├── .gitattributes ├── .github └── workflows │ └── dotnet.yml ├── .gitignore ├── README.md ├── wodat.sln └── wodat ├── App.config ├── ArgumentParser.cs ├── Arguments.cs ├── IpRanges.cs ├── OracleDatabase.cs ├── Properties └── AssemblyInfo.cs ├── TNS.cs ├── mainProgram.cs ├── packages.config ├── passGuesser.cs ├── reconTool.cs ├── sidGuesser.cs ├── srvGuesser.cs ├── testConnection.cs └── wodat.csproj /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.github/workflows/dotnet.yml: -------------------------------------------------------------------------------- 1 | name: .NET 2 | 3 | on: 4 | push: 5 | branches: [ "master" ] 6 | pull_request: 7 | branches: [ "master" ] 8 | 9 | jobs: 10 | build: 11 | 12 | runs-on: windows-2019 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | 17 | - name: Setup MSBuild 18 | uses: microsoft/setup-msbuild@v1 19 | 20 | - name: Setup NuGet 21 | uses: NuGet/setup-nuget@v1.0.5 22 | 23 | - name: setup-msbuild 24 | uses: microsoft/setup-msbuild@v1.1 25 | 26 | - name: Restore Packages 27 | run: nuget restore wodat.sln 28 | 29 | - name: Create folder 30 | run: | 31 | mkdir -p 'D:/outputrel/outputrel' 32 | 33 | - name: Build solution 34 | run: msbuild wodat.sln -t:rebuild -property:Configuration=Release -verbosity:diag /p:OutputPath='D:/outputrel/outputrel' 35 | 36 | - name: Upload artifact 37 | uses: actions/upload-artifact@v2 38 | with: 39 | name: Release 40 | path: 'D:/outputrel/outputrel' 41 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd 364 | wodat/.DS_Store 365 | .DS_Store 366 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # wodat 2 | Windows Oracle Database Attack Tool 3 | 4 | ![Follow on Twitter](https://img.shields.io/twitter/follow/initroott?label=Follow%20&style=social) 5 | ![GitHub last commit](https://img.shields.io/github/last-commit/initroot/wodat) 6 | 7 | 8 | Simple port of the popular Oracle Database Attack Tool (ODAT) (https://github.com/quentinhardy/odat) to C# .Net Framework. 9 | Credit to https://github.com/quentinhardy/odat as lots of the functionality are ported from his code. 10 | * Perform password based attacks e.g. username as password, username list against given password, password list against given username, username:pass combolist. 11 | * Test if a credential/connection string is working against target 12 | * Brute force attacks to discover valid SID/ServiceNames 13 | * Perform discovery of valid TNS listeners against provided target file or CIDR range 14 | * More to come, I hope! 15 | 16 | ![image](https://user-images.githubusercontent.com/954507/180816033-31dbc5d5-0012-401a-9748-48df230b0fdf.png) 17 | 18 | ## Disclaimer 19 | I take not responsibility for your use of the software. Development is done in my personal capacity and carry no affiliation to my work. 20 | 21 | ## Usage 22 | The general command line arguments required are as follow: 23 | 24 | ``` 25 | wodat.exe COMMAND ARGGUMENTS 26 | COMMAND (ALL,BRUTECRED,BRUTESID,BRUTESRV,TEST,DISC) 27 | -server:XXX.XXX.XXX.XXX -port:1520 28 | -sid:AS OR -srv:AS 29 | -user:Peter -pass:Password 30 | 31 | ``` 32 | To test if a specific credential set works. 33 | ``` 34 | wodat.exe TEST -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE -user:peter -pass:pan 35 | 36 | ``` 37 | See the outline on modules for further usage. The tool will always first check if the TNS listener that is targeted works. 38 | 39 | ## Modules 40 | #### BRUTESID 41 | Module performs wordlist SID guessing attack if not successful will ask for brute force attack. 42 | ``` 43 | wodat.exe BRUTESID -server:XXX.XXX.XXX.XXX -port:1521 44 | ``` 45 | ![image](https://user-images.githubusercontent.com/954507/180816431-7bb82722-55cf-4233-9cca-8e809ebf5f4a.png) 46 | 47 | #### BRUTESRV 48 | Module performs wordlist ServiceName guessing attack if not successful will ask for brute force attack. 49 | ``` 50 | wodat.exe BRUTESRV -server:XXX.XXX.XXX.XXX -port:1521 51 | ``` 52 | #### BRUTECRED 53 | Module performs wordlist password based attack. The following options exist: 54 | ``` 55 | A - username:password combolist with no credentials given during arguments 56 | B - username list with password given in arguments 57 | C - password list with username given in arguments 58 | D - username as password with username list provided 59 | ``` 60 | To perform a basic attack with a given file that has username:password combos. 61 | ``` 62 | wodat.exe BRUTECRED -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE 63 | 64 | ``` 65 | ![image](https://user-images.githubusercontent.com/954507/180830466-3bf2f809-8373-44cc-a72f-bc11ad012283.png) 66 | 67 | #### TEST 68 | Module tests if the given connection string can connect successfully. 69 | ``` 70 | wodat.exe TEST -server:XXX.XXX.XXX.XXX -port:1521 -sid:XE -user:peter -pass:pan 71 | ``` 72 | ![image](https://user-images.githubusercontent.com/954507/180830998-112671d7-d747-43ba-90e9-01c615ca5248.png) 73 | 74 | #### DISC 75 | Module will perform discovery against provided CIDR range or file with instances. Note, only instances with valid TNS listeners will be returned. 76 | Testing a network range will be much faster as it’s processed in parallel. 77 | ``` 78 | wodat.exe DISC 79 | 80 | ``` 81 | Instances to test must be formatted as per the below example `targets.txt`: 82 | 83 | ``` 84 | 192.168.10.1 85 | 192.168.10.5,1521 86 | 87 | ``` 88 | ![image](https://user-images.githubusercontent.com/954507/181905625-a2b4261c-3364-4f5d-b60e-dbfceaba5a65.png) 89 | 90 | 91 | ### ALL 92 | Not implemented yet. 93 | 94 | #### RECON 95 | Not implemented yet. 96 | 97 | 98 | ## Setup and Requirements 99 | You can grab automated release build from the GitHub Actions or build yourself using the following commands: 100 | 101 | ``` 102 | nuget restore wodat.sln 103 | msbuild wodat.sln -t:rebuild -property:Configuration=Release 104 | 105 | ``` 106 | Some general notes: 107 | The `Oracle.ManagedDataAccess.dll` library will have to be copied with the binary. I'm looking at ways of embedding it. 108 | 109 | ## Todo 110 | - Handle SYSDBA and SYSOPER connections 111 | - Implement outstanding modules 112 | - Various validation, error handling code still needs to be done 113 | - Some minor known bugfixes 114 | - Add options to check against built in lists for SID, ServiceNames or common credentials 115 | 116 | ## Changelog 117 | Version 0.1 - Base toolkit and functionality 118 | Version 0.2 - Several bugfixes, improved socket connection and added RECON module 119 | -------------------------------------------------------------------------------- /wodat.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.32014.148 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wodat", "wodat\wodat.csproj", "{285677F0-67A9-404B-A679-F8AA4A44B7DF}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | TestDebug|Any CPU = TestDebug|Any CPU 13 | EndGlobalSection 14 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 15 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 16 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.Debug|Any CPU.Build.0 = Debug|Any CPU 17 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.Release|Any CPU.ActiveCfg = Release|Any CPU 18 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.Release|Any CPU.Build.0 = Release|Any CPU 19 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.TestDebug|Any CPU.ActiveCfg = Debug|Any CPU 20 | {285677F0-67A9-404B-A679-F8AA4A44B7DF}.TestDebug|Any CPU.Build.0 = Debug|Any CPU 21 | EndGlobalSection 22 | GlobalSection(SolutionProperties) = preSolution 23 | HideSolutionNode = FALSE 24 | EndGlobalSection 25 | GlobalSection(ExtensibilityGlobals) = postSolution 26 | SolutionGuid = {9A79E3F2-3E26-426A-93D3-97349A1D4178} 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /wodat/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 |
