ODAT - Oracle Database Attacking Tool

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that allows you to test the security of Oracle Databases remotely.

Features:

  • Search valid SID on a remote Oracle Database listener via:
    • a dictionary attack
    • a brute force attack
    • ALIAS of the listener
  • Search Oracle accounts using:
    • a dictionary attack
    • each Oracle username tried as the password (a valid account is needed before using this attack)
  • Execute system commands on the database server using:
    • DBMS_SCHEDULER
    • JAVA
    • external tables
    • oradbg
  • Download files stored on the database server using:
    • UTL_FILE
    • external tables
    • CTXSYS
    • DBMS_LOB
  • Upload files on the database server using:
    • UTL_FILE
    • DBMS_XSLPROCESSOR
    • DBMS_ADVISOR
  • Delete files using:
    • UTL_FILE
  • Gain privileged access using the following combinations of system privileges:
    • CREATE ANY PROCEDURE
    • CREATE PROCEDURE and EXECUTE ANY PROCEDURE
    • CREATE ANY TRIGGER (and CREATE PROCEDURE)
    • ANALYZE ANY (and CREATE PROCEDURE)
    • CREATE ANY INDEX (and CREATE PROCEDURE)
  • Send/receive HTTP requests from the database server using:
    • UTL_HTTP
    • HttpUriType
  • Scan ports of the local server or a remote server using:
    • UTL_HTTP
    • HttpUriType
    • UTL_TCP
  • Capture a SMB authentication through:
    • an index, in order to trigger an SMB connection
  • Exploit some CVEs
  • Search in column names thanks to the search module:
    • search a pattern (ex: password) in column names
  • Unwrap PL/SQL source code (10g/11g and 12c)
  • Get system privileges and roles granted.
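
A defender-side check for the privilege combinations listed above, as an added example (not part of ODAT or of the original page): it resolves nested role grants and reports every grantee that fully holds one of the combinations. The rows are constructed sample data shaped like Oracle's DBA_SYS_PRIVS and DBA_ROLE_PRIVS views, and the function names are hypothetical.

```python
# Combinations from the feature list; a grantee is flagged when it holds a whole set.
RISKY_COMBINATIONS = [
    {"CREATE ANY PROCEDURE"},
    {"CREATE PROCEDURE", "EXECUTE ANY PROCEDURE"},
    {"CREATE ANY TRIGGER", "CREATE PROCEDURE"},
    {"ANALYZE ANY", "CREATE PROCEDURE"},
    {"CREATE ANY INDEX", "CREATE PROCEDURE"},
]

# Constructed sample rows (grantee, privilege), shaped like DBA_SYS_PRIVS.
SAMPLE_SYS_PRIVS = [
    ("APP_OWNER", "CREATE PROCEDURE"),
    ("APP_OWNER", "CREATE SESSION"),
    ("DEV_ROLE", "CREATE ANY INDEX"),
    ("BASE_ROLE", "CREATE PROCEDURE"),
    ("REPORTING", "CREATE SESSION"),
    ("BATCH", "CREATE ANY PROCEDURE"),
]
# Constructed sample rows (grantee, granted_role), shaped like DBA_ROLE_PRIVS.
SAMPLE_ROLE_PRIVS = [
    ("APP_OWNER", "DEV_ROLE"),
    ("ANALYST", "DEV_ROLE"),
    ("DEV_ROLE", "BASE_ROLE"),  # nested role: ANALYST inherits BASE_ROLE too
]

def effective_privileges(grantee, sys_privs, role_privs):
    """Return system privileges held directly or through nested roles."""
    seen, stack, privs = set(), [grantee], set()
    while stack:
        name = stack.pop()
        if name in seen:  # guard against revisiting a role
            continue
        seen.add(name)
        privs.update(p for g, p in sys_privs if g == name)
        stack.extend(r for g, r in role_privs if g == name)
    return privs

def audit(sys_privs, role_privs):
    """Map each grantee (user or role) to the risky combinations it fully holds."""
    grantees = {g for g, _ in sys_privs} | {g for g, _ in role_privs}
    findings = {}
    for grantee in sorted(grantees):
        held = effective_privileges(grantee, sys_privs, role_privs)
        hits = [sorted(c) for c in RISKY_COMBINATIONS if c <= held]
        if hits:
            findings[grantee] = hits
    return findings

if __name__ == "__main__":
    for grantee, hits in audit(SAMPLE_SYS_PRIVS, SAMPLE_ROLE_PRIVS).items():
        print(grantee, "->", "; ".join(" + ".join(h) for h in hits))
```

ANALYST has no direct system privilege in the sample data and is flagged only because of the nested role grant, which a query against DBA_SYS_PRIVS alone would miss.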

If you want to install the development version on your computer, the following tools and dependencies are needed:
  • Python 2.7
  • Instant Oracle basic
  • Instant Oracle sdk
  • cx_Oracle
  • passlib
  • pycrypto
  • python-scapy
  • colorlog (recommended)
  • termcolor (recommended)
  • argcomplete (recommended)
  • pyinstaller (recommended)

    How To Use ODAT

    The -h option can be used to get the ODAT help menu:
      ./odat.py -h  
    The all module is the first module that should be used when you encounter an Oracle Database. For example, you can start with this command:
      ./odat.py all -s 192.168.1.254 -p 1521  
    You can give the SID if you know it:
      ./odat.py all -s 192.168.1.254 -p 1521 -d ORCL  
    If you know a valid account, you can give it to this module:
      ./odat.py all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password  
    For each module (e.g. sidguesser), you can use -v, -vv or -vvv to enable verbosity and see what the module is doing and how. For example:
      ./odat.py all -s 192.168.1.254 -vvv  
    Before using a specific command of a module, the --test-module option should be used first to find out whether you can use it (target is vulnerable, Oracle account has enough privileges, etc.). For example:
      ./odat.py tnspoison -s 192.168.1.254 -p 1521 -d ORCL --test-module  

    Source: Effect Hacking