Overview
I decided to write a quick little guide on installing the Oracle Database Attacking Tool (ODAT) on the latest version of Kali Linux since I noticed people were running into issues with it.
ODAT is an open source penetration testing tool for attacking and auditing the security of Oracle Database servers.
Requirements
- git
- python 2.7.x
- An account on oracle.com or use something like bugmenot.com
Installation
Note: For this setup, ODAT is being installed on the latest version of Kali at the moment (2018.2).
We are also installing the development version of ODAT (it seems to work better than the release binaries).
Getting instantclient, sdk, and sqlplus
Oracle forces you to register on their site in order to download pretty much anything (thanks, Oracle).
You can create a temporary email using any temporary email service like 10minutemail.com, your own personal email (why?), or use the service bugmenot.com to get a login. After you’ve logged in you need to download the following items.
(all version 12.2.0.1.0)
- instantclient-basic-linux.x64-12.2.0.1.0.zip
- instantclient-sqlplus-linux.x64-12.2.0.1.0.zip
- instantclient-sdk-linux.x64-12.2.0.1.0.zip
We need to move all these files from the Downloads directory into the /opt/oracle directory.
root@kali:~/Downloads# mkdir -p /opt/oracle/
root@kali:~/Downloads# cp instantclient-* /opt/oracle/
After you’ve moved these files, make sure you unzip instantclient-basic-linux.x64-12.2.0.1.0.zip first.
root@kali:~/Downloads# cd /opt/oracle/
root@kali:/opt/oracle# unzip instantclient-basic-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle# unzip instantclient-sdk-linux.x64-12.1.0.2.0.zip
root@kali:/opt/oracle# unzip instantclient-sqlplus-linux.x64-12.1.0.2.0.zip
You should now have an “instantclient_12_1” directory.
Create a symlink to the libclntsh.so.12.1 file.
root@kali:/opt/oracle# cd instantclient_12_1/
root@kali:/opt/oracle/instantclient_12_1# ln -s libclntsh.so.12.1 libclntsh.so
Add the following to your bashrc (the single quotes keep $PATH from being expanded before it is written to the file):
echo '
export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1
' >> ~/.bashrc
Reload bashrc:
root@kali:/opt/oracle/instantclient_12_1# source ~/.bashrc
If you are able to run sqlplus without any errors, you are good to continue.
root@kali:/opt/oracle/instantclient_12_1# sqlplus
SQL*Plus: Release 12.1.0.2.0 Production on Wed Aug 1 03:08:10 2018
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Enter user-name:
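A preflight check for the Instant Client setup built in the steps above, as an added example that is not part of the original guide or the ODAT project. The function names are hypothetical, and the check assumes the sqlplus binary and the sdk/ directory unpack into the same instantclient_12_1 directory as the basic package.

```shell
#!/bin/sh
# Added example (not from the guide or the ODAT project): preflight check for
# the Instant Client setup described above. Function names are hypothetical.

# Succeeds if colon-separated list $1 contains entry $2.
list_has() {
    case ":$1:" in *":$2:"*) return 0 ;; *) return 1 ;; esac
}

# Prints one line per problem and returns the number of problems found.
# $1: Instant Client directory (defaults to the path used in this guide).
check_odat_env() {
    ic_dir="${1:-/opt/oracle/instantclient_12_1}"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    [ -d "$ic_dir" ] || { fail "$ic_dir does not exist"; return "$problems"; }
    # Versioned client library from the basic zip.
    [ -f "$ic_dir/libclntsh.so.12.1" ] || fail "libclntsh.so.12.1 missing (basic zip not unpacked?)"
    # -e follows links, so a dangling libclntsh.so link is reported too.
    [ -e "$ic_dir/libclntsh.so" ] || fail "libclntsh.so link missing or dangling"
    # Assumed layout: the sqlplus binary and sdk/ come from the other two zips.
    [ -x "$ic_dir/sqlplus" ] || fail "sqlplus missing or not executable"
    [ -d "$ic_dir/sdk" ] || fail "sdk/ missing (sdk zip not unpacked?)"

    # Variables exported from ~/.bashrc in this guide.
    list_has "${PATH:-}" "$ic_dir" || fail "PATH lacks $ic_dir"
    list_has "${LD_LIBRARY_PATH:-}" "$ic_dir" || fail "LD_LIBRARY_PATH lacks $ic_dir"
    for var in SQLPATH TNS_ADMIN ORACLE_HOME; do
        eval "val=\${$var:-}"
        [ "$val" = "$ic_dir" ] || fail "$var is '$val', expected $ic_dir"
    done
    return "$problems"
}

# Run the check when invoked as: sh check_odat_env.sh --run
if [ "${1:-}" = "--run" ]; then
    check_odat_env && echo "Instant Client environment looks complete"
fi
```

Each FAIL line names the step that was skipped or did not take effect, which is quicker to act on than a cx_Oracle import error later in the install.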
Installing ODAT (development version)
From this point forward, it’s basically following the guide on the GitHub setup page, minus a few steps. (I recommend doing an apt-get update before performing the following steps.)
root@kali:~# cd /opt/
root@kali:/opt# git clone https://github.com/quentinhardy/odat.git
root@kali:/opt# cd odat/
Install: libaio1 python-dev alien python-pip python-scapy
root@kali:/opt/odat# apt-get install -y libaio1 python-dev alien python-pip python-scapy
Install: cx_Oracle
root@kali:/opt/odat# pip install cx_Oracle
Test to make sure the dependencies so far have installed correctly. You shouldn’t have any errors here.
root@kali:/opt/odat# python -c 'import cx_Oracle'
Install the following python packages from pip: colorlog termcolor pycrypto passlib argcomplete
root@kali:/opt/odat# pip install colorlog termcolor pycrypto passlib argcomplete
Activate python-argcomplete
root@kali:/opt/odat# activate-global-python-argcomplete
ODAT should now be fully functioning without any issue. Good luck!
root@kali:/opt/odat# ./odat.py -h
usage: odat.py [-h] [--version]
{all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
...
_ __ _ ___
/ \| \ / \|_ _|
( o ) o ) o || |
\_/|__/|_n_||_|
-------------------------------------------
_ __ _ ___
/ \ | \ / \ |_ _|
( o ) o ) o | | |
\_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------
By Quentin Hardy (quentin.hardy@bt.com or quentin.hardy@protonmail.com)
positional arguments:
{all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
Choose a main command
all to run all modules in order to know what it is possible to do
tnscmd to communicate with the TNS listener
tnspoison to exploit TNS poisoning attack
sidguesser to know valid SIDs
passwordguesser to know valid credentials
utlhttp to send HTTP requests or to scan ports
httpuritype to send HTTP requests or to scan ports
utltcp to scan ports
ctxsys to read files
externaltable to read files or to execute system commands/scripts
dbmsxslprocessor to upload files
dbmsadvisor to upload files
utlfile to download/upload/delete files
dbmsscheduler to execute system commands without a standard output
java to execute system commands
passwordstealer to get hashed Oracle passwords
oradbg to execute a bin or script
dbmslob to download files
stealremotepwds to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
userlikepwd to try each Oracle username stored in the DB like the corresponding pwd
smb to capture the SMB authentication
privesc to gain elevated access
cve to exploit a CVE
search to search in databases, tables and columns
unwrapper to unwrap PL/SQL source code (no for 9i version)
clean clean traces and logs
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
root@kali:/opt/odat# ./odat.py --version
Version 2.3 - 2018/06/03