5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /wodat/ArgumentParser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | 4 | namespace wodat 5 | { 6 | 7 | class ArgumentParser 8 | { 9 | public string Command { get; set; } 10 | public string DetailCommand { get; set; } 11 | public Dictionary Parameters { get; set; } 12 | 13 | private List original; 14 | 15 | public ArgumentParser(string[] arguments) 16 | { 17 | Parameters = new Dictionary(); 18 | if (arguments != null) 19 | { 20 | original = new List(arguments); 21 | Parse(); 22 | } 23 | } 24 | 25 | private void Parse() 26 | { 27 | if (original.Count > 0) 28 | { 29 | this.Command = original[0]; 30 | } 31 | if (original.Count > 1) 32 | { 33 | if (!original[1].StartsWith("-")) 34 | { 35 | this.DetailCommand = original[1]; 36 | } 37 | original.ForEach(i => { 38 | if (i.StartsWith("-")) 39 | { 40 | int pos = i.IndexOf(':'); 41 | if (pos == -1) 42 | { 43 | this.Parameters.Add(i.Substring(1), null); 44 | } 45 | else 46 | { 47 | this.Parameters.Add(i.Substring(1, pos - 1), i.Substring(pos + 1)); 48 | } 49 | } 50 | }); 51 | } 52 | } 53 | } 54 | } 55 | 56 | -------------------------------------------------------------------------------- /wodat/Arguments.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | namespace wodat 3 | { 4 | public class Arguments 5 | { 6 | private string username; 7 | private string password; 8 | private string serviceName; 9 | private string sID; 10 | private string serverIP; 11 | private int port; 12 | private string conString; 13 | object dbcon; 14 | 15 | public string Username { get => username; set => username = value; } 16 | public string Password { get => password; set => password = value; } 17 | public string recTarget { get => recTarget; set => recTarget = value; } 18 | public string ServiceName { get => serviceName; set => serviceName = value; } 19 | public string SID { get => sID; set => sID = value; } 20 | public string ServerIP { get => serverIP; set => serverIP = value; } 21 | public int Port { get => port; set => port = value; } 22 | public string ConString { get => conString; set => conString = value; } 23 | public object Dbcon { get => dbcon; set => dbcon = value; } 24 | public string Module { get; set; } 25 | 26 | public Arguments(string username, string password, string sID, string serverIP, int port,string connString, string module, string serviceName = null) 27 | { 28 | this.Username = username; 29 | this.password = password; 30 | this.ServiceName = serviceName; 31 | this.sID = SID; 32 | this.ServerIP = serverIP; 33 | this.Port = port; 34 | this.ConString = connString; 35 | this.Module = module; 36 | 37 | } 38 | 39 | public Arguments() 40 | { 41 | //empty 42 | } 43 | 44 | } 45 | } 46 | 47 | -------------------------------------------------------------------------------- /wodat/IpRanges.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Net; 6 | using System.Text.RegularExpressions; 7 | 8 | namespace IpRanges 9 | { 10 | public class IPRange 11 | { 12 | public IPRange(string ipRange) 13 | { 14 | if (ipRange == null) 15 | throw new ArgumentNullException(); 16 | 17 | if (!TryParseCIDRNotation(ipRange) && !TryParseSimpleRange(ipRange)) 18 | throw new ArgumentException(); 19 | } 20 | 21 | public IEnumerable GetAllIP() 22 | { 23 | int capacity = 1; 24 | for (int i = 0; i < 4; i++) 25 | capacity *= endIP[i] - beginIP[i] + 1; 26 | 27 | List ips = new List(capacity); 28 | for (int i0 = beginIP[0]; i0 <= endIP[0]; i0++) 29 | { 30 | for (int i1 = beginIP[1]; i1 <= endIP[1]; i1++) 31 | { 32 | for (int i2 = beginIP[2]; i2 <= endIP[2]; i2++) 33 | { 34 | for (int i3 = beginIP[3]; i3 <= endIP[3]; i3++) 35 | { 36 | ips.Add(new IPAddress(new byte[] { (byte)i0, (byte)i1, (byte)i2, (byte)i3 })); 37 | } 38 | } 39 | } 40 | } 41 | 42 | return ips; 43 | } 44 | 45 | /// 46 | /// Parse IP-range string in CIDR notation. 47 | /// For example "12.15.0.0/16". 48 | /// 49 | /// 50 | /// 51 | private bool TryParseCIDRNotation(string ipRange) 52 | { 53 | string[] x = ipRange.Split('/'); 54 | 55 | if (x.Length != 2) 56 | return false; 57 | 58 | byte bits = byte.Parse(x[1]); 59 | uint ip = 0; 60 | String[] ipParts0 = x[0].Split('.'); 61 | for (int i = 0; i < 4; i++) 62 | { 63 | ip = ip << 8; 64 | ip += uint.Parse(ipParts0[i]); 65 | } 66 | 67 | byte shiftBits = (byte)(32 - bits); 68 | uint ip1 = (ip >> shiftBits) << shiftBits; 69 | 70 | if (ip1 != ip) // Check correct subnet address 71 | return false; 72 | 73 | uint ip2 = ip1 >> shiftBits; 74 | for (int k = 0; k < shiftBits; k++) 75 | { 76 | ip2 = (ip2 << 1) + 1; 77 | } 78 | 79 | beginIP = new byte[4]; 80 | endIP = new byte[4]; 81 | 82 | for (int i = 0; i < 4; i++) 83 | { 84 | beginIP[i] = (byte)((ip1 >> (3 - i) * 8) & 255); 85 | endIP[i] = (byte)((ip2 >> (3 - i) * 8) & 255); 86 | } 87 | 88 | return true; 89 | } 90 | 91 | /// 92 | /// Parse IP-range string "12.15-16.1-30.10-255" 93 | /// 94 | /// 95 | /// 96 | private bool TryParseSimpleRange(string ipRange) 97 | { 98 | String[] ipParts = ipRange.Split('.'); 99 | 100 | beginIP = new byte[4]; 101 | endIP = new byte[4]; 102 | for (int i = 0; i < 4; i++) 103 | { 104 | string[] rangeParts = ipParts[i].Split('-'); 105 | 106 | if (rangeParts.Length < 1 || rangeParts.Length > 2) 107 | return false; 108 | 109 | beginIP[i] = byte.Parse(rangeParts[0]); 110 | endIP[i] = (rangeParts.Length == 1) ? beginIP[i] : byte.Parse(rangeParts[1]); 111 | } 112 | 113 | return true; 114 | } 115 | 116 | private byte[] beginIP; 117 | private byte[] endIP; 118 | } 119 | } -------------------------------------------------------------------------------- /wodat/OracleDatabase.