Metasploit-framework: Oracle 12+ Hash Dumping Not Handled

Created on 21 Jan 2019  ·  39 Comments  ·  Source: rapid7/metasploit-framework

According to https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/ Oracle 12c (or newer?) has a new/different hashing. Looks like the oracle_hashdump module only handles (gracefully) up to 11. I don't have an Oracle DB, unfortunately, so someone w/ access to one will need to work on this to upgrade the module.

bug

Most helpful comment

YOU said it. I can't tell you how long I've spent staring at Oracle configuration documentation, files and various errors.

Excuse me sir, do you have a few minutes to talk about Solaris?

All 39 comments

I have oracle db, will take a crack at adding support for 12c this week.

18c is the newest release. By the looks of it, 18c did not change the hashing that was originally released with 12c. Will test on both versions.

That would be amazing and very much appreciated!

@h00die Maybe you can point me in the right direction.

I've got everything all setup. But I'm having trouble just testing the module out-of-the-box. I'm getting ORA-01031: insufficient privileges upon trying to use oracle_hashdump.

I've tried granting sysdba privileges to my system user:

SQL> grant sysdba to system;
Grant succeeded.

No luck. Any insight?

msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options

Module options (auxiliary/scanner/oracle/oracle_hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DBPASS   mypass           yes       The password to authenticate with.
   DBUSER   system           yes       The username to authenticate with.
   RHOST    127.0.0.1        yes       The Oracle host.
   RHOSTS   127.0.0.1        yes       The target address range or CIDR identifier
   RPORT    1522             yes       The TNS port.
   SID      mypdb            yes       The sid to authenticate with.
   THREADS  1                yes       The number of concurrent threads

msf5 auxiliary(scanner/oracle/oracle_hashdump) > run

[*] ORA-01031: insufficient privileges
[-] An error occurred. The supplied credentials may not have proper privs
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I see your ninja edit. Off-by-one alignment. 7 character password. Was your password system1 ?

I see your ninja edit. Off-by-one alignment. 7 character password. Was your password system1 ?

xD

I added an extra space because the "Required" column was thrown off.
You guessed my pw!

You guessed my pw!

It was either that, or hunter2.

You guessed my pw!

It was either that, or hunter2.

I mean, hunter2 is pretty easy to remember...

not-so-ninja-edit: @bcoles help me solve my privs issue if you're bored!

not-so-ninja-edit: @bcoles help me solve my privs issue if you're bored!

I'm not bored, but this offers a distraction from reverse engineering terrible code. I don't have an Oracle test system built at the moment, and don't feel like setting one up, so you're probably on your own.

That said, this stands out as an obvious problem:

  def run_host(ip)

    # ... snip ...

    # Get the usernames and hashes for 8g-10g
    begin
      if is_11g==false
        query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
        results= prepare_exec(query)
        unless results.empty?
          results.each do |result|
            row= result.split(/,/)
            tbl << row
          end
        end
      # Get the usernames and hashes for 11g
      else
        query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
        results= prepare_exec(query)
        #print_status("Results: #{results.inspect}")
        unless results.empty?
          results.each do |result|
            row= result.split(/,/)
            next unless row.length == 2
            tbl << row
          end
        end

      end
    rescue => e
      print_error("An error occurred. The supplied credentials may not have proper privs")
      return
    end
    print_status("Hash table :\n #{tbl}")
    report_hashes(tbl, is_11g, ip, this_service)
  end

The module was written based on the flawed assumption that Oracle will never release a version after 11g. Therefore, any server that's not 11g will fall back to pre-11g code path.

I'd also recommend modifying the exception handling:

    rescue => e
      print_error("An error occurred. The supplied credentials may not have proper privs")
      return
    end

Some liberal use of puts e.message and puts e.backtrace will help.

TBH, I don't have an oracle box, and I dislike it as a database in general
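To make the version-branch problem concrete, here is an added example (not code from the issue or from the metasploit-framework project) that puts the module's `is_11g == false` fallback next to a version-aware column choice. The banner strings and the `oracle_major_version` / `hash_column_for` helpers are constructed for illustration; the real module's version detection is not shown on this page.

```ruby
# Constructed sample banners of the kind `SELECT banner FROM v$version` returns.
# These are illustrative strings, not output captured from the reporter's server.
SAMPLE_BANNERS = {
  '10g' => 'Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production',
  '11g' => 'Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production',
  '12c' => 'Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production',
  '18c' => 'Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production'
}.freeze

# Extract the major release number from a banner, or nil if it is not recognisable.
# (Hypothetical helper; the module's own detection logic is not on this page.)
def oracle_major_version(banner)
  m = banner.match(/Release\s+(\d+)\./)
  m ? m[1].to_i : nil
end

# The original module's branch, kept here to show the failure mode: anything
# that is not exactly 11g, including 12c and 18c, is treated as a pre-11g server
# and queried for the legacy `password` column instead of `spare4`.
def legacy_hash_column(major)
  is_11g = (major == 11)
  is_11g ? 'spare4' : 'password'
end

# Version-aware choice: 8g-10g keep the legacy column; 11g and everything newer
# store the S/H/T verifiers in spare4. An undetermined version raises instead of
# silently falling back, so a failed dump is reported as a detection problem
# rather than as "credentials may not have proper privs".
def hash_column_for(major)
  raise ArgumentError, 'could not determine Oracle release' if major.nil?
  major >= 11 ? 'spare4' : 'password'
end

# Build the dump query for a given major version. The NULL filter is applied to
# the column actually being selected, since on 12c the legacy `password` column
# can be empty for accounts that still have a spare4 verifier.
def hash_query_for(major)
  col = hash_column_for(major)
  "SELECT name, #{col} FROM sys.user$ WHERE #{col} IS NOT NULL AND name <> 'ANONYMOUS'"
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BANNERS.each do |label, banner|
    major = oracle_major_version(banner)
    puts "#{label}: legacy branch -> #{legacy_hash_column(major)}, fixed -> #{hash_column_for(major)}"
  end
end
```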

I'm not bored, but this offers a distraction from reverse engineering terrible code.
Glad to hear
The module was written based on the flawed assumption that Oracle will never release a version after 11g. Therefore, any server that's not 11g will fall back to pre-11g code path.

Ah, that should have been more obvious to me. That gives me enough direction to get this going. Thanks.

TBH, I don't have an oracle box, and I dislike it as a database in general

YOU said it. I can't tell you how long I've spent staring at Oracle configuration documentation, files and various errors.

That said, I really wish Instant Client was capable of hosting a database...

YOU said it. I can't tell you how long I've spent staring at Oracle configuration documentation, files and various errors.

Excuse me sir, do you have a few minutes to talk about Solaris?

oracle_hashdump for 12c seems to be working on my end. But I've reached a little hangup that stems from my lack of knowledge of how this module is supposed to work.

What I've got so far:

msf5 auxiliary(scanner/oracle/oracle_hashdump) > run

[*] Server is running 12c
[*] Hash table :
 Oracle Server Hashes
====================

 Username               Hash
 --------               ----
 APEX_040200            S:E0AF6767B5E288C8C242772738940C9BFC3BF1E5F62ABC2D020E689E333D;H:D61498485EC6A3F8BEDCC4E682935315;T:E79376A3FF0AEFB9C423B1E08943B4B433BDEACF9981892F4E8237893AEA551A1FE4BB3F869DC8B07F074A43AF5288A608DEE1E78EEDF006FD37300737A9D86DB2EB5C4B634DC2A822B50D4728430AE1
...
...
[+] Hash Table has been saved
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Looks good, I thought. Now I just need to verify that these creds are saved properly, and that my JTR can crack them.

So I took a long look at auxiliary/analyze/jtr_oracle_fast, and this is where I can use some direction.

How do I test this module? Is this where ./msfdb comes in?

On another note, rerun is such a useful msfconsole command.

Make sure you set jtr_format to oracle12c. You'll need a database connected, creds command will print out the entry. Then you can just use jtr_oracle_fast and it should find it and hopefully crack it if the password is easy. jtr_oracle_fast has docs, info -d should give you an example run through

Thanks for the pointers. I'm excited to wrap up this issue, but I'm having trouble amending this problem when trying to initialize msf database:

 $ ./msfdb init
Traceback (most recent call last):
        2: from ./msfdb:10:in `<main>'
        1: from /usr/share/rvm/rubies/ruby-2.6.1/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
/usr/share/rvm/rubies/ruby-2.6.1/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- rex/socket (LoadError)

It looks like it's looking for gems inside a ruby 2.6.0 directory that's contained in the ruby 2.6.1 directory.

Can you help me figure this one out? & thanks

EDIT:
Never mind. I had to manually install the gems rex-socket and rex-text to fix this issue. Now that the script can finally run, the db fails to start. I was just about to get into some ugly debugging steps, but thanks to the log file that was created, this line shows the culprit:
2019-02-28 19:47:44.953 STD [7104] FATAL: could not create lock file /var/run/postgresql/.s.PGSQL.5433.lock": Permission denied

Hopefully the next time I post here it'll be good news.

Some good progress. @h00die Your last reply was helpful.
Learned a lot about setting up environments and installing dependencies from scratch. Basically ran into every issue imaginable, but eventually got the MSF completely set up (special thanks to this tutorial).
After running hashdump, creds look good to me:

127.0.0.1  127.0.0.1  1522/tcp (oracle)  SCOTT                  S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699         Nonreplayable hash  oracle12c
...
...
...

But jtr_oracle_fast is not writing any files in my /tmp, although it signals "hashes written..."

msf5 auxiliary(analyze/jtr_oracle_fast) > rerun
[*] Reloading module...

[*] Wordlist file written out to /tmp/jtrtmp20190303-682-1cwq9t3
[*] Hashes Written out to /tmp/hashes_tmp20190303-682-qhuu84
[*] Cracking oracle hashes in normal wordlist mode...
Unknown option: "--nolog"
[*] Cracking oracle hashes in single mode...
Unknown option: "--nolog"
[*] Cracked passwords this run:
Unknown option: "--pot=/path/to/.msf4/john.pot"
[*] Hashes Written out to /tmp/hashes_tmp20190303-682-1l4ftpi
[*] Cracking dynamic_1506 hashes in normal wordlist mode...
Unknown option: "--nolog"
[*] Cracking dynamic_1506 hashes in single mode...
Unknown option: "--nolog"
[*] Cracked passwords this run:
Unknown option: "--pot=/path/to/.msf4/john.pot"
[*] Hashes Written out to /tmp/hashes_tmp20190303-682-x0t6h8
[*] Cracking oracle11 hashes in normal wordlist mode...
Unknown option: "--nolog"
[*] Cracking oracle11 hashes in single mode...
Unknown option: "--nolog"
[*] Cracked passwords this run:
Unknown option: "--pot=/path/to/.msf4/john.pot"
[*] Hashes Written out to /tmp/hashes_tmp20190303-682-5k18ya
[*] Cracking oracle12c hashes in normal wordlist mode...
Unknown option: "--nolog"
[*] Cracking oracle12c hashes in single mode...
Unknown option: "--nolog"
[*] Cracked passwords this run:
Unknown option: "--pot=/path/to/.msf4/john.pot"
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_oracle_fast) > ls /tmp
[*] exec: ls /tmp
ruby-build.20190224165259.7973
(+various other irrelevant tmp files)

Ideas?

@7043mcgeep The module makes use of Rex::Quickfile to write temporary files. This functionality deletes files after use.

@bcoles Ah, thanks. I forgot they're saved as creds.
I'm understanding jtr_oracle_fast better now.
Stepping through it a bit:

# dynamic_1506 is oracle 11/12's H field, MD5.

Format section makes sense as it relates to the new 12c partitioned-style hashes.
That explains why 11g and dynamic_1506 routines are being run (as shown in output in previous post).

But,

print_status "Cracked passwords this run:"

is not followed by

print_good "#{username}:#{password}"

I suppose my (easy) password is not being cracked. And I can tell you, it is in the wordlist...

There is a line in the middle of the module that does a cleanup (delete) of the files. If you comment that line out (I often do during testing), you should be able to see that the output files are being written correctly.

@h00die Thanks. Here's the entry of the user I created, "scott", within one of those tmp hash output files (diff shows all four tmp hash files created are the same):

SCOTT:$oracle12c$0911bac55eef63f0c1769e816355be29492c9d01980dc36c95a86c9ce47f93790631de3d9a60c90451cff152e25d9e94f612a1493ec82af8e3c4d0432b06ba4c2c693b932332bc14d2d66cef098a4699:24:

Looks correct to me, for a password that's not getting cracked, because according to:

password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them

there should be a password after that final ":".

Looking at the relevant output:

[*] Cracking oracle12c hashes in single mode...
Unknown option: "--nolog"
[*] Cracked passwords this run:
Unknown option: "--pot=/path/to/.msf4/john.pot"
[*] Auxiliary module execution completed

What's up with those unknown options? (if --pot stores the cracked passwords, and the option is wrong, could this be why the username/pw are not shown as cracked?)
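The thread splits the dumped spare4 value into the S, H and T fields that jtr_oracle_fast feeds to the oracle11, dynamic_1506 and oracle12c formats. The following added example (my code, not the module's or the project's) parses such a row and recomputes the 11g S and 12c T verifiers for a candidate password, which is a quick way to confirm that a dumped row is intact before blaming the cracker. It assumes the published constructions (S = SHA-1(password || 10-byte salt); T = SHA-512(PBKDF2-HMAC-SHA512(password, salt || "AUTH_PBKDF2_SPEEDY_KEY", 4096 iterations, 64 bytes) || 16-byte salt)) as John's oracle11 and oracle12c formats implement them; the SCOTT row is the one from this thread.

```ruby
require 'openssl'
require 'digest'

# Taken from the thread: the SCOTT spare4 value oracle_hashdump returned on the
# reporter's 12c instance (the password later cracked to hunter2).
SCOTT_SPARE4 = 'S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;' \
               'H:3814C74599475EB73043A1211742EE59;' \
               'T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F9379' \
               '0631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C' \
               '2C693B932332BC14D2D66CEF098A4699'

# Fixed suffix appended to the 16-byte salt before PBKDF2 for the 12c T verifier
# (assumption: the value John's oracle12c format uses).
PBKDF2_SALT_SUFFIX = 'AUTH_PBKDF2_SPEEDY_KEY'.freeze

# Split "S:..;H:..;T:.." into a hash of upper-case hex strings, rejecting anything
# that is not well-formed (a truncated row would otherwise be passed on to john as
# a line it can never crack).
def parse_spare4(spare4)
  fields = {}
  spare4.strip.split(';').each do |part|
    tag, hex = part.split(':', 2)
    raise ArgumentError, "unexpected field #{part.inspect}" unless %w[S H T].include?(tag) && hex
    raise ArgumentError, "non-hex data in #{tag} field" unless hex.match?(/\A\h+\z/)
    fields[tag] = hex.upcase
  end
  fields
end

# 11g "S" verifier: SHA-1(password || salt), stored as 40 hex digest + 20 hex salt.
def s_field_matches?(password, s_field)
  raise ArgumentError, 'S field must be 60 hex chars' unless s_field.length == 60
  digest = s_field[0, 40]
  salt   = [s_field[40, 20]].pack('H*')
  Digest::SHA1.hexdigest(password.b + salt).upcase == digest
end

# 12c "T" verifier: key = PBKDF2-HMAC-SHA512(password, salt || suffix, 4096, 64 bytes);
# stored value = SHA-512(key || salt) as 128 hex, followed by the 16-byte salt as 32 hex.
def t_field_matches?(password, t_field)
  raise ArgumentError, 'T field must be 160 hex chars' unless t_field.length == 160
  digest = t_field[0, 128]
  salt   = [t_field[128, 32]].pack('H*')
  key = OpenSSL::PKCS5.pbkdf2_hmac(password.b, salt + PBKDF2_SALT_SUFFIX.b, 4096, 64,
                                   OpenSSL::Digest.new('sha512'))
  Digest::SHA512.hexdigest(key + salt).upcase == digest
end

# Check one hashdump row against a known password and report which verifiers agree.
# H (MD5-based, dynamic_1506) is parsed but not recomputed here.
def check_row(spare4, password)
  f = parse_spare4(spare4)
  {
    'S' => f.key?('S') ? s_field_matches?(password, f['S']) : nil,
    'T' => f.key?('T') ? t_field_matches?(password, f['T']) : nil
  }
end

if __FILE__ == $PROGRAM_NAME
  puts check_row(SCOTT_SPARE4, 'hunter2').inspect
end
```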

What version of John the Ripper are you using? I have what's included with Kali (1.8.0-13-jumbo-1-bleeding-973a245b96 2018-12-17).
That first snippet you showed, is that the pot file or the file in /tmp?

@h00die That's the file in /tmp. I'm running 1.8.0 as well (newest stable free release).

so we got a few things going on here that may give us the answer.
1) the output for john looks ok to me based on https://github.com/rapid7/metasploit-framework/pull/11351/files#diff-6625c85bb8cc388a87ad2bde9593bcccR142 but maybe the username needs to be lowercase? Some of the hash types salt w/ the username, I don't believe T did, but not 100%
2) all the john errors. I tried to trace back when --nolog was added, but it was quite a while. Why your john doesn't like it is beyond me. However, if john were cracking the password, the way the cracker modules work means it wouldn't know till it checked in that last "Cracked passwords this run", and if it can't load the pot file, then it has nothing to compare against, and therefore it would fail. Can you run JTR manually (specify a pot file, and a wordlist w/ the password in it for ease) and get it to crack?

I'm running 1.8.0 as well (newest stable free release).

No, I'm not running the same version you are. Whoops. I was running an official release from the openwall.com website, which is thousands of commits behind the JTR github. After installing the bleeding-jumbo version of JTR 1.8.0, cracking threads are actually running. But it's taking a LONG time.

msf5 auxiliary(analyze/jtr_oracle_fast) > run

[*] Wordlist file written out to /tmp/jtrtmp20190314-960-86vsgz
[*] Hashes Written out to /tmp/hashes_tmp20190314-960-1dfa77v
[*] Cracking oracle hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190314-960-gy7nyb
[*] Cracking dynamic_1506 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190314-960-1fpni7i
[*] Cracking oracle11 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190314-960-348sv8
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

0g 0:00:04:50 DONE (2019-03-14 20:02) 0g/s 335.1p/s 3686c/s 3686C/s zope..vagrant
Session completed
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

The wordlist mode takes my machine (Intel 3.5GHz i7-6700, 32GB RAM) 30 minutes to complete. Single mode has been running for two hours so far, and is not yet finished. This directly conflicts with this JTR doc's claim: "Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode."

What do you make of this behavior?

I'll report back here if/when it finishes. Hopefully it cracks the password.

What do you make of this behavior?

Are you sure it's using single crack mode?

Hopefully it cracks the password.

I wouldn't hold my breath.

This code from modules/auxiliary/analyze/jtr_oracle_fast.rb ...

      print_status "Cracking #{format} hashes in single mode..."
      cracker_instance.rules = 'single'
      cracker_instance.crack do |line|
        vprint_status line.chomp
      end

... sets rules to single (as opposed to setting a ruleset such as KoreLogicRules).

The rules property is defined as per lib/metasploit/framework/jtr/cracker.rb :

        # @!attribute rules
        #   @return [String] The wordlist mangling rules to use inside John
        attr_accessor :rules

Which is later passed to the --rules command line argument, here:

          if rules.present?
            cmd << ( "--rules=" + rules )
          end

Note that JtR parlance differentiates between modes and rules (single is also a valid rule).

"Single crack mode" is the same as:

john <file of hashes to crack>
# or
john --single <file of hashes to crack>

Whereas "rules" implies the use of a wordlist mangling ruleset (such as KoreLogicRules), ie:

john <file of hashes to crack> --rules KoreLogicRules -w=wordlist

Depending on the version of John you're using, and how the command line argument is constructed, this may not even work. For example, on one of my systems, john hashes --rules=single bails out due to an invalid combination of options. Instead, a wordlist must also be provided: john hashes --rules=single -w=wordlist

I'd recommend liberal use of puts to figure out what exact command line is being used, and what output is being returned by JtR. Perhaps errors are being silently swallowed?

I'd also recommend simplifying your test data so you don't have to wait 30 minutes for each test.

tl/dr: you're likely using single ruleset, not "single crack mode".

Perhaps this will offer some clarity:

root@network:/tmp# wc -l hashes
1 hashes
root@network:/tmp# john --single hashes --format=raw-md5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any
0g 0:00:00:00 DONE (2019-03-15 01:38) 0g/s 0p/s 0c/s 0C/s
Session completed
root@network:/tmp# john hashes --format=raw-md5 --rules=single
Invalid options combination or duplicate option: "--rules=single"
root@network:/tmp# john --single hashes --format=raw-md5 -w=/usr/share/wordlists/rockyou.txt 
Invalid options combination or duplicate option: "-w=/usr/share/wordlists/rockyou.txt"
root@network:/tmp# john --single hashes --format=raw-md5 -w=/usr/share/wordlists/rockyou.txt --rules=single
Invalid options combination or duplicate option: "-w=/usr/share/wordlists/rockyou.txt"
root@network:/tmp# john hashes --format=raw-md5 -w=/usr/share/wordlists/rockyou.txt --rules=single
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 0.90% (ETA: 01:49:40) 0g/s 7699Kp/s 7699Kc/s 7699KC/s wegmel..webaslan
0g 0:00:00:08 1.14% (ETA: 01:50:17) 0g/s 6223Kp/s 6223Kc/s 6223KC/s Sexey..Sasie
0g 0:00:00:10 1.39% (ETA: 01:50:33) 0g/s 5103Kp/s 5103Kc/s 5103KC/s 010187..14973
0g 0:00:00:11 1.50% (ETA: 01:50:49) 0g/s 4996Kp/s 4996Kc/s 4996KC/s ball0.._nica0
0g 0:00:00:12 1.61% (ETA: 01:51:03) 0g/s 4905Kp/s 4905Kc/s 4905KC/s cuteface2..cupcup2
0g 0:00:00:13 1.71% (ETA: 01:51:17) 0g/s 4851Kp/s 4851Kc/s 4851KC/s sanfel?3..sandylam3
0g 0:00:00:14 1.81% (ETA: 01:51:29) 0g/s 4808Kp/s 4808Kc/s 4808KC/s louwhoi4..lourdesaleida4
0g 0:00:00:15 1.91% (ETA: 01:51:41) 0g/s 4773Kp/s 4773Kc/s 4773KC/s feBN5..fdssdf5
0g 0:00:00:16 2.01% (ETA: 01:51:51) 0g/s 4743Kp/s 4743Kc/s 4743KC/s alma6..alhandru6
0g 0:00:00:16 2.07% (ETA: 01:51:29) 0g/s 4723Kp/s 4723Kc/s 4723KC/s mialeah7..miagab7
Session aborted

@bcoles That helps, thanks.

I followed your advice and simplified my test data by deleting my creds and only selecting a single hash in oracle_hashdump (user scott). I should have done this to begin with -- my machine was just chewing on other default oracle users' hashes for hours.

With this single hash in my creds, I immediately noticed that my pw is getting cracked (hooray). But it cannot create a cracked credential:

[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter3
[-] Auxiliary failed: RuntimeError Problem creating cracked credential: undefined method `id' for #<Array:0x00007fa66c0b5e18>. See log for more details.
[-] Call stack:
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:174:in `log_error'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:32:in `rescue in create_cracked_credential'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:13:in `create_cracked_credential'
[-]   /home/myself/git/metasploit-framework/lib/msf/core/auxiliary/report.rb:26:in `create_cracked_credential'
[-]   /home/myself/git/metasploit-framework/modules/auxiliary/analyze/jtr_oracle_fast.rb:86:in `block (2 levels) in run'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:174:in `block (2 levels) in each_cracked_password'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:173:in `each_line'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:173:in `block in each_cracked_password'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `popen'
[-]   /home/myself/git/metasploit-framework/lib/metasploit/framework/jtr/cracker.rb:172:in `each_cracked_password'
[-]   /home/myself/git/metasploit-framework/modules/auxiliary/analyze/jtr_oracle_fast.rb:76:in `block in run'
[-]   /home/myself/git/metasploit-framework/modules/auxiliary/analyze/jtr_oracle_fast.rb:40:in `each'
[-]   /home/myself/git/metasploit-framework/modules/auxiliary/analyze/jtr_oracle_fast.rb:40:in `run'
[*] Auxiliary module execution completed

A few puts in the problematic section of the file reveal that the data service has a problem calling id.

def create_cracked_credential(opts)
    ...
        old_core.logins.each do |login|
          service = data_service.services(id: login.service_id)
          $stderr.puts "reached\n"
          $stderr.puts "service.id: #{service.id}\n"
          $stderr.puts "unreached?\n"
          data_service.create_credential_login(core: new_core, service_id: service.id, status: Metasploit::Model::Login::Status::UNTRIED)
        end
        new_core
      end
    rescue => e
      self.log_error(e, "Problem creating cracked credential")

Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter2
reached
[-] Auxiliary failed: RuntimeError Problem creating cracked credential: undefined method `id' for #<Array:0x00007ffffad5a690>. See log for more details.
[-] Call stack:
...

Is service the "MSF web service"? If not, don't read the rest of this post. If so, this error is almost definitely happening because my MSF web service fails to start. I've been avoiding this issue as long as I could.

The problem is, ./msfdb restart successfully starts my database, but not the web service:

Attempting to start MSF web service...failed
[!] MSF web service does not appear to be started.
Please see /home/myself/.msf4/logs/msf-ws.log for additional details.

Checking the log:

[*] Metasploit requires the Bundler gem to be installed
    $ gem install bundler
Exiting!

But after I run gem install bundler, same error.

gem list output looks good to me:

...
bundler (2.0.1, default: 1.17.3)
bundler-unload (1.0.2)
...

Suggestions appreciated.

While this may feel like 1 step forward and 2 back, this is actually great. You've made it past most of the hurdles. You're also the first one to test the new updated JTR modules in a more 'real world' scenario than just my tests, so bugs are about to crop up.

I'll take a look over the weekend and see if I can figure something out.

I'm not able to replicate:

creds add user:SCOTT hash:S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699 jtr:oracle12c
msf5 > creds
Credentials
===========

host  origin  service  public  private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------  -------                                                                                                                                                                                                                                                               -----  ------------        ----------
                       SCOTT   S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699         Nonreplayable hash  oracle12c

msf5 > use auxiliary/analyze/jtr_oracle_fast 
msf5 auxiliary(analyze/jtr_oracle_fast) > set custom_wordlist /tmp/w
custom_wordlist => /tmp/w
msf5 auxiliary(analyze/jtr_oracle_fast) > set use_default_wordist false
use_default_wordist => false
msf5 auxiliary(analyze/jtr_oracle_fast) > run

[*] Wordlist file written out to /tmp/jtrtmp20190316-12962-1pv9lec
[*] Hashes Written out to /tmp/hashes_tmp20190316-12962-1yc0kdb
[*] Cracking oracle hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190316-12962-1c2yvzv
[*] Cracking dynamic_1506 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190316-12962-967x51
[*] Cracking oracle11 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190316-12962-1gdhmxu
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-03-16 21:04) 14.28g/s 1828p/s 1828c/s 1828C/s hunter..1234567899
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter2
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_oracle_fast) > cat /tmp/w
[*] exec: cat /tmp/w

hunter
hunter2
test
none
bad

If you follow what I just did, does yours still error? This will at least determine if the error is on the hash importer, or the jtr module.

@h00die Following what you just did, still same error.

Does output of you running ./msfdb status show that your MSF web service is started? Because mine is basically broken (as described above). JTR calls create_cracked_credential (lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb) which tries to reference my msf web service.id (framework module WebDataService) that is not started. That must be the cause of this error. I'm pretty stumped as to how to solve my issue there.

@7043mcgeep I have no idea what any of this new-fangled WebDataService technobabble means. Back in my day, you would start a PostgreSQL service and connect with db_connect user:[email protected]:5432/database.

Works for me.

# ./msfconsole 
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***


  PPPPP   IIIIIII   N    N
  P   PP     I      NN   N   IDENTIFICATION
  P   PP     I      N N  N
  PPPPP      I      N  N N      PROGRAM
  P          I      N   NN
  P       IIIIIII   N    N

  Strike a key when ready ...



       =[ metasploit v5.0.12-dev-188f4da5a5               ]
+ -- --=[ 1883 exploits - 1063 auxiliary - 328 post       ]
+ -- --=[ 553 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > db_connect msf:[email protected]/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf5 > creds add user:SCOTT hash:S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699 jtr:oracle12c
msf5 > use auxiliary/analyze/jtr_oracle_fast 
msf5 auxiliary(analyze/jtr_oracle_fast) > set custom_wordlist /tmp/w
custom_wordlist => /tmp/w
msf5 auxiliary(analyze/jtr_oracle_fast) > set use_default_wordist false
use_default_wordist => false
msf5 auxiliary(analyze/jtr_oracle_fast) > cat /tmp/w
[*] exec: cat /tmp/w

hunter
hunter2
test
none
bad

msf5 auxiliary(analyze/jtr_oracle_fast) > run

[*] Wordlist file written out to /tmp/jtrtmp20190317-22327-1u58bp3
[*] Hashes Written out to /tmp/hashes_tmp20190317-22327-1s2vio6
[*] Cracking oracle hashes in normal wordlist mode...
Created directory: /root/.john
Using default input encoding: UTF-8
[*] Cracking oracle hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190317-22327-le1dfj
[*] Cracking dynamic_1506 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190317-22327-1422y0d
[*] Cracking oracle11 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[*] Hashes Written out to /tmp/hashes_tmp20190317-22327-dhua5m
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-03-17 01:43) 100.0g/s 400.0p/s 400.0c/s 400.0C/s hunter..none
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] SCOTT:hunter2
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_oracle_fast) > creds
Credentials
===========

host  origin  service  public  private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------  -------                                                                                                                                                                                                                                                               -----  ------------        ----------
                       SCOTT   S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699         Nonreplayable hash  oracle12c
                       SCOTT   hunter2                                                                                                                                                                                                                                                                      Password            

msf5 auxiliary(analyze/jtr_oracle_fast) > 
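The S: and T: parts of the oracle12c hash in the creds output above can be checked locally, which is useful for confirming what the jtr_oracle_fast run actually matched. The following is an added example, not code from this issue or from Metasploit; it implements the 11g SHA-1 (S:) and 12c PBKDF2-HMAC-SHA512 (T:) schemes described in the Trustwave post linked at the top of the issue, and the hash value is copied from the creds table.

```python
import hashlib
from dataclasses import dataclass

# SPARE4-style hash string for SCOTT, copied from the creds output above.
SCOTT_HASH = (
    "S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;"
    "H:3814C74599475EB73043A1211742EE59;"
    "T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F9379"
    "0631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C"
    "2C693B932332BC14D2D66CEF098A4699"
)


@dataclass
class OracleHash:
    s: str  # 11g: SHA-1(password || salt) || salt, 60 hex chars
    h: str  # MD5-based digest used for HTTP (XDB) auth; not verified here
    t: str  # 12c: SHA-512(key || salt) || salt, 160 hex chars


def parse_oracle_hash(value: str) -> OracleHash:
    """Split the 'S:...;H:...;T:...' string into its three components."""
    parts = dict(item.split(":", 1) for item in value.split(";") if item)
    return OracleHash(s=parts["S"], h=parts["H"], t=parts["T"])


def verify_11g_s(s_hash: str, password: str) -> bool:
    """S: type: 40 hex chars of SHA-1(password || salt), then a 10-byte salt."""
    digest, salt = bytes.fromhex(s_hash[:40]), bytes.fromhex(s_hash[40:])
    return hashlib.sha1(password.encode() + salt).digest() == digest


def verify_12c_t(t_hash: str, password: str) -> bool:
    """T: type: 64-byte SHA-512 digest followed by a 16-byte salt.
    key    = PBKDF2-HMAC-SHA512(password, salt || 'AUTH_PBKDF2_SPEEDY_KEY', 4096, 64)
    digest = SHA-512(key || salt)
    """
    digest, salt = bytes.fromhex(t_hash[:128]), bytes.fromhex(t_hash[128:])
    key = hashlib.pbkdf2_hmac("sha512", password.encode(),
                              salt + b"AUTH_PBKDF2_SPEEDY_KEY", 4096, dklen=64)
    return hashlib.sha512(key + salt).digest() == digest


def check_candidate(value: str, password: str) -> dict:
    """Run both verifiers; a consistent account should agree on S: and T:."""
    parsed = parse_oracle_hash(value)
    return {"S": verify_11g_s(parsed.s, password),
            "T": verify_12c_t(parsed.t, password)}


if __name__ == "__main__":
    print(check_candidate(SCOTT_HASH, "hunter2"))
```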

@bcoles My postgresql database starts just fine. But the web service fails to start ("gem install bundler" mess described in previous post). I'm wondering if this is causing create_cracked_credential's reference to service.id to error out. Unless I'm misunderstanding service here. Am I correct in thinking service = msf web service? (what is going on)

@7043mcgeep I have no idea what any of that means. I can't reproduce your issue using PostgreSQL and db_connect.

Your issue may or may not be a configuration issue. There may or may not be a bug with the web service.

In the interim, as a workaround, you could try using PostgreSQL with db_connect.

@bcoles Probably no bugs there. It's on my end. I've been using the msfdb tool instead of the manual db_connect command. I'm simply unable to get the web service to start due to this bundler gem it's hung up on (but that's another issue I'll open later). Regardless, since you two are able to run this and crack the password nicely, it's time to wrap this up. I'll clean up my oracle_hashdump supporting 12c (and 18c should work, in theory) and submit a PR. If that sounds good, thanks @h00die @bcoles for your attention and help!

Probably no bugs there.

Maybe. Maybe not.

It's on my end. I've been using the msfdb tool instead of the manual db_connect command.

msfdb may or may not be the current best practice. db_connect is the old method for users who have not yet migrated to the data service.

I'm simply unable to get the web service to start due to this bundler gem

You may or may not be able to fix this with gem update --system.

~/metasploit-framework# ./msfdb status
Traceback (most recent call last):
./msfdb:16:in `<main>': uninitialized constant Rex::Text::Color (NameError)

I'm pretty sure mine's more broken than yours, but like @bcoles I'm old school and am just using postgres.

msf5 > db_status
[*] Connected to msf_dev. Connection type: postgresql.

Would love to see the PR get put up!

@7043mcgeep I know this isn't your first PR, but it's been a long road to get this VERY close to landing. It's also been 6 weeks since you set out to conquer this. So I wanted to note some encouraging things:

  1. You are the first person I know of to give the jtr_oracle_fast a more real world test
  2. You inspired me to discover I can actually download and install Oracle for free (had no idea before last week)
  3. You've updated a module which hasn't been touched (real content wise) since pre-git (Oct 2011 is the first commit I see)
  4. You added docs to a module that had none and now people can understand how it's supposed to work
  5. You made the module MUCH more streamlined for updates of new versions because unfortunately Oracle isn't going away.
  6. You gave me a good use case for not deleting temp files in the jtr modules (which was PRed)
  7. You inspired me to update the wiki on how to get Oracle support working

So while yes, it has been a long road for this, it's actually made a bunch of changes to msf, so don't consider just the one PR you put in as all you influenced!

@h00die I really appreciate the words of encouragement! You could probably tell, but MSF is the first major open-source project I've set out to learn about and contribute to. That said, it's nice to be assured of the influence this change has had, and I'm growing to enjoy digging around the framework and attempting to solve issues interesting to me. Again, thanks.

... because unfortunately Oracle isn't going away.

*laughter turns into sobbing*

Oh there's plenty to look at for whatever interest you may have. I think I started with a brocade telnet module, then moved to persistence modules for Linux, then grammar/spelling fixes, then docs and more docs, then an overhaul of jtr. When time allows I usually pick something I know nothing about and write docs to learn it. Inevitably doing that it becomes a 'this would work better like that', or 'there's a new version/dependency' etc. Unfortunately not enough volunteer time in the day, and the ideas keep piling up!

11623
