Skip to content
ODAT: Oracle Database Attacking Tool
Branch: master
Clone or download
quentinhardy Merge pull request #29 from phra/patch-1
chore: fix typo in README.md
Latest commit b94ca12 Oct 31, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Docker Bug fix May 2, 2018
accounts New trivial credentials in accounts Dec 11, 2017
docs @ 402d044
pictures
.gitignore
.gitmodules Add the wiki https://github.com/quentinhardy/odat.wiki.git in the repo Mar 25, 2016
CVE_2012_3137.py
CVE_XXXX_YYYY.py New module ('cve') for exploiting CVE. CVE-2012-3137 only today. Mar 3, 2016
Constants.py
Ctxsys.py First Commit: Project ODAT Jun 25, 2014
DbmsAdvisor.py
DbmsLob.py
DbmsScheduler.py Modification of the reverse shell cmd executed on the target because … Mar 11, 2016
DbmsXslprocessor.py First Commit: Project ODAT Jun 25, 2014
DirectoryManagement.py
ExternalTable.py Catch an Oracle error Jul 4, 2016
Http.py
HttpUriType.py
Info.py
Java.py
LICENSE Initial commit Feb 28, 2014
OracleDatabase.py
Oradbg.py
Output.py
PasswordGuesser.py Bug fix: some creds could not be detected in passwordguesser (SYSDBA … May 30, 2018
Passwords.py Print 10g hashes password for john the ripper Jun 27, 2018
PrivilegeEscalation.py
README.md chore: fix typo in README.md Oct 9, 2018
SIDGuesser.py Bug fix Jan 18, 2018
SMB.py
Search.py option for desc each tables and --without-example option Jun 28, 2018
TODO.txt Additional SMB Auth method with TNS set_log Mar 16, 2016
Tnscmd.py
Tnspoison.py Bug fix: false positive in tnspoison May 2, 2018
Unwrapper.py New option '--object-type' for searching on object type also Mar 23, 2016
UsernameLikePassword.py
Utils.py Print credentials found with \n May 25, 2016
UtlFile.py
UtlHttp.py Bug fix when you want to scan only one port in http oralce modules. T… Nov 28, 2015
UtlTcp.py
createALinuxBinary.sh New deps for binary Apr 12, 2017
odat-libc2.19-x86_64.spec
odat.py
progressbar.py Bug fix when you want to scan only one port in http oralce modules. T… Nov 28, 2015
sids.txt New SID Apr 28, 2017
testAllOdatModules.sh
texttable.py Improvements Mar 17, 2015

README.md

Quentin HARDY
quentin.hardy@protonmail.com
quentin.hardy@bt.com

ODAT

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
  • You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g and 12c.

ODAT linux standalone version at https://github.com/quentinhardy/odat/releases/. Notice it is recommended to use the development version (git clone). (Deprecated at this time)