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using Oracle.ManagedDataAccess.Client; 3 | using System.Linq; 4 | 5 | namespace wodat 6 | { 7 | public class OracleDatabase 8 | { 9 | public string[] ERROR_RETURN_LIST = { "12505", "12537", "End of file", "01017","12533" }; 10 | public string[] TARGET_UNAVAILABLE = { "target host or object does not exist", "handler with matching protocol stack" }; 11 | public string[] SYSDBA_CREDS = { "28009", "SYSDBA or SYSOPER" }; 12 | public Arguments cArgs; 13 | public OracleDatabase(Arguments oArgs) 14 | { 15 | this.cArgs = oArgs; 16 | this.GenerateConnectionString(); 17 | } 18 | 19 | /* 20 | Generate Oracle Database connection string 21 | If username is not given, it is taken from args 22 | If password is not given, it is taken from args 23 | Return Connection string according to args and parameters(user, password) 24 | */ 25 | public void GenerateConnectionString(string username, string password) 26 | { 27 | string ouser = username; 28 | string opass = password; 29 | string oconString = ""; 30 | 31 | if (username is null) 32 | { 33 | ouser = cArgs.Username; 34 | } 35 | if (password is null) 36 | { 37 | opass = cArgs.Password; 38 | } 39 | 40 | // TODO: add additional checks for empty servicename, empty SIDS 41 | 42 | 43 | if (cArgs.ServiceName != null) 44 | { 45 | Console.WriteLine("TNS Connection string mode enabled and SERVICE NAME used for connection string"); 46 | cArgs.ConString = String.Format("user id={0};password={1};data source=" + 47 | "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" + 48 | "(HOST={2})(PORT={3}))(CONNECT_DATA=" + 49 | "(ServiceName={4})))", ouser, opass, cArgs.ServerIP, cArgs.Port, cArgs.ServiceName); 50 | } 51 | else 52 | { 53 | Console.WriteLine("TNS Connection string mode enabled and SID used for connection string"); 54 | cArgs.ConString = String.Format("user id={0};password={1};data source=" + 55 | "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" + 56 | "(HOST={2})(PORT={3}))(CONNECT_DATA=" + 57 | "(SID={4})))", ouser, opass, cArgs.ServerIP, cArgs.Port, cArgs.SID); 58 | } 59 | 60 | Console.WriteLine(String.Format("Oracle connection string: {0}", cArgs.ConString)); 61 | 62 | } 63 | /* 64 | Generate Oracle Database connection string 65 | If username is not given, it is taken from args 66 | If password is not given, it is taken from args 67 | DOES NOT PRINT ANYTHING 68 | Return Connection string according to args and parameters(user, password) // 69 | */ 70 | public void GenerateConnectionString() 71 | { 72 | string ouser = cArgs.Username; 73 | string opass = cArgs.Password; 74 | string oconString = ""; 75 | 76 | if (cArgs.ServiceName != null) 77 | { 78 | cArgs.ConString = String.Format("user id={0};password={1};data source=" + 79 | "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" + 80 | "(HOST={2})(PORT={3}))(CONNECT_DATA=" + 81 | "(ServiceName={4})))", ouser, opass, cArgs.ServerIP, cArgs.Port, cArgs.ServiceName); 82 | } 83 | else 84 | { 85 | 86 | cArgs.ConString = String.Format("user id={0};password={1};data source=" + 87 | "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" + 88 | "(HOST={2})(PORT={3}))(CONNECT_DATA=" + 89 | "(SID={4})))", ouser, opass, cArgs.ServerIP, cArgs.Port, cArgs.SID); 90 | } 91 | 92 | 93 | 94 | } 95 | 96 | public void reconConnString() 97 | { 98 | cArgs.ConString = String.Format("data source=" + 99 | "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" + 100 | "(HOST={0})(PORT={1}))(CONNECT_DATA=" + 101 | "(COMMAND=VERSION)))", cArgs.ServerIP, cArgs.Port); 102 | } 103 | 104 | /* 105 | Connection to the database 106 | 'The threaded argument is expected to be a boolean expression which indicates whether or not Oracle 107 | should use the mode OCI_THREADED to wrap accesses to connections with a mutex. Doing so in single threaded 108 | applications imposes a performance penalty of about 10-15% which is why the default is False.' 109 | If stopIfError == True, stop if connection error 110 | */ 111 | 112 | // TODO: add some control around encoding 113 | // TODO: add handling SYSDBA, SYSOPER connections 114 | // TODO: add additional error handling 115 | 116 | 117 | public object connectDB() 118 | { 119 | using (OracleConnection connection = new OracleConnection()) 120 | { 121 | connection.ConnectionString = cArgs.ConString; 122 | 123 | try 124 | { 125 | 126 | connection.Open(); 127 | cArgs.Dbcon = connection; 128 | Console.WriteLine("[!] -- DB Connection Success!"); 129 | connection.Close(); 130 | return "true"; 131 | } 132 | catch (OracleException ex) 133 | { 134 | if (SYSDBA_CREDS.Any(ex.Message.ToLowerInvariant().Contains)) 135 | { 136 | return "28009"; 137 | } 138 | else if (ERROR_RETURN_LIST.Any(ex.Message.ToLowerInvariant().Contains)) 139 | { 140 | return ex.Message.ToString(); 141 | } 142 | else if (TARGET_UNAVAILABLE.Any(ex.Message.ToLowerInvariant().Contains)) 143 | { 144 | return "TARGET_UNAVAILABLE"; 145 | } 146 | else 147 | { 148 | Console.WriteLine(ex.ToString()); 149 | return "false"; 150 | // Console.ReadLine(); 151 | // throw; 152 | } 153 | 154 | 155 | } 156 | 157 | } 158 | } 159 | 160 | /* 161 | Returns True when the TNS listener is well configured and it can be used for connection. Otherwise, return False 162 | Sends a connection with an invalid login, password and SID. If TNS listener is working, the TNS listener 163 | should returns an error with the SID. Ib this case, the TNS listener is working. Otherwise, TNS does not work well. 164 | */ 165 | 166 | 167 | public bool isWorkingTNSList() 168 | { 169 | bool workingTNS = false; 170 | var lastServiceName = cArgs.ServiceName; 171 | cArgs.ServiceName = null; 172 | var lastSID = cArgs.SID; 173 | cArgs.SID = "ERTUICSLAPIE"; 174 | Console.WriteLine(String.Format("[!] -- Checking if {0}:{1} is a working TNS listener...", cArgs.ServerIP, cArgs.Port)); 175 | GenerateConnectionString("ERTUICS", "PASSWD"); 176 | var status = connectDB(); 177 | 178 | if (status.ToString().Contains("ORA-12505")) 179 | { 180 | workingTNS = true; 181 | } 182 | else 183 | { 184 | Console.WriteLine(status.ToString()); 185 | } 186 | 187 | cArgs.SID = lastSID; 188 | cArgs.ServiceName = lastServiceName; 189 | 190 | return workingTNS; 191 | 192 | } 193 | 194 | public bool reconWorkingTNSList() 195 | { 196 | bool workingTNS = false; 197 | var lastServiceName = cArgs.ServiceName; 198 | cArgs.ServiceName = null; 199 | var lastSID = cArgs.SID; 200 | cArgs.SID = "ERTUICSLAPIE"; 201 | //Console.WriteLine(String.Format("[!] -- Checking if {0}:{1} is a working TNS listener...", cArgs.ServerIP, cArgs.Port)); 202 | cArgs.Username = "ERTUICS"; 203 | cArgs.Password = "PASSWD"; 204 | GenerateConnectionString(); 205 | var status = connectDB(); 206 | 207 | if (status.ToString().Contains("ORA-12505")) 208 | { 209 | workingTNS = true; 210 | } 211 | else 212 | { 213 | Console.WriteLine(status.ToString()); 214 | } 215 | 216 | cArgs.SID = lastSID; 217 | cArgs.ServiceName = lastServiceName; 218 | 219 | return workingTNS; 220 | 221 | } 222 | 223 | // TODO: add other methods to OracleDatabase class 224 | } 225 | } 226 | 227 | -------------------------------------------------------------------------------- /wodat/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("wodat")] 9 | [assembly: AssemblyDescription("windows oracle database attack toolkit")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("initroot")] 12 | [assembly: AssemblyProduct("wodat")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("285677f0-67a9-404b-a679-f8aa4a44b7df")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("0.0.1.0")] 36 | [assembly: AssemblyFileVersion("0.0.1.0")] 37 | -------------------------------------------------------------------------------- /wodat/TNS.