Nmap latest stable version (7.70) for Windows (10x64) detects working oracle db server, but does not print out any found credentials. The 'oracle-default-credentials.lst' file contains correct username/password. The older Nmap (6.40) works fine.
Command:
nmap -p 1521 --script oracle-brute --script-args oracle-brute.sid=<instance> <host>
Nmap 7.70 output:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 13:05 Russia TZ 2 Standard Time
Nmap scan report for <host>
Host is up (0.00088s latency).
PORT STATE SERVICE
1521/tcp open oracle
MAC Address: 00:00:00:00:00:00 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Nmap 6.40 output:
Starting Nmap 6.40 ( http://nmap.org ) at 2019-02-15 13:13 Russia TZ 2 Standard Time
Nmap scan report for <host>
Host is up (0.00s latency).
PORT STATE SERVICE
1521/tcp open oracle
| oracle-brute:
| Accounts
| <username> as sysdba:<password> - Valid credentials
| Statistics
|_ Performed 15 guesses in 1 seconds, average tps: 15
MAC Address: 00:00:00:00:00:00 (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 5.19 seconds
Thanks for the report. Can you run the scan with -d --script-trace to provide us some debugging information?
Hello,
I have the same issue so the result of nmap with -d --script-trace option is shown below:
nmap -p 1521 --script oracle-brute --script-args oracle-brute.sid=orcl 192.168.10.250 -d --script-trace
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-11 16:14 CEST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: oracle-brute.sid=orcl
NSE: Arguments parsed: oracle-brute.sid=orcl
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:14
Completed NSE at 16:14, 0.00s elapsed
Initiating ARP Ping Scan at 16:14
Scanning 192.168.10.250 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x08002798 and arp[22:2] = 0x3EAA
Completed ARP Ping Scan at 16:14, 0.04s elapsed (1 total hosts)
Overall sending rates: 24.69 packets / s, 1036.88 bytes / s.
mass_rdns: Using DNS server 192.168.10.1
Initiating SYN Stealth Scan at 16:14
Scanning orcl (192.168.10.250) [1 port]
Packet capture filter (device eth0): dst host 192.168.10.246 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.10.250)))
Discovered open port 1521/tcp on 192.168.10.250
Completed SYN Stealth Scan at 16:14, 0.04s elapsed (1 total ports)
Overall sending rates: 22.80 packets / s, 1002.99 bytes / s.
NSE: Script scanning 192.168.10.250.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:14
NSE: Starting oracle-brute against 192.168.10.250:1521.
NSOCK INFO [0.4420s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.6470s] nsock_connect_tcp(): TCP connection requested to 192.168.10.250:1521 (IOD #1) EID 8
NSOCK INFO [0.6480s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.10.250:1521]
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | CONNECT
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | 00000000: 00 f3 00 00 01 00 00 00 01 3a 01 2c 0c 41 20 00 : , A
00000010: 7f ff 7f 08 00 00 01 00 00 b9 00 3a 00 00 02 00 :
00000020: 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA
00000030: 00 00 00 00 00 00 00 00 00 00 20 20 28 44 45 53 (DES
00000040: 43 52 49 50 54 49 4f 4e 3d 28 41 44 44 52 45 53 CRIPTION=(ADDRES
00000050: 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 43 50 29 S=(PROTOCOL=TCP)
00000060: 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e 31 30 (HOST=192.168.10
00000070: 2e 32 35 30 29 28 50 4f 52 54 3d 31 35 32 31 29 .250)(PORT=1521)
00000080: 29 0a 20 20 28 43 4f 4e 4e 45 43 54 5f 44 41 54 ) (CONNECT_DAT
00000090: 41 3d 28 53 45 52 56 45 52 3d 44 45 44 49 43 41 A=(SERVER=DEDICA
000000a0: 54 45 44 29 28 53 45 52 56 49 43 45 5f 4e 41 4d TED)(SERVICE_NAM
000000b0: 45 3d 6f 72 63 6c 29 28 43 49 44 3d 0a 20 20 28 E=orcl)(CID= (
000000c0: 50 52 4f 47 52 41 4d 3d 73 71 6c 70 6c 75 73 29 PROGRAM=sqlplus)
000000d0: 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e 31 30 (HOST=192.168.10
000000e0: 2e 32 35 30 29 28 55 53 45 52 3d 6e 6d 61 70 29 .250)(USER=nmap)
000000f0: 29 29 29 )))
NSOCK INFO [0.6480s] nsock_write(): Write request for 243 bytes to IOD #1 EID 19 [192.168.10.250:1521]
NSOCK INFO [0.6480s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [192.168.10.250:1521]
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | SEND
NSOCK INFO [0.6480s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 26
NSOCK INFO [0.6650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [192.168.10.250:1521] (8 bytes): ........
