|
| 1 | +#!/usr/bin/env python3 |
| 2 | + |
| 3 | +# This software is Copyright (c) 2024, k4amos <k4amos at proton.me> |
| 4 | +# and it is hereby released to the general public under the following terms: |
| 5 | +# |
| 6 | +# Redistribution and use in source and binary forms, with or without |
| 7 | +# modification, are permitted. |
| 8 | + |
| 9 | +# --- |
| 10 | + |
| 11 | +# Utility to obtain a hash of ORACLE authentication (o5logon) that can be cracked with John |
| 12 | +# This code does not support Oracle authentication with the key derivation function PBKDF2 |
| 13 | +# |
| 14 | +# Usage: ./oracle2john.py <pcap files> |
| 15 | +# |
| 16 | +# This script depends on Scapy (https://scapy.net) |
| 17 | +# To install: pip install --user scapy |
| 18 | + |
| 19 | +import sys |
| 20 | +import argparse |
| 21 | +import re |
| 22 | + |
| 23 | +try: |
| 24 | + import scapy.all as scapy |
| 25 | +except ImportError: |
| 26 | + print( |
| 27 | + "\033[91m[Error] Scapy seems to be missing, run 'pip install --user scapy' to install it\033[0m", |
| 28 | + file=sys.stderr, |
| 29 | + ) |
| 30 | + sys.exit(1) |
| 31 | + |
| 32 | + |
| 33 | +def read_file(args, filename): |
| 34 | + """ |
| 35 | + Reads a PCAP file and extracts relevant Oracle authentication data (o5logon). |
| 36 | + """ |
| 37 | + auth_data = { |
| 38 | + "server_auth_sesskey": None, |
| 39 | + "auth_vfr_data": None, |
| 40 | + "auth_password": None, |
| 41 | + "client_auth_sesskey": None, |
| 42 | + } |
| 43 | + |
| 44 | + packets = scapy.rdpcap(filename) |
| 45 | + for packet in packets: |
| 46 | + auth_data = process_packet(args, packet, auth_data) |
| 47 | + |
| 48 | + if None not in list(auth_data.values()): |
| 49 | + # Format of the hash : $o5logon$ <server's AUTH_SESSKEY> * <AUTH_VFR_DATA> * <AUTH_PASSWORD> * <client's AUTH_SESSKEY> |
| 50 | + |
| 51 | + print( |
| 52 | + f'$o5logon${auth_data["server_auth_sesskey"]}*{auth_data["auth_vfr_data"]}*{auth_data["auth_password"]}*{auth_data["client_auth_sesskey"]}' |
| 53 | + ) |
| 54 | + |
| 55 | + else: |
| 56 | + # Format of the hash : $o5logon$ <server's AUTH_SESSKEY> * <AUTH_VFR_DATA> |
| 57 | + # This format can be cracked only if your Oracle version is affected by CVE-2012-3137 |
| 58 | + |
| 59 | + print( |
| 60 | + f'$o5logon${auth_data["server_auth_sesskey"]}*{auth_data["auth_vfr_data"]}' |
| 61 | + ) |
| 62 | + |
| 63 | + |
| 64 | +def select_hexa(raw_string): |
| 65 | + """ |
| 66 | + Extracts the first valid hexadecimal string from the raw data. |
| 67 | + """ |
| 68 | + match_hexa = re.search( |
| 69 | + "([A-Fa-f0-9]+)", raw_string.decode("ascii", errors="ignore").replace(" ", "") |
| 70 | + ) |
| 71 | + if match_hexa: |
| 72 | + return match_hexa.group(1) |
| 73 | + return None |
| 74 | + |
| 75 | + |
| 76 | +def process_packet(args, packet, auth_data): |
| 77 | + """ |
| 78 | + Processes a packet and updates the auth_data dictionary with the extracted values. |
| 79 | + """ |
| 80 | + raw_data = bytes(packet) |
| 81 | + |
| 82 | + server_auth_sesskey_match = re.search( |
| 83 | + rb"AUTH_SESSKEY([\s\S]+?)AUTH_VFR_DATA", raw_data |
| 84 | + ) |
| 85 | + if server_auth_sesskey_match: |
| 86 | + auth_data["server_auth_sesskey"] = select_hexa( |
| 87 | + server_auth_sesskey_match.group(1) |
| 88 | + ) |
| 89 | + |
| 90 | + auth_vfr_data_match = re.search( |
| 91 | + rb"AUTH_VFR_DATA([\s\S]+?)(AUTH_GLOBALLY_UNIQUE_DBID|$)", raw_data |
| 92 | + ) |
| 93 | + if auth_vfr_data_match: |
| 94 | + auth_data["auth_vfr_data"] = select_hexa(auth_vfr_data_match.group(1)) |
| 95 | + |
| 96 | + auth_password_match = re.search(rb"AUTH_PASSWORD([\s\S]+?)AUTH_RTT", raw_data) |
| 97 | + if auth_password_match: |
| 98 | + auth_data["auth_password"] = select_hexa(auth_password_match.group(1)) |
| 99 | + |
| 100 | + client_auth_sesskey_match = re.search( |
| 101 | + rb"AUTH_SESSKEY([\s\S]+?)AUTH_PASSWORD", raw_data |
| 102 | + ) |
| 103 | + if client_auth_sesskey_match: |
| 104 | + auth_data["client_auth_sesskey"] = select_hexa( |
| 105 | + client_auth_sesskey_match.group(1) |
| 106 | + ) |
| 107 | + |
| 108 | + return auth_data |
| 109 | + |
| 110 | + |
| 111 | +if __name__ == "__main__": |
| 112 | + |
| 113 | + parser = argparse.ArgumentParser( |
| 114 | + formatter_class=argparse.RawDescriptionHelpFormatter, |
| 115 | + epilog=""" |
| 116 | + ### Utility to obtain a hash of ORACLE authentication (o5logon) that can be cracked with John |
| 117 | + This code does not support Oracle authentication with the key derivation function PBKDF2 |
| 118 | + Written by k4amos |
| 119 | +
|
| 120 | + Usage: ./oracle2john.py <pcap files> |
| 121 | + """, |
| 122 | + ) |
| 123 | + |
| 124 | + parser.add_argument("file", type=str, nargs="+") |
| 125 | + |
| 126 | + parsed_args = parser.parse_args() |
| 127 | + args = vars(parsed_args) |
| 128 | + |
| 129 | + for filename in args["file"]: |
| 130 | + read_file(args, filename) |
0 commit comments