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Linq; 7 | using System.Net; 8 | using System.Net.Sockets; 9 | 10 | namespace wodat 11 | { 12 | public class TNS 13 | { 14 | public Arguments cArgs; 15 | public TNS(Arguments nArgs) 16 | { 17 | this.cArgs = nArgs; 18 | 19 | } 20 | 21 | private static readonly byte[] Sender = new byte[4] { 0xFF, 0xFF, 0xFF, 0xFF }; 22 | string versionPacket = ""; 23 | private readonly byte[] HeaderDimension = new byte[24]; 24 | private byte[] CommandCode; 25 | private readonly byte[] Receiver = Sender; 26 | private readonly byte[] Error = new byte[] { 0 }; 27 | private readonly byte[] DataDimension = new byte[] { 0 }; 28 | 29 | private void sendTCP() 30 | { 31 | 32 | 33 | 34 | 35 | 36 | try 37 | { 38 | 39 | CommandCode = new byte[4] { 0x35, 0x0, 0x0, 0x4 }; 40 | using (TcpClient tcpClient = new TcpClient(cArgs.ServerIP, cArgs.Port)) 41 | { 42 | NetworkStream networkStream = tcpClient.GetStream(); 43 | 44 | byte[] bytesTosend = HeaderDimension.Concat(CommandCode) 45 | .Concat(Sender) 46 | .Concat(Receiver) 47 | .Concat(Error) 48 | .Concat(DataDimension).ToArray(); 49 | 50 | networkStream.Write(bytesTosend, 0, bytesTosend.Length); 51 | } 52 | 53 | } 54 | catch (Exception ex) 55 | { 56 | Console.WriteLine(ex.ToString()); 57 | } 58 | 59 | } 60 | 61 | 62 | } 63 | 64 | 65 | 66 | 67 | } 68 | -------------------------------------------------------------------------------- /wodat/mainProgram.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.IO; 4 | using System.Net; 5 | using System.Net.Sockets; 6 | 7 | namespace wodat 8 | { 9 | class mainProgram 10 | { 11 | /* 12 | Returns True if it is a working TNS listener. Otherwise False 13 | Use server and port of args only for testing. 14 | TODO: Cleanup the exception handling 15 | */ 16 | public static bool checkListener(Arguments nArgs) 17 | { 18 | var statusWorking = false; 19 | Socket socket; 20 | IPAddress test1 = IPAddress.Parse(nArgs.ServerIP); 21 | IPEndPoint ipe = new IPEndPoint(test1, nArgs.Port); 22 | socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 23 | try 24 | { 25 | socket.Connect(ipe); 26 | } 27 | catch (ArgumentNullException ae) 28 | { 29 | Console.WriteLine("[x] -- ERROR ArgumentNullException : {0}", ae.ToString()); 30 | throw; 31 | } 32 | catch (SocketException se) 33 | { 34 | Console.WriteLine("[x] -- ERROR SocketException : {0}", se.ToString()); 35 | throw; 36 | } 37 | catch (Exception e) 38 | { 39 | Console.WriteLine("[x] -- ERROR Unexpected exception : {0}", e.ToString()); 40 | throw; 41 | } 42 | 43 | if (socket.Connected) 44 | { 45 | socket.Close(); 46 | Console.WriteLine("[!] -- Socket connection established to target"); 47 | OracleDatabase oDB = new OracleDatabase(nArgs); 48 | statusWorking = oDB.isWorkingTNSList(); 49 | 50 | if (statusWorking == false) 51 | { 52 | Console.WriteLine("[x] -- ERROR TNS listener is NOT well configured. Exiting..."); 53 | return false; 54 | 55 | } 56 | else 57 | Console.WriteLine("[!] -- SUCCESS Working TNS listener. Continue..."); 58 | return true; 59 | 60 | } 61 | else 62 | { 63 | return false; 64 | } 65 | 66 | 67 | } 68 | 69 | static void Main(string[] args) 70 | { 71 | // banner 72 | //Console.WriteLine("#################################################"); 73 | Console.WriteLine("WODAT - Windows Oracle Testing Toolkit"); 74 | Console.WriteLine("@initroot"); 75 | Console.WriteLine("#################################################"); 76 | 77 | /* parse the arguments, split by -key 78 | -user 79 | -pass 80 | -sid 81 | -srv 82 | -server 83 | -port 84 | -help 85 | -module 86 | */ 87 | if (args.Length < 1) 88 | { 89 | Console.WriteLine("[!] -- The following arguments are required: \n COMMAND (ALL,BRUTECRED,BRUTESID,BRUTESRV,TEST,RECON,DISC) \n -server:XXX.XXX.XXX.XXX -port:1520 \n -sid:OR -srv:OR\n -user:Peter -pass:Password"); 90 | } 91 | 92 | else 93 | { 94 | var arguments = new ArgumentParser(args); 95 | Arguments nArgs = new Arguments(); 96 | if (arguments.Parameters.ContainsKey("help")) 97 | { 98 | Console.WriteLine("[!] -- The following arguments are required: \n COMMAND (ALL,BRUTECRED,BRUTESID,BRUTESRV,TEST,RECON,DISC) \n -server:XXX.XXX.XXX.XXX -port:1520 \n -sid:OR -srv:OR\n -user:Peter -pass:Password"); 99 | } 100 | // Let's make sure that server and port and minimal has been provided 101 | else if (arguments.Parameters.ContainsKey("server") && arguments.Parameters.ContainsKey("port")) 102 | { 103 | //Let's check which of the commands to run 104 | if (arguments.Command == "ALL") 105 | { 106 | nArgs.ServerIP = arguments.Parameters["server"]; 107 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 108 | 109 | 110 | if (checkListener(nArgs) == true) 111 | { 112 | Console.WriteLine("[!] -- ALL has not been implemented yet!"); 113 | //0)TNS Poinsoning 114 | 115 | 116 | //A)SID MANAGEMENT 117 | 118 | 119 | //A.2 SERVICE NAME MANAGEMENT 120 | 121 | 122 | //B)ACCOUNT MANAGEMENT 123 | } 124 | } 125 | else if (arguments.Command == "RECON") 126 | { 127 | nArgs.ServerIP = arguments.Parameters["server"]; 128 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 129 | 130 | if (checkListener(nArgs) == true) 131 | { 132 | Console.WriteLine("[!] -- RECON has not been implemented yet!"); 133 | } 134 | 135 | } 136 | else if (arguments.Command == "BRUTECRED") 137 | { 138 | if (arguments.Parameters.ContainsKey("sid") || arguments.Parameters.ContainsKey("srv")) 139 | { 140 | // TODO: validate the data provided 141 | if (arguments.Parameters.ContainsKey("sid")) { nArgs.SID = arguments.Parameters["sid"]; }; 142 | if (arguments.Parameters.ContainsKey("srv")) { Console.Write("SET"); nArgs.ServiceName = arguments.Parameters["srv"]; }; 143 | nArgs.ServerIP = arguments.Parameters["server"]; 144 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 145 | 146 | //Check if the listener is active before we proceed 147 | if (checkListener(nArgs) == true) 148 | { 149 | Console.WriteLine("[?] -- Please provide location to file for testing: "); 150 | Console.Write("> "); 151 | String fileName = Console.ReadLine(); 152 | fileName = fileName.Trim(new Char[] { '"', '*', (char)39 }); 153 | if ((fileName != null) && (File.Exists(fileName))) 154 | { 155 | passGuesser gs = new passGuesser(nArgs, fileName); 156 | gs.runPasswordGuesser(); 157 | Console.WriteLine("[!] -- DONE"); 158 | } 159 | else 160 | { 161 | Console.WriteLine("[x] -- File path not provided or file doesn't exist! Exiting..."); 162 | 163 | } 164 | 165 | } 166 | 167 | } 168 | else 169 | { 170 | Console.WriteLine("[x] -- Please ensure sid or servicename are given!"); 171 | 172 | } 173 | } 174 | else if (arguments.Command == "BRUTESID") 175 | { 176 | 177 | // TODO: validate the data provided 178 | nArgs.ServiceName = null; 179 | nArgs.ServerIP = arguments.Parameters["server"]; 180 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 181 | //Check if the listener is active before we proceed 182 | if (checkListener(nArgs) == true) 183 | { 184 | Console.WriteLine("[?] -- Please provide location to file for testing: "); 185 | Console.Write("> "); 186 | String fileName = Console.ReadLine(); 187 | fileName = fileName.Trim(new Char[] { '"', '*', (char)39 }); 188 | if ((fileName != null) && (File.Exists(fileName))) 189 | { 190 | sidGuesser sdG = new sidGuesser(nArgs, fileName); 191 | sdG.runSIDGuesser(); 192 | Console.WriteLine("[!] -- DONE"); 193 | } 194 | else 195 | { 196 | Console.WriteLine("[x] -- File path not provided or file doesn't exist! Exiting..."); 197 | 198 | } 199 | 200 | } 201 | 202 | } 203 | else if (arguments.Command == "BRUTESRV") 204 | { 205 | 206 | // TODO: validate the data provided 207 | nArgs.ServiceName = null; 208 | nArgs.ServerIP = arguments.Parameters["server"]; 209 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 210 | //Check if the listener is active before we proceed 211 | if (checkListener(nArgs) == true) 212 | { 213 | Console.WriteLine("[?] -- Please provide location to file for testing: "); 214 | Console.Write("> "); 215 | String fileName = Console.ReadLine(); 216 | fileName = fileName.Trim(new Char[] { '"', '*', (char)39 }); 217 | if ((fileName != null) && (File.Exists(fileName))) 218 | { 219 | srvGuesser sdG = new srvGuesser(nArgs, fileName); 220 | sdG.runSRVGuesser(); 221 | Console.WriteLine("[!] -- DONE"); 222 | } 223 | else 224 | { 225 | Console.WriteLine("[x] -- File path not provided or file doesn't exist! Exiting..."); 226 | 227 | } 228 | 229 | } 230 | 231 | } 232 | else if (arguments.Command == "TEST") 233 | { 234 | if (arguments.Parameters.ContainsKey("user") && arguments.Parameters.ContainsKey("pass") && (arguments.Parameters.ContainsKey("sid") || arguments.Parameters.ContainsKey("srv"))) 235 | { 236 | // TODO: validate the data provided 237 | nArgs.Username = arguments.Parameters["user"]; 238 | nArgs.Password = arguments.Parameters["pass"]; 239 | 240 | if (arguments.Parameters.ContainsKey("sid")) { nArgs.SID = arguments.Parameters["sid"]; }; 241 | if (arguments.Parameters.ContainsKey("srv")) { Console.Write("SET"); nArgs.ServiceName = arguments.Parameters["srv"]; }; 242 | 243 | nArgs.ServerIP = arguments.Parameters["server"]; 244 | nArgs.Port = Convert.ToInt32(arguments.Parameters["port"]); 245 | 246 | //Check if the listener is active before we proceed 247 | if (checkListener(nArgs) == true) 248 | { 249 | testConnection tDB = new testConnection(nArgs); 250 | Console.WriteLine("[!] -- Attempted to connect to the instance: " + tDB.testConn().ToString()); 251 | Console.Write("> "); 252 | Console.ReadLine(); 253 | } 254 | 255 | 256 | } 257 | else 258 | { 259 | Console.WriteLine("[x] -- Please ensure user, pass, [sid or servicename] are given!"); 260 | 261 | } 262 | } 263 | else 264 | { 265 | Console.WriteLine("[x] -- You have not entered any command!"); 266 | Console.WriteLine("[!] -- The following arguments are required: \n COMMAND (ALL,BRUTECRED,BRUTESID,BRUTESRV,TEST,RECON,DISC) \n -server:XXX.XXX.XXX.XXX -port:1520 \n -sid:OR -srv:OR\n -user:Peter -pass:Password"); 267 | 268 | } 269 | 270 | 271 | } 272 | //discovery module doesn't need any parameters only the command 273 | else if (arguments.Command == "DISC") 274 | { 275 | // TODO: validate the data provided 276 | Console.WriteLine("[?] -- Please provide file with targets or input network range: "); 277 | Console.Write("> "); 278 | String targRecon = Console.ReadLine(); 279 | targRecon = targRecon.Trim(new Char[] { '"', '*', (char)39 }); 280 | if (targRecon != null) 281 | { 282 | reconTool rto = new reconTool(targRecon); 283 | rto.runReconTool(); 284 | Console.WriteLine("[!] -- DONE"); 285 | } 286 | else 287 | { 288 | Console.WriteLine("[x] -- File path not provided or file doesn't exist or network range not correct! Exiting..."); 289 | 290 | } 291 | } 292 | else 293 | { 294 | 295 | Console.WriteLine("[!] -- The following arguments are required: \n COMMAND (ALL,BRUTECRED,BRUTESID,BRUTESRV,TEST,RECON,DISC) \n -server:XXX.XXX.XXX.XXX -port:1520 \n -sid:OR -srv:OR\n -user:Peter -pass:Password"); 296 | } 297 | } 298 | 299 | } 300 | } 301 | } 302 | 303 | -------------------------------------------------------------------------------- /wodat/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /wodat/passGuesser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace wodat 8 | { 9 | public class passGuesser 10 | { 11 | public Arguments cArgs; 12 | public String fileName; 13 | public string[] comboList; 14 | public List validsList = new List(); 15 | public passGuesser(Arguments nArgs, String fileName) 16 | { 17 | this.cArgs = nArgs; 18 | this.fileName = fileName; 19 | } 20 | 21 | //Returns valid list of creds. 22 | public List validCreds() 23 | { 24 | return validsList; 25 | } 26 | 27 | /* 28 | Load data from file. 29 | Impossible to have duplicate data. 30 | */ 31 | public void loadFromFile() 32 | { 33 | comboList = (System.IO.File.ReadAllLines(fileName)).Distinct().ToArray(); 34 | } 35 | 36 | public bool testCredential() 37 | { 38 | var response = ""; 39 | bool success = false; 40 | 41 | OracleDatabase nDB = new OracleDatabase(cArgs); 42 | response = (String)nDB.connectDB(); 43 | if (response.Contains("TARGET_UNAVAILABLE")) 44 | { 45 | Console.WriteLine("\n [x] -- TARGET_UNAVAILABLE You might want to cancel CTRL + C.."); 46 | return success; 47 | } 48 | else if (response.Contains("rue")) 49 | { 50 | success = true; 51 | Console.ForegroundColor = ConsoleColor.Green; 52 | Console.WriteLine("\t Testing: " + cArgs.Username + ":" + cArgs.Password + " \t State: " + "Success!"); 53 | validsList.Add(cArgs.Username + ":" + cArgs.Password); 54 | Console.ResetColor(); 55 | return success; 56 | } 57 | else if (response.Contains("28009")) 58 | { 59 | success = true; 60 | Console.ForegroundColor = ConsoleColor.Yellow; 61 | Console.WriteLine("\t Testing: " + cArgs.Username + ":" + cArgs.Password + " \t State: " + "Potential SYSDBA or SYSOPER account found, manually confirm.."); 62 | validsList.Add(cArgs.Username + ":" + cArgs.Password); 63 | Console.ResetColor(); 64 | return success; 65 | } 66 | 67 | else { Console.WriteLine("\t Testing: " + cArgs.Username + ":" + cArgs.Password + " \t State: " + response); return success; } 68 | 69 | } 70 | 71 | public void runPasswordGuesser() 72 | { 73 | // Let's test the file and read what the user provided 74 | Console.WriteLine("[?] -- Please select which type of file has been provided: \n A - Username:Password \n B - Usernames \n C - Passwords \n D - Username as Pass"); 75 | Console.Write("> "); 76 | String optType = Console.ReadLine().ToUpper(); 77 | if (optType != null) 78 | { 79 | if (optType == "A") 80 | { 81 | 82 | loadFromFile(); 83 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique credential combos..."); 84 | foreach (string combo in comboList) 85 | { 86 | String user = combo.Split(':')[0]; 87 | String pass = combo.Split(':')[1]; 88 | 89 | cArgs.Username = user; 90 | cArgs.Password = pass; 91 | 92 | testCredential(); 93 | } 94 | 95 | if (validsList.Count > 0) 96 | { 97 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] set of credentials!" ); 98 | validsList.ForEach(Console.WriteLine); 99 | } 100 | } 101 | else if ((optType == "B") && (cArgs.Password != null)) 102 | { 103 | loadFromFile(); 104 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique usernames with the password: [" + cArgs.Password + "]" ); 105 | foreach (string combo in comboList) 106 | { 107 | String user = combo; 108 | cArgs.Username = user; 109 | 110 | testCredential(); 111 | } 112 | 113 | if (validsList.Count > 0) 114 | { 115 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] set of credentials!"); 116 | validsList.ForEach(Console.WriteLine); 117 | } 118 | 119 | 120 | } 121 | else if ((optType == "C") && (cArgs.Username != null)) 122 | { 123 | loadFromFile(); 124 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique passwords with the username: [" + cArgs.Username + "]"); 125 | foreach (string combo in comboList) 126 | { 127 | String pass = combo; 128 | cArgs.Password = pass; 129 | 130 | testCredential(); 131 | } 132 | 133 | if (validsList.Count > 0) 134 | { 135 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] set of credentials!"); 136 | validsList.ForEach(Console.WriteLine); 137 | } 138 | 139 | 140 | } 141 | else if (optType == "D") 142 | { 143 | loadFromFile(); 144 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique usernames as passwords"); 145 | foreach (string combo in comboList) 146 | { 147 | String user = combo; 148 | cArgs.Username = user; 149 | cArgs.Password = user; 150 | 151 | testCredential(); 152 | } 153 | 154 | if (validsList.Count > 0) 155 | { 156 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] set of credentials!"); 157 | validsList.ForEach(Console.WriteLine); 158 | } 159 | 160 | 161 | } 162 | else 163 | { 164 | Console.WriteLine("[x] -- Option not recognized! \n B -- Ensure password argument is provided. \n C -- Ensure username argument is provided. \n Exiting..."); 165 | } 166 | 167 | } 168 | else 169 | { 170 | Console.WriteLine("[x] -- No option provided! Exiting..."); 171 | } 172 | 173 | 174 | 175 | } 176 | 177 | } 178 | } 179 | -------------------------------------------------------------------------------- /wodat/reconTool.cs: -------------------------------------------------------------------------------- 1 | 2 | using System; 3 | using System.Collections.Generic; 4 | using System.IO; 5 | using System.Linq; 6 | using System.Net; 7 | using System.Net.Sockets; 8 | using System.Text; 9 | using System.Threading; 10 | using System.Threading.Tasks; 11 | using IpRanges; 12 | 13 | namespace wodat 14 | { 15 | public class reconTool 16 | { 17 | 18 | public String targRecon; 19 | public IEnumerable comboList; 20 | int tested = 0; 21 | public List validsList = new List(); 22 | 23 | 24 | public reconTool(String targRecon) 25 | { 26 | this.targRecon = targRecon; 27 | } 28 | 29 | //Returns valid list of targets. 30 | public List validTargets() 31 | { 32 | return validsList.Distinct().ToList(); 33 | } 34 | 35 | 36 | /* 37 | Returns True if it is a working TNS listener. Otherwise False 38 | Use server and port of args only for testing. 39 | TODO: Cleanup the exception handling 40 | */ 41 | public void checkListener(Arguments cArgs) 42 | { 43 | tested = tested + 1; 44 | //Console.WriteLine("Testing manually: " + cArgs.ServerIP); 45 | if (cArgs.Port == 0) 46 | { 47 | cArgs.Port = 1521; 48 | 49 | } 50 | var statusWorking = false; 51 | Socket socket; 52 | IPAddress test1 = IPAddress.Parse(cArgs.ServerIP); 53 | IPEndPoint ipe = new IPEndPoint(test1, cArgs.Port); 54 | socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 55 | socket.SendTimeout = 2; 56 | var socketConn = false; 57 | try 58 | { 59 | 60 | socket.Connect(ipe); 61 | 62 | 63 | } 64 | catch (Exception ex) 65 | { 66 | //Console.WriteLine("[x] -- ERROR Unexpected exception : {0}", e.ToString()); 67 | // throw; 68 | 69 | } 70 | if (socket.Connected) 71 | { 72 | OracleDatabase oDB = new OracleDatabase(cArgs); 73 | statusWorking = oDB.reconWorkingTNSList(); 74 | 75 | if (statusWorking == false) 76 | { 77 | socket.Close(); 78 | 79 | } 80 | else 81 | { 82 | Console.ForegroundColor = ConsoleColor.Green; 83 | string targ1 = cArgs.ServerIP + ":" + Convert.ToString(cArgs.Port); 84 | Console.WriteLine("\t Found valid target: " + targ1); 85 | validsList.Add(targ1); 86 | Console.ResetColor(); 87 | socket.Close(); 88 | Console.WriteLine("[!] -- Targets tested: " + tested.ToString()); 89 | 90 | } 91 | 92 | 93 | 94 | } 95 | else { } 96 | 97 | } 98 | 99 | public void runReconTool() 100 | { 101 | if (targRecon.Contains("\\") && File.Exists(targRecon)) 102 | { 103 | IEnumerable comboList = File.ReadAllLines(targRecon); 104 | //Console.WriteLine(comboList); 105 | Console.WriteLine("[!] -- Now attempting to discover valid TNS listeners against [" + comboList.Count() + "] targets loaded from file."); 106 | foreach (string combo in comboList) 107 | { 108 | combo.Replace(" ", String.Empty); 109 | Console.WriteLine(combo); 110 | //wrap in try catch for in case something is off with the target provided 111 | try 112 | { 113 | 114 | if (combo.Contains(",")) 115 | { 116 | Arguments cArgs = new Arguments(); 117 | cArgs.ServerIP = combo.Split(',')[0]; 118 | cArgs.Port = Convert.ToInt32(combo.Split(',')[1]); 119 | checkListener(cArgs); 120 | 121 | } 122 | else 123 | { 124 | Arguments cArgs = new Arguments(); 125 | cArgs.ServerIP = combo.Split(',')[0]; 126 | cArgs.Port = 1521; //default port 127 | checkListener(cArgs); 128 | } 129 | } 130 | catch 131 | { 132 | //no need for errors just continue 133 | } 134 | 135 | } 136 | 137 | 138 | } 139 | else 140 | { 141 | 142 | try 143 | { 144 | IPRange range; 145 | range = new IPRange(targRecon); 146 | Console.WriteLine("[!] -- Now attempting to discover valid TNS listeners against [" + range.GetAllIP().Count() + "] targets."); 147 | 148 | //Parallel.ForEach(range.GetAllIP(), new ParallelOptions { MaxDegreeOfParallelism = 8 }, ipa => 149 | Parallel.ForEach(range.GetAllIP(), ipa => { 150 | try 151 | { 152 | Arguments cArgs = new