rubyfu 1.0.1

Files changed (151)
  1. checksums.yaml +7 -0
  2. data/README.md +96 -0
  3. data/Rakefile +1 -0
  4. data/_book/beginners.html +1299 -0
  5. data/_book/contribution.html +1350 -0
  6. data/_book/contributors/Ruby_Loves_Us.jpg +0 -0
  7. data/_book/contributors/index.html +1294 -0
  8. data/_book/contributors/todo.html +1293 -0
  9. data/_book/cover.jpg +0 -0
  10. data/_book/faqs/index.html +1308 -0
  11. data/_book/files/module03/dns_spoofing_dns-query.pcap +0 -0
  12. data/_book/files/module03/dns_spoofing_dns-req_res.pcap.pcapng +0 -0
  13. data/_book/files/module06/ftp.pcap +0 -0
  14. data/_book/files/module06/packets.pcap +0 -0
  15. data/_book/gitbook/app.js +25001 -0
  16. data/_book/gitbook/fonts/fontawesome/FontAwesome.otf +0 -0
  17. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.eot +0 -0
  18. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.svg +504 -0
  19. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.ttf +0 -0
  20. data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.woff +0 -0
  21. data/_book/gitbook/images/apple-touch-icon-precomposed-152.png +0 -0
  22. data/_book/gitbook/images/favicon.ico +0 -0
  23. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/README.md +19 -0
  24. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/index.js +57 -0
  25. data/_book/gitbook/plugins/gitbook-plugin-addcssjs/package.json +47 -0
  26. data/_book/gitbook/plugins/gitbook-plugin-anchors/plugin.css +26 -0
  27. data/_book/gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js +30 -0
  28. data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css +28 -0
  29. data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js +68 -0
  30. data/_book/gitbook/plugins/gitbook-plugin-fontsettings/buttons.js +151 -0
  31. data/_book/gitbook/plugins/gitbook-plugin-fontsettings/website.css +291 -0
  32. data/_book/gitbook/plugins/gitbook-plugin-highlight/ebook.css +131 -0
  33. data/_book/gitbook/plugins/gitbook-plugin-highlight/website.css +426 -0
  34. data/_book/gitbook/plugins/gitbook-plugin-search/lunr.min.js +7 -0
  35. data/_book/gitbook/plugins/gitbook-plugin-search/search.css +27 -0
  36. data/_book/gitbook/plugins/gitbook-plugin-search/search.js +135 -0
  37. data/_book/gitbook/plugins/gitbook-plugin-sharing/buttons.js +93 -0
  38. data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.css +22 -0
  39. data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.js +122 -0
  40. data/_book/gitbook/style.css +9 -0
  41. data/_book/googlec55db2d603c3da8b.html +1 -0
  42. data/_book/images/module02/Cryptography__wiringdiagram.png +0 -0
  43. data/_book/images/module02/packaging__ocra1.png +0 -0
  44. data/_book/images/module03/dns_spoofing_wireshark1.png +0 -0
  45. data/_book/images/module03/dns_spoofing_wireshark2.png +0 -0
  46. data/_book/images/module04/webfu__post_form1.png +0 -0
  47. data/_book/images/module04/webfu__proxy2.png +0 -0
  48. data/_book/images/module04/webfu__twitterAPI1.png +0 -0
  49. data/_book/images/module04/webfu__xmlrpc1.png +0 -0
  50. data/_book/images/module05/msf_template1.png +0 -0
  51. data/_book/images/module06/win-foren__winreg1.png +0 -0
  52. data/_book/images/other/Ruby_Loves_Us.jpg +0 -0
  53. data/_book/images/other/cover.jpg +0 -0
  54. data/_book/images/other/cover_small.jpg +0 -0
  55. data/_book/images/other/logo.png +0 -0
  56. data/_book/images/other/rubyfu.png +0 -0
  57. data/_book/images/other/rubyfu1.png +0 -0
  58. data/_book/images/other/rubyfu3.png +0 -0