NSE: TCP 192.168.10.246:57612 < 192.168.10.250:1521 | 00000000: 00 08 00 00 0b 00 00 00
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | 00000000: 00 f3 00 00 01 00 00 00 01 3a 01 2c 0c 41 20 00 : , A
00000010: 7f ff 7f 08 00 00 01 00 00 b9 00 3a 00 00 02 00 :
00000020: 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA
00000030: 00 00 00 00 00 00 00 00 00 00 20 20 28 44 45 53 (DES
00000040: 43 52 49 50 54 49 4f 4e 3d 28 41 44 44 52 45 53 CRIPTION=(ADDRES
00000050: 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 43 50 29 S=(PROTOCOL=TCP)
00000060: 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e 31 30 (HOST=192.168.10
00000070: 2e 32 35 30 29 28 50 4f 52 54 3d 31 35 32 31 29 .250)(PORT=1521)
00000080: 29 0a 20 20 28 43 4f 4e 4e 45 43 54 5f 44 41 54 ) (CONNECT_DAT
00000090: 41 3d 28 53 45 52 56 45 52 3d 44 45 44 49 43 41 A=(SERVER=DEDICA
000000a0: 54 45 44 29 28 53 45 52 56 49 43 45 5f 4e 41 4d TED)(SERVICE_NAM
000000b0: 45 3d 6f 72 63 6c 29 28 43 49 44 3d 0a 20 20 28 E=orcl)(CID= (
000000c0: 50 52 4f 47 52 41 4d 3d 73 71 6c 70 6c 75 73 29 PROGRAM=sqlplus)
000000d0: 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e 31 30 (HOST=192.168.10
000000e0: 2e 32 35 30 29 28 55 53 45 52 3d 6e 6d 61 70 29 .250)(USER=nmap)
000000f0: 29 29 29 )))
NSOCK INFO [0.6690s] nsock_write(): Write request for 243 bytes to IOD #1 EID 35 [192.168.10.250:1521]
NSOCK INFO [0.6690s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.10.250:1521]
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | SEND
NSOCK INFO [0.6700s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 42
NSOCK INFO [0.6710s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [192.168.10.250:1521] (32 bytes): . .......:.A ........ aA........
NSE: TCP 192.168.10.246:57612 < 192.168.10.250:1521 | 00000000: 00 20 00 00 02 00 00 00 01 3a 08 41 20 00 7f ff : A
00000010: 01 00 00 00 00 20 61 41 00 00 00 00 00 00 00 00 aA
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | 00000000: 00 9e 00 00 06 00 00 00 00 00 de ad be ef 00 92
00000010: 0b 10 06 00 00 04 00 00 04 00 03 00 00 00 00 00
00000020: 04 00 05 0b 10 06 00 00 08 00 00 10 00 01 5c b3 \
00000030: 53 ab ec b0 01 20 00 1d ea db ee f0 00 30 00 00 S 0
00000040: 00 40 00 40 00 10 00 10 00 02 00 01 00 03 00 00 @ @
00000050: 00 00 00 04 00 05 0b 10 06 00 00 02 00 03 e0 e1
00000060: 00 02 00 06 fc ff 00 02 00 00 20 00 00 00 00 00
00000070: 40 00 50 b1 00 60 00 00 c0 00 10 01 10 61 00 c0 @ P ` a
00000080: f0 a0 b0 80 20 10 30 00 30 00 02 00 00 00 00 00 0 0
00000090: 04 00 05 0b 10 06 00 00 03 00 01 00 03 01
NSOCK INFO [0.6740s] nsock_write(): Write request for 158 bytes to IOD #1 EID 51 [192.168.10.250:1521]
NSOCK INFO [0.6740s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [192.168.10.250:1521]
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | SEND
NSOCK INFO [0.6740s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 58
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [192.168.10.250:1521]
NSOCK INFO [0.7230s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 66
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 66 [192.168.10.250:1521]
NSOCK INFO [0.7230s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 74
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 74 [192.168.10.250:1521]
NSOCK INFO [0.7230s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 82
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 82 [192.168.10.250:1521]
NSOCK INFO [0.7230s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 90
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 90 [192.168.10.250:1521]
NSOCK INFO [0.7230s] nsock_read(): Read request from IOD #1 [192.168.10.250:1521] (timeout: 30000ms) EID 98
NSOCK INFO [0.7230s] nsock_trace_handler_callback(): Callback: READ EOF for EID 98 [192.168.10.250:1521]
NSE: Finished oracle-brute against 192.168.10.250:1521.
NSE: TCP 192.168.10.246:57612 > 192.168.10.250:1521 | CLOSE
NSOCK INFO [0.7230s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Completed NSE at 16:14, 0.08s elapsed
Nmap scan report for orcl (192.168.10.250)
Host is up, received arp-response (0.00020s latency).
Scanned at 2019-07-11 16:14:26 CEST for 0s
PORT STATE SERVICE REASON
1521/tcp open oracle syn-ack ttl 128
| oracle-brute:
|_ ERROR: Failed to connect to oracle server
MAC Address: 54:E1:AD:65:12:66 (Lcfc(hefei) Electronics Technology)
Final times for host: srtt: 198 rttvar: 3770 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:14
Completed NSE at 16:14, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
Thank you for any help.
This is still an issue with version 7.80 of nmap.
@dmiller-nmap hello again, I'm using Nmap 7.80 now, and the problem still exists...
Here is my command for Zenmap withh -d --script-trace option:
nmap -sT -p 1521 -d -Pn --script-trace --script oracle-brute --script-args "oracle-brute.sid=orcl, brute.credfile=C:\Program Files (x86)\Nmap\nselib\data\oracle-default-accounts.lst" 192.168.100.154
And the resulting output is in the attached file. Any help will be appreciated.
oracle-brute-output.txt
@dmiller-nmap it seems to me, I've found the cause of the problem: it appears only for Oracle 12 (and probably higher versions), while for Oracle 11 script completes successfully. And digging further, I've found why: Oracle 12 requires new authentication SHA-2 protocol, whereas Oracle 10/11 use SHA-1. So, trying to authenticate to Oracle 12, the script gets the error message: ORA-28040 "No matching authentication protocol".
The limitation for Oracle versions is mentioned in comment in script tns.lua (containing the inner part of Oracle bruteforce code).
It is possible for you to extend the current feature and support Oracle >12 bruteforce?
Most helpful comment
This is still an issue with version 7.80 of nmap.