Arguments(); 153 | cArgs.ServerIP = ipa.ToString(); 154 | cArgs.Port = 1521; //default port 155 | checkListener(cArgs); 156 | } 157 | catch (Exception ex) { //Console.WriteLine(ex.ToString()); 158 | } 159 | 160 | }); 161 | 162 | 163 | } 164 | catch (Exception ex) 165 | { 166 | 167 | Console.WriteLine("[x] -- Error encountered, please ensure IP range is provided correctly e.g. 192.168.1.0/24! or file path is correct."); 168 | } 169 | 170 | 171 | } 172 | 173 | 174 | if (validsList.Count > 0) 175 | { 176 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] valid targets!"); 177 | validsList.ForEach(Console.WriteLine); 178 | } 179 | else 180 | { 181 | 182 | Console.ReadLine(); 183 | 184 | } 185 | } 186 | 187 | 188 | 189 | 190 | } 191 | } 192 | -------------------------------------------------------------------------------- /wodat/sidGuesser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading; 6 | using System.Threading.Tasks; 7 | 8 | namespace wodat 9 | { 10 | public class sidGuesser 11 | { 12 | public Arguments cArgs; 13 | public String fileName; 14 | public string[] comboList; 15 | public List validsList = new List(); 16 | public string[] NO_GOOD_SID_STRING_LIST = { "transport address syntax","listener does not currently know of service requested", "listener does not currently know of sid", "connection to server failed", "destination host unreachable" }; 17 | 18 | 19 | public sidGuesser(Arguments nArgs, String fileName) 20 | { 21 | this.cArgs = nArgs; 22 | this.fileName = fileName; 23 | } 24 | 25 | //Returns valid list of SIDS. 26 | public List validSIDS() 27 | { 28 | return validsList; 29 | } 30 | 31 | /* 32 | Load data from file. 33 | Impossible to have duplicate data. 34 | */ 35 | public void loadFromFile() 36 | { 37 | comboList = (System.IO.File.ReadAllLines(fileName)).Distinct().ToArray(); 38 | } 39 | 40 | public bool TestSID(bool brute) 41 | { 42 | if (brute == false) 43 | { 44 | Thread.Sleep(2000); 45 | var response = ""; 46 | bool success = false; 47 | OracleDatabase nDB = new OracleDatabase(cArgs); 48 | cArgs.Username = "POIOPI"; 49 | cArgs.Password = "SDFEWRTER"; 50 | nDB.GenerateConnectionString(); 51 | response = (String)nDB.connectDB(); 52 | if (response.Contains("TARGET_UNAVAILABLE")) 53 | { 54 | Console.WriteLine("\n [x] -- TARGET_UNAVAILABLE You might want to cancel CTRL + C.."); 55 | return success; 56 | } 57 | else if (NO_GOOD_SID_STRING_LIST.Any(response.ToLowerInvariant().Contains)) 58 | { 59 | success = true; 60 | return success; 61 | } 62 | else 63 | { 64 | success = true; 65 | Console.ForegroundColor = ConsoleColor.Green; 66 | Console.WriteLine("\t Found potential valid SID: " + cArgs.SID + " \t State: " + response); 67 | validsList.Add(cArgs.SID); 68 | Console.ResetColor(); 69 | return success; 70 | } 71 | } 72 | else 73 | { 74 | Thread.Sleep(750); 75 | var response = ""; 76 | bool success = false; 77 | OracleDatabase nDB = new OracleDatabase(cArgs); 78 | cArgs.Username = "POIOPI"; 79 | cArgs.Password = "SDFEWRTER"; 80 | nDB.GenerateConnectionString(); 81 | response = (String)nDB.connectDB(); 82 | if (response.Contains("TARGET_UNAVAILABLE")) 83 | { 84 | Console.WriteLine("\n [x] -- TARGET_UNAVAILABLE You might want to cancel CTRL + C.."); 85 | return success; 86 | } 87 | else if (NO_GOOD_SID_STRING_LIST.Any(response.ToLowerInvariant().Contains)) 88 | { 89 | return success; 90 | } 91 | else 92 | { 93 | success = true; 94 | Console.ForegroundColor = ConsoleColor.Green; 95 | validsList.Add(cArgs.SID); 96 | Console.WriteLine("\t Found potential valid SID: " + cArgs.SID + " \t State: " + response); 97 | Console.ResetColor(); 98 | return success; 99 | } 100 | } 101 | 102 | 103 | } 104 | 105 | string ValidChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; 106 | 107 | public void bruteSIDs(string prefix, int level, int maxlen) 108 | { 109 | 110 | level += 1; 111 | foreach (char c in ValidChars) 112 | { 113 | string word = (prefix + c); 114 | //Console.Write("\b\b\b\b\b{0}", word); 115 | cArgs.SID = word.ToUpperInvariant(); 116 | TestSID(true); 117 | if (level < maxlen) 118 | { 119 | bruteSIDs(prefix + c, level, maxlen); 120 | } 121 | } 122 | 123 | } 124 | 125 | 126 | // TODO: implement function when networking module works 127 | public void loadSIdsFromListenerAlias() 128 | { 129 | 130 | 131 | } 132 | public void runSIDGuesser() 133 | { 134 | loadFromFile(); 135 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique SIDs..."); 136 | foreach (string combo in comboList) 137 | { 138 | cArgs.SID = combo.ToUpperInvariant(); 139 | TestSID(false); 140 | } 141 | 142 | if (validsList.Count > 0) 143 | { 144 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] valid SIDs!"); 145 | validsList.ForEach(Console.WriteLine); 146 | } 147 | else 148 | { 149 | Console.WriteLine("[?] -- No valid SIDs found from provided list... Would you like to perform bruteforce attack \t (Y - Yes | N - No)?"); 150 | Console.Write("> "); 151 | String respBrute = Console.ReadLine().ToUpperInvariant(); 152 | if (respBrute == "Y") 153 | { 154 | Console.WriteLine("[!] -- Now attempting to bruteforce 1 char SID values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 155 | bruteSIDs("", 0,1); 156 | Console.WriteLine("[!] -- Now attempting to bruteforce 2 char SID values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 157 | bruteSIDs("", 0,2); 158 | Console.WriteLine("[!] -- Now attempting to bruteforce 3 char SID values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 159 | bruteSIDs("", 0,3); 160 | Console.WriteLine("[!] -- Now attempting to bruteforce 4 char SID values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 161 | bruteSIDs("", 0, 4); 162 | } 163 | else 164 | { 165 | 166 | } 167 | 168 | } 169 | } 170 | 171 | } 172 | } 173 | -------------------------------------------------------------------------------- /wodat/srvGuesser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading; 6 | using System.Threading.Tasks; 7 | 8 | namespace wodat 9 | { 10 | public class srvGuesser 11 | { 12 | public Arguments cArgs; 13 | public String fileName; 14 | public string[] comboList; 15 | public List validsList = new List(); 16 | public string[] NO_GOOD_SRV_STRING_LIST = { "listener does not currently know of service requested", "listener does not currently know of SID", "connection to server failed", "destination host unreachable" }; 17 | 18 | 19 | public srvGuesser(Arguments nArgs, String fileName) 20 | { 21 | this.cArgs = nArgs; 22 | this.fileName = fileName; 23 | } 24 | 25 | //Returns valid list of SRVS. 26 | public List validSRVS() 27 | { 28 | return validsList; 29 | } 30 | 31 | /* 32 | Load data from file. 33 | Impossible to have duplicate data. 34 | */ 35 | public void loadFromFile() 36 | { 37 | comboList = (System.IO.File.ReadAllLines(fileName)).Distinct().ToArray(); 38 | } 39 | 40 | public bool TestSRV(bool brute) 41 | { 