Saturday, August 24, 2013

How to get Oracle support in Metasploit working in Kali Linux.

Getting Oracle support working in Metasploit can be a complete pain. There are a lot of little things: some blogs have it right, some are missing a step or two, and some are just outdated. I couldn't find any information that gave me the complete answer, but once I finally figured it out and tested it, the setup was quite painless. When it doesn't work, the image below is the error you see, and even the link shown in the error is outdated. * It's important to point out that the module I'm using in these examples is auxiliary/admin/oracle/oracle_login, not the ones in the scanner directory.


From here you need a few things. Head over to the following sites and grab these files. On Oracle's site you need to make an account; don't worry, 10 minute mail works for that. Make sure you get the 32 or 64 bit build that matches your system:

http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html
  • basic-10.2.0.5.0-linux.zip 
  • sdk-10.2.0.5.0-linux.zip
  • sqlplus-10.2.0.5.0-linux.zip




Next, head over to RubyForge and get the latest version of the ruby-oci8 file. I used 2.1.5; if you deviate from that, you are on your own.

http://rubyforge.org/frs/download.php/76831/ruby-oci8-2.1.5.tar.gz *
* RubyForge is no more, as pointed out in the comments; please grab the correct version via Google or from
https://github.com/kubo/ruby-oci8/releases/tag/ruby-oci8-2.1.5


Make a directory in your /opt folder called oracle, put all the downloaded files in it, unzip them all, and then follow the steps below for the ruby-oci8 file.



By simply typing:
  • cd /opt/
  • mkdir oracle
  • cd oracle/
  • unzip basic-10.2.0.5.0-linux.zip
  • unzip sdk-10.2.0.5.0-linux.zip
  • unzip sqlplus-10.2.0.5.0-linux.zip
  • mv ruby-oci8-2.1.5.tar.gz instantclient_10_2/
  • cd instantclient_10_2/
  • ln -s libclntsh.so.10.1 libclntsh.so  (if you don't do this you'll get an error)
  • tar -zxvf ruby-oci8-2.1.5.tar.gz

Now that that part is done, let's add some paths to our .bashrc file. Note the single quotes on the PATH line: with double quotes the shell expands $PATH at the moment you run the echo, so .bashrc ends up with a fixed copy of today's PATH instead of appending to whatever PATH is when the file is read.
  • echo 'export PATH=$PATH:/opt/oracle/instantclient_10_2' >> /root/.bashrc
  • echo "export SQLPATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export TNS_ADMIN=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export ORACLE_HOME=/opt/oracle/instantclient_10_2" >> /root/.bashrc

Also, I have always gotten an error about LD_LIBRARY_PATH when running the ruby setup (the .bashrc lines only take effect in a new shell), so export it again in the current shell before running setup.rb, like below:
  • export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
  • cd ruby-oci8-2.1.5/
  • ruby setup.rb config  *** see the update below if this errors out.
  • ruby setup.rb setup
  • ruby setup.rb install




Make sure you restart Metasploit and give it a try. If all works as it should, you should now be able to test Oracle with Metasploit. You can test against 127.0.0.1 just to verify everything is working; you don't need to have Oracle running to verify that the module loads.
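As an added example (not from the original post), here are shell helpers that reproduce the symlink and .bashrc steps above with a check attached. The function names, the directory argument and its default path are this example's assumptions; the PATH line is written with a literal $PATH rather than the double-quoted echo, which is the quoting difference that bites people.

```shell
# Added example, not from the original post: helpers that emit the .bashrc export
# lines from the walkthrough, create the libclntsh.so symlink the ruby-oci8 build
# needs, and check that a profile file really carries every export. The Instant
# Client directory is a parameter so the checks can run against a constructed one.

# Print the five export lines. PATH gets a literal $PATH so it is expanded each
# time .bashrc is read; the double-quoted echo in the walkthrough bakes in the
# PATH of the shell that ran it instead.
oracle_env_lines() {
    ic="${1:-/opt/oracle/instantclient_10_2}"
    printf '%s\n' \
        "export PATH=\$PATH:$ic" \
        "export SQLPATH=$ic" \
        "export TNS_ADMIN=$ic" \
        "export LD_LIBRARY_PATH=$ic" \
        "export ORACLE_HOME=$ic"
}

# Create libclntsh.so -> libclntsh.so.10.1 if it is missing (the step the
# walkthrough warns about). Returns 1 when the versioned library itself is absent.
ensure_clntsh_link() {
    ic="${1:-/opt/oracle/instantclient_10_2}"
    [ -f "$ic/libclntsh.so.10.1" ] || return 1
    [ -e "$ic/libclntsh.so" ] || ln -s libclntsh.so.10.1 "$ic/libclntsh.so"
    [ -L "$ic/libclntsh.so" ]
}

# Verify profile file $1 carries each export for Instant Client dir $2, and that
# the PATH line still references $PATH rather than a baked-in value.
check_env_file() {
    f="$1"; ic="${2:-/opt/oracle/instantclient_10_2}"
    for v in SQLPATH TNS_ADMIN LD_LIBRARY_PATH ORACLE_HOME; do
        grep -q "^export $v=$ic\$" "$f" || return 1
    done
    grep -q "^export PATH=\\\$PATH:$ic\$" "$f"
}
```

Run `ensure_clntsh_link && oracle_env_lines >> /root/.bashrc` on the real box, then `check_env_file /root/.bashrc` to confirm the file before opening a new shell.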



That's it good luck, and enjoy!

As pointed out in the comment below you may also wish to check with the auxiliary/admin/oracle/oracle_sql module, to verify full functionality. Thanks CG!

*****UPDATE*****
Some distros such as Kali 1.08 may need the Ruby dev modules installed before running the ruby setup.rb command. Simply run apt-get install ruby-dev before you run it. Thanks to Jagar for pointing out this issue.

Tuesday, April 30, 2013

Your Neighborhood Online, Good or Bad Idea?


I ran across this site Nextdoor.com, it is another social media site with one difference. “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and started to think, this sounds like a terrible idea.

However, in my opinion this starts to go wrong very fast. A quick Google search for site:nextdoor.com already produces some interesting results. The first and second pages return neighborhoods such as West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links takes you to a login page where you can get a little more information about the neighborhood, such as the city, state and an outlined map of the neighborhood.


Figure 1

Okay, so what's the risk? First, the "bad guys" already know the city, state and the neighborhood. Another quick Google search turns up an invite page where you enter your address, and thanks to the mini map and some more Googling it is easy to find an address within the outline.
  

Figure 2


The next step is an address verification page. The site requires either a credit card for checking the billing address, a mobile number they can call or they can send you a postcard in the mail. I won’t get into the other worries that some of those options might cause, but it looks like they are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?

What if someone simply gets into a valid account? (We don't care about how at this moment; it happens every day to many sites.) Could an attacker use any of the data or information to their advantage? The demo site shows us that there is a lot of information ripe for the picking.

The site is a standard social media site. You have maps, an inbox, events and a neighbors button; the exception here is that the site really wants your physical data as well, and it becomes a data gatherer's dream. Clicking on a user shows some useful information; obviously it is up to the user what to display. With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access to other accounts via password resets or challenge questions like "what is your dog's name" or "what is your oldest child's name".

Figure 3

As we go deeper into the site we start to see more information that could be valuable or even deadly. The personal risk you accept is huge; one of the best things about the internet is if you’re careful someone finding you in the real world is a little bit challenging.   

Figure 4


This example on the demo site shows a user asking for a babysitter from 4-10 pm, and other users posting phone numbers of great babysitters. This of course is incredibly helpful for the person needing the sitter. But what does it tell the bad guys? Mom or Dad won't be home from 4-10, the name and number of the babysitter, and the kids are most likely older, between the ages of 7-12. That information could be valuable to any person who wants to use it to their advantage. Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to?

It is your job to decide if this information is secure and okay to display to the public. No matter what claims of privacy there are, assume someone you don't want seeing this information will see it. Above all else protect your family and yourself, and maybe, just maybe, actually go outside and talk to your neighbors. Finally, another important item to consider when signing up for this type of site is: do they care about security? Looking at their current job postings, they are hiring a lot of developers, and none of the requirements in any of those postings mention "secure coding practices". Hopefully that is asked during the interview process.

Thursday, February 28, 2013

Gather Sploits: Necessity is the mother of Invention


Ever run into a test where you port scan and you just cannot remember what those ports are, or whether there are any vulnerabilities connected to them? Normally I would just take the port and do a search on Exploit-db.com. However, I found myself doing that a lot on this last test; there were lots of weird ports. I started by writing a page scraper for Exploit-DB that took just a list of ports; it was a little slow. I added functionality to search the Exploit-DB CSV file that ships in BackTrack, or, if you have the file, you can just point the script at it. I quickly became annoyed with having to take the ports from my Nmap results, put them into a text file and then run my script. I then found out there is an API for Exploit-DB, so it was back to the drawing board, and at the end of the day the Gather Sploits script was born.

The script simply parses an Nmap XML file, grabs the host, ports and OS, and runs them through either the Exploit-DB online search or the local CSV if specified. There are some requirements though: you will need a Shodan API key (instructions at http://docs.shodanhq.com/), and you will also need the Shodan Python libraries, which you can get at https://github.com/achillean/shodan-python. Finally, you will need the code at the end of this article and Python 2.7.

If the Nmap XML has operating system (OS) detection in it, the script limits the port findings to that OS along with the exploits that are for multiple OSes. You can specify an OS or force all results. This script produces a lot of data; you have been warned.

Usage is simple


Results are plenty

Code below: