Saturday, August 24, 2013

How to get Oracle support in Metasploit working in Kali Linux.

Getting Oracle support in Metasploit working can be a complete pain. There are a lot of little things: some blogs have them right, some are missing a step or two, and some are just outdated. I couldn't find any information that gave me the complete answers; when I finally figured it out and tested it, the setup was quite painless. When it doesn't work, the image below is the error you see, and even the link shown in the error is outdated. * It's important to point out that the module I'm using in these examples is auxiliary/admin/oracle/oracle_login, not the ones in the scanner directory.


From here you need a few things. Head over to the following sites and grab these files. On Oracle you need to make an account; don't worry, 10 minute mail works for that (make sure you get the 32- or 64-bit version that matches your system):

http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html
  • basic-10.2.0.5.0-linux.zip 
  • sdk-10.2.0.5.0-linux.zip
  • sqlplus-10.2.0.5.0-linux.zip




Next, head over to Rubyforge and get the latest version of the oci-8 file. I used 2.1.5; if you deviate from that, you are on your own.

http://rubyforge.org/frs/download.php/76831/ruby-oci8-2.1.5.tar.gz
* Rubyforge is no more, as pointed out in the comments; please grab the correct version via Google or
https://github.com/kubo/ruby-oci8/releases/tag/ruby-oci8-2.1.5


Make a directory in your opt folder called oracle, put all the downloaded files in it, unzip them all, and follow the steps for the ruby-oci8 file.



By simply typing:
  • cd /opt/
  • mkdir oracle
  • cd oracle/
  • unzip basic-10.2.0.5.0-linux.zip 
  • unzip sdk-10.2.0.5.0-linux.zip
  • unzip sqlplus-10.2.0.5.0-linux.zip
  • mv ruby-oci8-2.1.5.tar.gz  instantclient_10_2/
  • cd instantclient_10_2/
  • ln -s libclntsh.so.10.1 libclntsh.so  (if you don’t do this you’ll get an error)
  • tar -zxvf ruby-oci8-2.1.5.tar.gz

Now that that part is done, let's add some paths to our .bashrc file.
  • echo 'export PATH=$PATH:/opt/oracle/instantclient_10_2' >> /root/.bashrc
  • echo "export SQLPATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export TNS_ADMIN=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2" >> /root/.bashrc
  • echo "export ORACLE_HOME=/opt/oracle/instantclient_10_2" >> /root/.bashrc

Also, I have always gotten an error on the LD_LIBRARY_PATH when I ran the ruby setup, so just do this again but define it like below:
  • export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
  • cd ruby-oci8-2.1.5/
  • ruby setup.rb config  (*** see update if this errors out)
  • ruby setup.rb setup
  • ruby setup.rb install




Make sure you restart Metasploit and give it a try. If all works like it should, you should now be able to test Oracle with Metasploit. You can test against 127.0.0.1 just to verify everything is working; you don't need to have Oracle running to verify it will work.
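A pre-flight check for the steps above, as an added example that is not part of the original post: it confirms the files from the unzip and ln -s steps exist, that the five exported variables point at the client directory, and that Ruby can load oci8. The function names are hypothetical, and it assumes the SDK zip unpacks its headers to sdk/include/ under the client directory.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check for the setup.
# Assumption: the client is in /opt/oracle/instantclient_10_2 unless another
# directory is passed after --check.

# Files the unzip and ln -s steps should have produced.
# Prints one line per problem; the return status is the number of problems.
check_instantclient() {
    ic_dir=$1; ic_bad=0
    for ic_f in libclntsh.so.10.1 libclntsh.so sqlplus sdk/include/oci.h; do
        # -e follows symlinks, so a dangling libclntsh.so link is caught too
        if [ ! -e "$ic_dir/$ic_f" ]; then
            echo "missing: $ic_dir/$ic_f"
            ic_bad=$((ic_bad + 1))
        fi
    done
    return "$ic_bad"
}

# Variables from the .bashrc lines that do not point at the client directory.
check_env() {
    ev_dir=$1; ev_bad=0
    for ev_name in PATH LD_LIBRARY_PATH SQLPATH TNS_ADMIN ORACLE_HOME; do
        eval "ev_val=\${$ev_name-}"    # indirect lookup of the fixed names above
        case $ev_name in
            PATH|LD_LIBRARY_PATH)      # colon-separated lists: test membership
                case ":$ev_val:" in *":$ev_dir:"*) continue ;; esac ;;
            *)  if [ "$ev_val" = "$ev_dir" ]; then continue; fi ;;
        esac
        echo "env: $ev_name does not point at $ev_dir"
        ev_bad=$((ev_bad + 1))
    done
    return "$ev_bad"
}

# Run both checks, then confirm the ruby-oci8 build is loadable by Ruby.
preflight() {
    pf_dir=${1:-/opt/oracle/instantclient_10_2}; pf_rc=0
    check_instantclient "$pf_dir" || pf_rc=1
    check_env "$pf_dir" || pf_rc=1
    ruby -e 'require "oci8"' 2>/dev/null || { echo "ruby: cannot load oci8"; pf_rc=1; }
    return "$pf_rc"
}

if [ "${1-}" = "--check" ]; then preflight "${2-}"; fi
```

Run it from a fresh root shell with --check so the .bashrc exports are in effect; any line it prints names the step to redo.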



That's it. Good luck, and enjoy!

As pointed out in the comment below you may also wish to check with the auxiliary/admin/oracle/oracle_sql module, to verify full functionality. Thanks CG!

*****UPDATE*****
Some distros such as Kali 1.08 may need the Ruby dev modules installed before running the ruby setup.rb command.  Simply do an apt-get install ruby-dev before you run it. Thanks to Jagar for pointing out this issue.

9 comments:

  1. that's actually a bad choice of modules to check with as I'm pretty sure it uses nmap oracle libs to perform the brute attack.

    a better one would be the oracle_sql
    use auxiliary/admin/oracle/oracle_sql

    as that will actually log in via sqlplus, run a command, and give you the output.

    1. I didn't see any references to that in the module. But I am not a Metasploit master and could have easily missed or not understood it fully. I have added some info to the blog. Thanks!

  2. if you check here
    https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/oracle/oracle_login.rb

    it doesn't call the oracle mixin.

    and you can see it setting up the nmap stuff, but agree the description should say something about using nmap. there is no way to know that unless you look at the code (which shouldn't be the case)

    1. In my example this is the module I am using: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/oracle/oracle_login.rb, which does have the include Oracle statement.

  3. ah yep, that's the old one, that one should use the oracle libs.

    1. It gets confusing with both in there, I usually end up using both.

  4. Thanks, works like a charm!

  5. Hi,

    as rubyforge.org is down since May 15, you may want to change the download path to the oci file: https://github.com/kubo/ruby-oci8/releases
