Monthly Archives: August 2011

Oracle query support in Nmap

I’ve just committed an updated version of the TNS library to Nmap, adding support for running Oracle database queries from Nmap scripts. I’ve put a considerable amount of work into trying to understand how the protocol works, due to the lack of documentation, and think that I’ve finally succeeded.

In addition I’ve posted two new scripts to the nmap-dev mailing list that make use of this new functionality:

  • oracle-query – runs a given query against the Oracle database server and returns the results
  • oracle-hash-dump – dumps the password hashes from an Oracle database server

In case you have the possibility to test this new code against Oracle 10g and 11g, please let me know how it works out. I’ll hopefully commit the two scripts to Nmap within the next few days.

I’ve ported mbenum to Nmap

Thank’s to some great effort put into the smb libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I’ve imagined. A first version has been committed to subversion a while ago but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before it’s a tool that allows you to get a good picture of a network by querying a single system.

Mbenum or the Nmap script smb-mbenum relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a netbios query for the __MSBROWSE__  name. The Nmap script broadcast-netbios-master-browser can be used to identify the master browser for your broadcast domain by sending a netbios query to the broadcast address.