DZone
Performance Zone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Trend Reports
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone > Performance Zone > Oracle EBS Penetration Testing Tool

Oracle EBS Penetration Testing Tool

In exploring different cybersecurity options, Oracle discovered that there was a lack of security assessment tools and made their own.

Alexander Polyakov user avatar by
Alexander Polyakov
·
Apr. 06, 18 · Performance Zone · Tutorial
Like (1)
Save
Tweet
6.20K Views

Join the DZone community and get the full member experience.

Join For Free

Nobody will argue that IT security is vital in our modern world, particularly for businesses. Cybercrime is getting worse and systems become more vulnerable with time, making organizations more susceptible to cyberattacks and financial losses. That's why the topic of cybercrime demands more attention and cyber-awareness.

ERP security is a separate part of IT security. Nowadays ERP encompasses a huge range of various tools and services written on the base of different technologies. It's critical to possess proper knowledge in the security field and convenient tools for managing.

When we were exploring Oracle E-Business Suite security, we noticed an absence of present-day convenient and free security tools on the market that can help simplify security assessment. There were bunches of various modules or scripts to check one or two issues narrowly. We started developing our own solution, the  first free Oracle E-Business Suite security scanner—ERPSCAN EBS Pentesting tool.

What is it? It is a "wrapper" for multiple EBS exploits developed by our research team. All modules are represented in the Python language. Currently, there are four main modules (1 of them uses EBS Users' passwords decryptor):

  • EBS DB Users brute-force;
  • EBS Users brute-force;
  • EBS Java Serialization test;
  • EBS XML Serialization test.

For now, we have published just four of them. If this tool becomes popular, we will continue this project and release more our private modules.

Pentesting Oracle EBS Database

Oracle EBS DB Users Brute-Force

Script brutes standard DB users with pre-defined passwords. Also, it can grab EBS users' passwords from APPS.fnd_user table and if password hashing is not on, it decrypts them with the ebsDecrypt.py module. All findings will be saved in dbCheckResults.txt file.

Help

You should install cx_Oracle for working.

usage: dbUsersBforce.py [-h] [-H HOST] [-P PORT] [-s SID] [-d DEC] [-v]

EBS DB Users brute-force Python Script. It tests for default DB users with the predefined passwords. Also it can check
whether any bruted DB user can decrypt EBS Users passwords (of course if Password Hashing is not implemented).

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  DB host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  DB port (default: 1521)
  -s SID, --sid SID     DB SID (default: EBSDB)
  -d DEC, --dec DEC     Try to decrypt EBS Users Passwords? Y/N
  -v, --verbose         verbose mode


Usage

$ dbUsersBrutforce.py -H ebs.example.com -s EBSDB -d Y


Oracle EBS Password Decryption

Script can decrypt EBS users passwords if apps user passwords is known. It handles new (SHA-1 + 3DES) and old (SHA-1-like + ARC4) encryptions.

Help

You should install pyjks for working.

usage: ebsDecrypt.py [-h] [-k KEY] [-d DATA]

Script can decrypt EBS users' passwords in case `apps` user passwords is known.
It handles `new` (SHA-1 + triple-DES) and `old` (SHA-1-like + RC4) encryption.

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     APPS user password (default: APPS
  -d DATA, --data DATA  Decrypted data (test value: C4E9B591098EA0)


Usage

apps user password should be uppercase.

$ decrypt.py -k APPS -d ZH4715DC7E9C2213F7CD56D44CE1CB8625FB71D0F4935EFEAE5B8CA66117B9C2D6A1E733BA80005F4CD19706A03218E8C5E4


Pentesting Oracle EBS Application

EBS Users Brute-Force

Script brutes EBS default users with predefined passwords. It handles two types of authorization versions (don't mix with SSO!).

Help

usage: ebsUsersBforce.py [-h] [-H HOST] [-P PORT] [-s] [-t TIMEOUT] [-v]

EBS Users brute-force python script brutes EBS default users with predefined passwords.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  EBS host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  EBS web port (default: 8000)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 10)
  -v, --verbose         verbose mode


Usage

$ ebsUsersBforce.py -H ebs.example.com -P 8000


Oracle EBS Java Serialization Test

EBS Python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to Java Deserialization attacks.

Help

usage: javaSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT]
                        [-v]

EBS python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  EBS host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  EBS web port (default: 8000)
  -u URL, --url URL     EBS target URL (default: OA_HTML/iesRuntimeServlet)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 15)
  -v, --verbose         verbose mode


Usage

$ javaSerDetect.py -H ebs.example.com -P 8000


Oracle WebLogic Level Checks

Oracle EBS XML Serialization test

Python script for XML Serialization sleep payload testing based on CVE-2017-3506 & 10271. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to XML Deserialization attacks.

Help

usage: xmlSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT]
                       [-v]

EBS python script for XML Serialization sleep payload testing based on `CVE-2017-3506 & 10271`.

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  WebLogic host (default: 127.0.0.1). Example: ebs.example.com
  -P PORT, --port PORT  WebLogic port (default: 7001)
  -u URL, --url URL     WebLogic target URL (default: wls-wsat/CoordinatorPortType)
  -s, --ssl             enable SSL
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 15)
  -v, --verbose         verbose mode


Usage

$ xmlSerDetect.py -H ebs.example.com -P 7001


That's all for today. Download our free ERPScan EBS Pentesting Tool and share it on Twitter.
Keep in touch and follow us on Twitter, Facebook, and LinkedIn and get more information from our ERPScan Research team.

security

Published at DZone with permission of Alexander Polyakov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • How To Evaluate Software Quality Assurance Success: KPIs, SLAs, Release Cycles, and Costs
  • Common Types Of Network Security Vulnerabilities In 2022
  • Building Reactive Java Applications with Spring Framework
  • What Are Microservices?

Comments

Performance Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo