTLN            (OUTLN)
ORACLE           (CTXSYS)
DBSNMP           (DBSNMP)

And then, with the modern hashes (in the same DB):

SQL> SELECT CONCAT(CONCAT(name,':'),spare4) FROM sys.user$ WHERE password <> 'x';

CONCAT(CONCAT(NAME,':'),SPARE4)
--------------------------------------------------------------------------------
SYS:S:9665BEDD55BCDB06121B34917713A19F7C3AC2F34554781395D2560B1D1D
SYSTEM:S:486D06A8C62E20F7BDE616E55889CD0A68AB8E6C7FCB86D16CB576441467
OUTLN:S:142AD444D8A63983FF69C77DBFD3E60947C14237AEC71031E24F5228D44C
DIP:S:1E4C37D0E8DC2E556D3C02A961ACEF1500B315D076BE13E578D1A28FC757
ORACLE_OCM:S:1575D1C89A1AACFE161ED788D2DC59CF6C57AE3B6CCC341D831AAF5BC447
DBSNMP:S:59354E99120C523F77232A8CCFDE5E780591FCE14109EEE2C86F4A9B4E8F
APPQOSSYS:S:4237CCB702887B049107EE6D13C312123F40E3F51208B2B70D6DA92E621D
CTXSYS:S:3548FDA49F84F2F7ECE4635BA0FD714EC2446723074ED6167F1CD9B6EDFB
XDB:S:88D6BE2B593143BD5AE5185C564826F9213E71361230D3360E36C3FF55D2
ANONYMOUS:
XS$NULL:S:6C4F97FF654AE30BCD9BDBB3007EF952B5943F0A9ED491455E9FB185D8A1
MDSYS:S:F337C5D6300E3F8CDEDE0F2B2336415EAAE098A700A35E6731BF1370657E
HR:S:F437C1647EBCEB1D1FB4BB3D866953B4BF612B343944B899E061B361F31B
FLOWS_FILES:S:A3657555975A9F7527C4B97637734D74465C592B9D231CA3DAB100ED5865
APEX_PUBLIC_USER:S:E8D8CCD600CBCEA08ACB158A502C5DA711B00146404621BB2F83E8997246
APEX_040000:S:03D9B47D20C9A9EC3023177D80C0EE2D1DCEDA619215C2405177CEFFEE76

Again, the result of cracking them:

$ john --wo=pass-up --format=oracle11  oracle-11g.hash 
Loaded 16 password hashes with 16 different salts (oracle11, Oracle 11g [SHA1 256/256 AVX2 8x])
HR               (HR)
MDSYS            (MDSYS)

$ john --wo=pass-lo --format=oracle11  oracle-11g.hash 
Loaded 16 password hashes with 16 different salts (oracle11, Oracle 11g [SHA1 256/256 AVX2 8x])
dbsnmp           (DBSNMP)
dip              (DIP)
oracle           (CTXSYS)
oracle           (XDB)
outln            (OUTLN)

Conclusion

Thus, it looks like the default accounts (even though they are locked and expired) are configured with credentials. Further, it looks like for legacy/case-insensitive systems it should not matter which case is used, but they are stored as upper case, which is no doubt the reason many of the password lists use uppercase. Whereas for systems that use modern hashing it could be either the upper or lower case that is hashed. So, at least from this DB (an 11G XE) that I looked at, it makes sense to try the lowercase variant of the password first, then upper case if that fails.

Although, to enable these accounts it's necessary to unlock them and then set the password. My gut instinct is that if someone is going to unlock and then explicitly set the account with a default password, they are probably going to use the lower case variant.

I should say my experience of Oracle DBs is fairly limited and I have not really checked this on various different Oracle DBs, so I might have got completely the wrong idea. Nonetheless, I hope these details are of some use.
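
The experiment above rests on two facts: usernames compare case-insensitively while 11g-style passwords do not, and the stored spare4 value is what a DBA can audit locally. The following is an added example (not code from the odat project or from either participant) that shows both points in one place: it parses 'S:' entries from sys.user$.spare4, checks a candidate password against them, and expands each default password into lower and upper case the way the --both-ul option is described as doing. It assumes the 11g layout that john's oracle11 format consumes, SHA-1(password || salt) followed by a 10-byte salt, both hex-encoded; the ';'-separated section handling and every sample hash are constructed here, not taken from a real database.

```python
"""Audit Oracle 11g-style spare4 hashes against default credentials in both letter cases.

Added example for this thread, not part of odat. Layout assumption: the 'S:'
section of sys.user$.spare4 is hex(SHA-1(password || salt)) followed by
hex(salt) with a 10-byte salt, i.e. what john's oracle11 format parses.
"""
import hashlib
import os

SALT_LEN = 10  # bytes of salt appended to the SHA-1 input (assumed 11g layout)


def parse_spare4(spare4):
    """Split the 'S:' section of a spare4 value into (sha1_digest, salt) bytes.

    Returns None for empty values (ANONYMOUS in the thread has none) or an
    unexpected layout. Values with ';'-separated sections are handled on the
    assumption that only the 'S:' part is relevant here.
    """
    for section in spare4.split(";"):
        if section.startswith("S:"):
            body = section[2:]
            if len(body) != 2 * (20 + SALT_LEN):
                return None
            return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])
    return None


def verify(spare4, password):
    """True when SHA-1(password || salt) equals the stored digest. Case matters."""
    parsed = parse_spare4(spare4)
    if parsed is None:
        return False
    digest, salt = parsed
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def make_spare4(password, salt=None):
    """Build a spare4-style value; used only to construct sample data below."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def case_variants(password):
    """Lower-case, upper-case and as-given forms, deduplicated, in the order
    the thread suggests (lower first, then upper), mirroring --both-ul."""
    out = []
    for variant in (password.lower(), password.upper(), password):
        if variant not in out:
            out.append(variant)
    return out


def audit(users, defaults):
    """users: {NAME: spare4}; defaults: [(user, password), ...].

    Returns {NAME: variant_that_matched}. Usernames are compared
    case-insensitively, as noted in the thread; passwords are not.
    """
    found = {}
    for name, spare4 in users.items():
        for d_user, d_pass in defaults:
            if d_user.upper() != name.upper():
                continue
            hit = next((v for v in case_variants(d_pass) if verify(spare4, v)), None)
            if hit is not None:
                found[name] = hit
                break
    return found


# Constructed sample data with fixed salts so results are reproducible; these
# are not hashes from any real database.
SAMPLE_USERS = {
    "HR": make_spare4("HR", bytes(range(10))),              # password stored in upper case
    "DBSNMP": make_spare4("dbsnmp", bytes(range(10, 20))),  # password stored in lower case
    "ANONYMOUS": "",                                        # no password hash at all
}
DEFAULTS = [("hr", "hr"), ("dbsnmp", "dbsnmp"), ("anonymous", "anonymous")]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, DEFAULTS))
```

Running the script reports HR matched only by the upper-case variant and DBSNMP only by the lower-case one, which is exactly the split the two john runs above show and why a single-case list misses half of the accounts. If the layout assumption holds, `verify` applied to the real spare4 values quoted earlier in the thread should agree with john's results for the same candidate passwords.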

quentinhardy commented 4 years ago

You are right.

Thank you for the improvement.

All account files are in lower case now. So passwords will be tested in lower case by default now. With "--both-ul", accounts can be tested in upper case too. The modification is done here: https://github.com/quentinhardy/odat/commit/cbdbff7b2120f85ea1600b7c9ca83bce6d302fd7

kazkansouh commented 4 years ago

It looks good!

Thank you for making this change.