42 | if (brute == false) 43 | { 44 | Thread.Sleep(2000); 45 | var response = ""; 46 | bool success = false; 47 | OracleDatabase nDB = new OracleDatabase(cArgs); 48 | cArgs.Username = "POIOPI"; 49 | cArgs.Password = "SDFEWRTER"; 50 | nDB.GenerateConnectionString(); 51 | response = (String)nDB.connectDB(); 52 | if (response.Contains("TARGET_UNAVAILABLE")) 53 | { 54 | Console.WriteLine("\n [x] -- TARGET_UNAVAILABLE You might want to cancel CTRL + C.."); 55 | return success; 56 | } 57 | else if (NO_GOOD_SRV_STRING_LIST.Any(response.ToLowerInvariant().Contains)) 58 | { 59 | success = true; 60 | return success; 61 | } 62 | else 63 | { 64 | success = true; 65 | Console.ForegroundColor = ConsoleColor.Green; 66 | Console.WriteLine("\t Found potential valid ServiceName: " + cArgs.ServiceName + " \t State: " + response); 67 | validsList.Add(cArgs.ServiceName); 68 | Console.ResetColor(); 69 | return success; 70 | } 71 | } 72 | else 73 | { 74 | Thread.Sleep(750); 75 | var response = ""; 76 | bool success = false; 77 | OracleDatabase nDB = new OracleDatabase(cArgs); 78 | cArgs.Username = "POIOPI"; 79 | cArgs.Password = "SDFEWRTER"; 80 | nDB.GenerateConnectionString(); 81 | response = (String)nDB.connectDB(); 82 | if (response.Contains("TARGET_UNAVAILABLE")) 83 | { 84 | Console.WriteLine("\n [x] -- TARGET_UNAVAILABLE You might want to cancel CTRL + C.."); 85 | return success; 86 | } 87 | else if (NO_GOOD_SRV_STRING_LIST.Any(response.ToLowerInvariant().Contains)) 88 | { 89 | return success; 90 | } 91 | else 92 | { 93 | success = true; 94 | Console.ForegroundColor = ConsoleColor.Green; 95 | validsList.Add(cArgs.ServiceName); 96 | Console.WriteLine("\t Found potential valid ServiceName: " + cArgs.ServiceName + " \t State: " + response); 97 | Console.ResetColor(); 98 | return success; 99 | } 100 | } 101 | 102 | 103 | } 104 | 105 | string ValidChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; 106 | 107 | public void bruteSRVs(string prefix, int level, int maxlen) 108 | { 109 | 110 | level += 1; 111 | foreach (char c in ValidChars) 112 | { 113 | string word = (prefix + c); 114 | //Console.Write("\b\b\b\b\b{0}", word); 115 | cArgs.ServiceName = word.ToUpperInvariant(); 116 | TestSRV(true); 117 | if (level < maxlen) 118 | { 119 | bruteSRVs(prefix + c, level, maxlen); 120 | } 121 | } 122 | 123 | } 124 | 125 | 126 | // TODO: implement function when networking module works 127 | public void loadSRVsFromListenerAlias() 128 | { 129 | 130 | 131 | } 132 | public void runSRVGuesser() 133 | { 134 | loadFromFile(); 135 | Console.WriteLine("[!] -- Now attempting to connect using [" + comboList.Count() + "] unique ServiceNames..."); 136 | foreach (string combo in comboList) 137 | { 138 | cArgs.ServiceName = combo.ToUpperInvariant(); 139 | TestSRV(false); 140 | } 141 | 142 | if (validsList.Count > 0) 143 | { 144 | Console.WriteLine("[!] -- Found [" + validsList.Count() + "] valid ServiceNames!"); 145 | validsList.ForEach(Console.WriteLine); 146 | } 147 | else 148 | { 149 | Console.WriteLine("[?] -- No valid ServiceNames found from provided list... Would you like to perform bruteforce attack \t (Y - Yes | N - No)?"); 150 | Console.Write("> "); 151 | String respBrute = Console.ReadLine().ToUpperInvariant(); 152 | if (respBrute == "Y") 153 | { 154 | Console.WriteLine("[!] -- Now attempting to bruteforce 2 char ServiceNames values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 155 | bruteSRVs("", 0, 2); 156 | Console.WriteLine("[!] -- Now attempting to bruteforce 3 char ServiceNames values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 157 | bruteSRVs("", 0, 3); 158 | Console.WriteLine("[!] -- Now attempting to bruteforce 4 char ServiceNames values. Please be patient, this can take a couple of minutes... CTRL + C to quit.."); 159 | bruteSRVs("", 0, 4); 160 | } 161 | else 162 | { 163 | 164 | } 165 | 166 | } 167 | } 168 | } 169 | } 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /wodat/testConnection.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Linq; 3 | using System.Net; 4 | using System.Net.Sockets; 5 | 6 | namespace wodat 7 | { 8 | public class testConnection 9 | { 10 | public Arguments cArgs; 11 | public testConnection(Arguments nArgs) 12 | { 13 | this.cArgs = nArgs; 14 | 15 | } 16 | 17 | public bool testConn() 18 | { 19 | var response = ""; 20 | bool success = false; 21 | OracleDatabase nDB = new OracleDatabase(cArgs); 22 | response = (String)nDB.connectDB(); 23 | if (response.Contains("rue")) 24 | { 25 | success = true; 26 | return success; 27 | } 28 | else { return success; } 29 | } 30 | 31 | 32 | 33 | } 34 | } 35 | 36 | -------------------------------------------------------------------------------- /wodat/wodat.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {285677F0-67A9-404B-A679-F8AA4A44B7DF} 8 | Exe 9 | wodat 10 | wodat 11 | v4.7 12 | 512 13 | true 14 | true 15 | 16 | 17 | 18 | false 19 | publish\ 20 | true 21 | Disk 22 | false 23 | Foreground 24 | 7 25 | Days 26 | false 27 | false 28 | true 29 | 0 30 | 1.0.0.%2a 31 | false 32 | true 33 | 34 | 35 | true 36 | full 37 | false 38 | bin\Debug\ 39 | DEBUG;TRACE 40 | prompt 41 | 4 42 | 43 | 44 | x64 45 | true 46 | bin\Release\ 47 | 48 | 49 | prompt 50 | 4 51 | false 52 | 53 | 54 | wodat.mainProgram 55 | 56 | 57 | 58 | ..\packages\Microsoft.Bcl.AsyncInterfaces.6.0.0\lib\net461\Microsoft.Bcl.AsyncInterfaces.dll 59 | False 60 | 61 | 62 | ..\packages\Oracle.ManagedDataAccess.21.6.1\lib\net462\Oracle.ManagedDataAccess.dll 63 | False 64 | 65 | 66 | 67 | ..\packages\System.Buffers.4.5.1\lib\net461\System.Buffers.dll 68 | False 69 | 70 | 71 | 72 | ..\packages\System.Memory.4.5.4\lib\net461\System.Memory.dll 73 | False 74 | 75 | 76 | 77 | ..\packages\System.Numerics.Vectors.4.5.0\lib\net46\System.Numerics.Vectors.dll 78 | False 79 | 80 | 81 | ..\packages\System.Runtime.CompilerServices.Unsafe.6.0.0\lib\net461\System.Runtime.CompilerServices.Unsafe.dll 82 | False 83 | 84 | 85 | ..\packages\System.Text.Encoding.CodePages.6.0.0\lib\net461\System.Text.Encoding.CodePages.dll 86 | False 87 | 88 | 89 | ..\packages\System.Text.Encodings.Web.6.0.0\lib\net461\System.Text.Encodings.Web.dll 90 | False 91 | 92 | 93 | ..\packages\System.Text.Json.6.0.0\lib\net461\System.Text.Json.dll 94 | False 95 | 96 | 97 | ..\packages\System.Threading.Tasks.Extensions.4.5.4\lib\net461\System.Threading.Tasks.Extensions.dll 98 | False 99 | 100 | 101 | ..\packages\System.ValueTuple.4.5.0\lib\net47\System.ValueTuple.dll 102 | False 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | False 132 | Microsoft .NET Framework 4.7 %28x86 and x64%29 133 | true 134 | 135 | 136 | False 137 | .NET Framework 3.5 SP1 138 | false 139 | 140 | 141 | 142 | 143 | 144 | 145 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. 146 | 147 | 148 | 149 | --------------------------------------------------------------------------------