As a practical follow-up to As a practical follow-up to yesterday’s default credentials rant, I thought I’d share some information about a tool I’ve been using recently — oscanner. There are actually two oscanner security tools out there. We’re looking at the one that does Oracle assessment released by Patrik Karlsson at cqure.net, not the OVAL scanner tool. Oscanner is a simple, lightweight framework that allows you to do SID enumeration, default account/password enumeration, and a number of other Oracle security assessment tasks. It’s been around since 2004 but still offers a quick and easy way to check for Oracle default passwords.
The first time I used oscanner, I was struck by how simple it was. I just ran the script, gave it the options for an IP address and port. Next thing I knew, it enumerated a SID and I was looking at a list of default accounts and passwords that were valid for my database. But they weren’t just standard accounts and passwords, there were some that were very specific to the control system application I was looking at. How did it get these accounts? I checked the accounts.default file — they weren’t there. I did some digging and it turns out that when oscanner finds a valid default account with enough privileges, it will log in and do password guessing for all the accounts it finds in the user tables. This is a very useful feature.
Here is the command string:
./oscanner.sh -s 192.168.10.10 -P 1521
Like I said, pretty simple but powerful. You can throw in a -v if you want the verbose output.
Oscanner isn’t the only tool out there. Nessus will also do Oracle default account auditing and I use it often as well. We discussed this a bit in the November TMICSS podcast. Nessus does not currently do the extended password auditing by logging into the database like oscanner, however.
A few other basics about oscanner:
- You can expand the default credentials list by editing the accounts.default file. I’ve modified mine now with some of the common control system database accounts.
- You can customize which plugins run by editing the oracleplugins.default file.
- You can customize the password dictionary file, dictionary.txt. It only tries the username, oracle, and password by default. This is where it looks to guess passwords for accounts that are enumerated after it is able to log in with another default set of credentials.
- The output dumps to the screen and also to an XML file for each scan you run.
For the purpose of this post, the SID enumeration and default account/password auditing are the most important features of oscanner. But if you are interested in taking a deeper look at Oracle security, it will also do the following according to the documentation:
- Enumerate Oracle version
- Enumerate account roles
- Enumerate account privileges
- Enumerate account hashes
- Enumerate audit information
- Enumerate password policies
- Enumerate database links