Changelog

  • Version 2.3.1 (10/08/2018):
  • Version 2.3 (06/03/2018):
    • Bug fixes:
      • Some database credentials could not be detected in passwordguesser module (when it tries to connect as SYSDBA/SYSOPER before). Important bug fix!
      • PPoutput missing in smb module (thx to dirkjanm)
      • False positive in tnspoison module
      • Sometimes, impossible to get version from VSNNUM
    • Improvements:
      • Performence improvements when you bruteforce accounts.
      • Option for connection with a TNS Connection String
      • New trivial credentials in accounts file
      • Better read file method in dbmsLob module (thx to omair2084)
  • Version 2.2.1 (12/04/2017):
    • Bug fixes:
      • Version in tnscmd (info)
      • External module (Catch an Oracle error)
      • Catch error when "connection to server failed"
      • Tnscmd: "The server SID must be given with the '-d SID' option
      • TypeError Bug Fix in tnspoison module
      • TNS poisoning module when port!=1521 (Integer bug)
    • Improvements:
      • New SIDs
  • Version 2.2 (25/03/2016):
    • A new module (tnspoison) for exploiting the TNS listener poisoning attack (CVE-2012-1675). Big thanks to Joxean Koret and donctl.
    • Some bug fixes
    • Better help menu
    • WIKI pages in the ODAT repository
  • Version 2.1 (04/03/2016) :
    • A new module (cve) for exploiting some CVE (Common Vulnerabilities and Exposures). CVE-2012-3137 (perhaps this number, I'm not sure...) implemented at the moment: A user authenticated can modify all tables who can select even if he can't modify them normally (no ALTER privilege).
    • new option (--accounts-files) for remote authentication attack which uses 2 distinct files: a login list and password list.
    • Print 10g passwords for oclHashcat compatibility.
    • bug fixes (listening with nc).
  • Version 2.0 (21/02/2016) :
    • A new module (privesc) for using system privileges of an Oracle user (e.g. CREATE ANY PROCEDURE) in order to gain privileged access (i.e. DBA). System privileges that can be used by ODAT in this version:
      • CREATE ANY PROCEDURE: execution of arbitrary requests with APEX_040200's privileges (e.g. modification of Oracle users' passwords)
      • CREATE PROCEDURE and EXECUTE ANY PROCEDURE: execution of arbitrary requests as SYS (e.g. gives DBA role to a user)
      • CREATE ANY TRIGER (and CREATE PROCEDURE): execution of arbitrary requests as SYS (e.g. gives DBA role to a user)
      • ANALYZE ANY (and CREATE PROCEDURE): execution of arbitrary requests as SYS (e.g. gives DBA role to a user)
      • CREATE ANY INDEX (and CREATE PROCEDURE): execution of arbitrary requests as SYS (e.g. gives DBA role to a user)
    • The module privesc can be used to get all system privileges and roles granted. It shows system privileges that can be used to gain privileged access.
    • new option (-vvv) for showing SQL requests sent by ODAT in debugs
    • standalone version moved to releases (https://github.com/quentinhardy/odat/releases/)
  • Version 1.6 (14/07/2015) :
    • new feature to detect if a target is vulnerable to TNS poisoning (CVE-2012-1675)
    • new module named unwrapper to unwrap PL/SQL source code wrapped, from a file or a remote database
    • some improvements done
  • Version 1.5 (17/03/2015) :
    • new module named search in order to search in column names
    • some improvements done (ex: output of tables)
    • new option : output encoding
  • Version 1.4 (07/12/2014) :
    • fix some false positives
    • improve the CVE-2012-3137 module: check more easily if the vulnerability can be exploited
  • Version 1.3 (07/10/2014) :
    • add the -C option in the all module. This module can be used to use file which contains credentials (disable the -U and -P option)
    • add the tnscmd module to get TNS alias, database version (thanks to VSNNUM) and TNS status
    • bug fix: name server can be given to the -s option
  • Version 1.2 (08/08/2014) :
    • add the SMB module to capture a SMB authentication
    • add an option (SHOW_SQL_REQUESTS_IN_VERBOSE_MODE) in Constants.py to show SQL requests sent to the database server
  • Version 1.1 (28/07/2014) :
    • add the DBMS_LOB module useful in order to download files stored on a remote server through Oracle Database.
    • bug fix: java source code: "getenv no longer supported, use properties and -D instead"
  • Version 1.0 (26/06/2014) :
    • first ODAT version.

Features

Thanks to ODAT, you can:

  • search valid SID on a remote Oracle Database listener via:
    • a dictionary attack
    • a brute force attack
    • ALIAS of the listener
  • search Oracle accounts using:
    • a dictionary attack
    • each Oracle user like the password (need an account before to use this attack)
  • execute system commands on the database server using:
    • DBMS_SCHEDULER
    • JAVA
    • external tables
    • oradbg
  • download files stored on the database server using:
    • UTL_FILE
    • external tables
    • CTXSYS
    • DBMS_LOB
  • upload files on the database server using:
    • UTL_FILE
    • DBMS_XSLPROCESSOR
    • DBMS_ADVISOR
  • delete files using:
    • UTL_FILE
  • gain privileged access using these following system privileges combinations (see help for privesc module commands): (NEW : 2016/02/21)
    • CREATE ANY PROCEDURE
    • CREATE PROCEDURE and EXECUTE ANY PROCEDURE
    • CREATE ANY TRIGER (and CREATE PROCEDURE)
    • ANALYZE ANY (and CREATE PROCEDURE)
    • CREATE ANY INDEX (and CREATE PROCEDURE)
  • send/reveive HTTP requests from the database server using:
    • UTL_HTTP
    • HttpUriType
  • scan ports of the local server or a remote server using:
    • UTL_HTTP
    • HttpUriType
    • UTL_TCP
  • capture a SMB authentication through:
    • an index in order trigger a SMB connection
  • exploit some CVE:
    • the CVE-2012-3137
      • pickup the session key and salt for arbitrary users
      • attack by dictionary on sessions
    • the CVE-2012-????: A user authenticated can modify all tables who can select even if he can't modify them normally (no ALTER privilege).
    • the CVE-2012-1675 (aka TNS poisoning attack) (NEW : 25/03/2016)
  • search in column names thanks to the search module:
    • search a pattern (ex: password) in column names
  • unwrap PL/SQL source code (10g/11g and 12c)
  • get system privileges and roles granted. It is possible to get privileges and roles of roles granted also (NEW : 21/02/2016)

