Metasploit provide one useful and additional Oracle database auxiliary module who will permit you to gather informations.

You can find all these auxiliary modules through the Metasploit search command.

To invoke this auxiliary module just type the following command :

This module will scan the Oracle database server to gather different informations :

  • Oracle version (select * from v$version)
  • All values from v$parameter (select name,value from v$parameter)
  • If database audit trail is enabled or not
  • If database sys operations audit is enabled or not
  • If SQL92 security restriction on SELECT is enabled or not
  • If link encryption for logins is enabled or not
  • Provide you the UTL directory access configuration
  • Provide you the audit log directory configuration
  • Provide you the current account lockout time from the password policy
  • Provide you the number of authorized failed logins value before an account is locked from the password policy
  • Provide you the password grace time value from the password policy
  • Provide you the password lifetime value from the password policy
  • Provide you the the number of times a password can be reused from the password policy
  • Provide you the maximun number of times a password needs to be changed before it can be reused from the password policy
  • Check if the password complexity is enabled or not
  • Provide you a list of all active accounts in format Username, Hash and Spare4
  • Provide you a list of all expired or locked accounts in format Username, Hash and Spare4
  • Provide you a list of all accounts with DBA privileges in format Username and Hash
  • Provide you a list of all accounts with ALTER, JAVA ADMIN, CREATE LIBRARY, CREATE ANY.
  • Check default password are setup on the database.