Alt text

Supported Platforms and dependencies

ODAT is compatible with Linux only.

Standalone versions exist in order to don't have need to install dependencies and slqplus (see https://github.com/quentinhardy/odat/releases/). The ODAT standalone has been generated thanks to pyinstaller.

If you want to have the development version installed on your computer, these following tools and dependencies are needed:

  • Langage: Python 2.7
  • Oracle dependancies:
    • Instant Oracle basic
    • Instant Oracle sdk
  • Python libraries:
    • cx_Oracle
    • passlib
    • pycrypto
    • python-scapy
    • colorlog (recommended)
    • termcolor (recommended)
    • argcomplete (recommended)
    • pyinstaller (recommended)

Installation (optional, for development version)

This part describes how to install instantclient, CX_Oracle and some others python libraries on Ubuntu in order to have the ODAT development version. Don't forget that an ODAT standalone version exists at https://github.com/quentinhardy/odat/releases/: It is not required to install something for use the standalone version

  • Clone the repository to get the ODAT source code:
git clone https://github.com/quentinhardy/odat.git
  • Update wiki pages in this repository for getting the ODAT documentation locally:
cd odat/
git submodule init
git submodule update
sudo apt-get install libaio1 python-dev alien python-pip
  • Generate DEB files from RPM files thanks to :
sudo alien --to-deb oracle-instantclient11.2-basic-???.x???.rpm
sudo alien --to-deb oracle-instantclient11.2-sqlplus-???.x???.rpm
sudo alien --to-deb oracle-instantclient11.2-devel-???.x???.rpm
  • Install instant client basic, sdk and sqlplus:
sudo dpkg -i oracle-instantclient11.2-basic-???.x???.deb
sudo dpkg -i oracle-instantclient11.2-sqlplus-???.x???.deb
sudo dpkg -i oracle-instantclient11.2-devel_???_???.deb
  • Put these lines in your /etc/profile file in order to define Oracle env variables:
export ORACLE_HOME=/usr/lib/oracle/11.2/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH
  • Restart your session (to apply env variables) and run sqlplus:
sqlplus

If nor error: good job, Continue...

  • Create a symlink to your so file.
cd $ORACLE_HOME/lib/
sudo ln -s libclntsh.so.11.1   libclntsh.so
  • Create the /etc/ld.so.conf.d/oracle.conf file and add the path to Oracle home:
/usr/lib/oracle/11.2/client64/lib/
  • Update the ldpath using:
sudo ldconfig
  • Install CX_Oracle
sudo -s
source /etc/profile
pip install cx_Oracle
  • Test if all is good:
python -c 'import cx_Oracle' 

This command should just return without errors.

  • Install some python libraries:
sudo apt-get install python-scapy
sudo pip install colorlog termcolor pycrypto passlib
sudo pip install argcomplete && sudo activate-global-python-argcomplete
python setup.py install
  • Run ODAT:
./odat.py -h

Good job if you have not errors:)

Docs and examples

Docs and examples are on the WIKI

Donation

If you want to support my work doing a donation, I will appreciate a lot:

  • Via BTC: 36FugL6SnFrFfbVXRPcJATK9GsXEY6mJbf
You can’t perform that action at this time.