  59. data/_book/images/other/rubyfu4.png +0 -0
  60. data/_book/images/other/rubyfu_.png +0 -0
  61. data/_book/index.html +1284 -0
  62. data/_book/module_0x1__basic_ruby_kung_fu/array.html +1297 -0
  63. data/_book/module_0x1__basic_ruby_kung_fu/conversion.html +1386 -0
  64. data/_book/module_0x1__basic_ruby_kung_fu/extraction.html +1346 -0
  65. data/_book/module_0x1__basic_ruby_kung_fu/index.html +1367 -0
  66. data/_book/module_0x1__basic_ruby_kung_fu/string.html +1451 -0
  67. data/_book/module_0x2__system_kung_fu/command_execution.html +1348 -0
  68. data/_book/module_0x2__system_kung_fu/cryptography.html +1396 -0
  69. data/_book/module_0x2__system_kung_fu/email.html +1352 -0
  70. data/_book/module_0x2__system_kung_fu/file_manipulation.html +1371 -0
  71. data/_book/module_0x2__system_kung_fu/index.html +1557 -0
  72. data/_book/module_0x2__system_kung_fu/ncatrb.html +1424 -0
  73. data/_book/module_0x2__system_kung_fu/packaging.md +1 -0
  74. data/_book/module_0x2__system_kung_fu/packaging__ocra1.png +0 -0
  75. data/_book/module_0x2__system_kung_fu/parsing_html,_xml,_json.html +1395 -0
  76. data/_book/module_0x2__system_kung_fu/rce_as_a_service.html +1336 -0
  77. data/_book/module_0x2__system_kung_fu/smtp_enumeration.html +1308 -0
  78. data/_book/module_0x2__system_kung_fu/system_shell.html +1299 -0
  79. data/_book/module_0x2__system_kung_fu/virustotal.html +1318 -0
  80. data/_book/module_0x3__network_kung_fu/Remote_shell.md +19 -0
  81. data/_book/module_0x3__network_kung_fu/arp_spoofing.html +1420 -0
  82. data/_book/module_0x3__network_kung_fu/dns.html +1315 -0
  83. data/_book/module_0x3__network_kung_fu/dns_bruteforce.md +49 -0
  84. data/_book/module_0x3__network_kung_fu/dns_enumeration.html +1371 -0
  85. data/_book/module_0x3__network_kung_fu/dns_spoofing.html +1694 -0
  86. data/_book/module_0x3__network_kung_fu/dns_spoofing_wireshark2.png +0 -0
  87. data/_book/module_0x3__network_kung_fu/ftp.html +1287 -0
  88. data/_book/module_0x3__network_kung_fu/index.html +1392 -0
  89. data/_book/module_0x3__network_kung_fu/network_scanning.html +1339 -0
  90. data/_book/module_0x3__network_kung_fu/network_traffic_analysis.html +1356 -0
  91. data/_book/module_0x3__network_kung_fu/nmap.html +1355 -0
  92. data/_book/module_0x3__network_kung_fu/oracle_tns_enum1.png +0 -0
  93. data/_book/module_0x3__network_kung_fu/packet_manipulation.html +1386 -0
  94. data/_book/module_0x3__network_kung_fu/ruby_socket.html +1553 -0
  95. data/_book/module_0x3__network_kung_fu/snmp_enumeration.html +1314 -0
  96. data/_book/module_0x3__network_kung_fu/ssh.html +1461 -0
  97. data/_book/module_0x3__network_kung_fu/ssid_finder.html +1324 -0
  98. data/_book/module_0x3__network_kung_fu/tns_enumeration.html +1505 -0
  99. data/_book/module_0x4__web_kung_fu/browser_manipulation.html +1630 -0
  100. data/_book/module_0x4__web_kung_fu/databases.html +1531 -0
  101. data/_book/module_0x4__web_kung_fu/extending_burpsuite.html +1303 -0
  102. data/_book/module_0x4__web_kung_fu/index.html +1536 -0
  103. data/_book/module_0x4__web_kung_fu/interacting_with_apis.html +1271 -0
  104. data/_book/module_0x4__web_kung_fu/ruby2javascript.html +1303 -0
  105. data/_book/module_0x4__web_kung_fu/sql_injection_scanner.html +1489 -0
  106. data/_book/module_0x4__web_kung_fu/twitter_api.html +1328 -0
  107. data/_book/module_0x4__web_kung_fu/web_servcies_and_apis.html +1291 -0
  108. data/_book/module_0x4__web_kung_fu/web_server_and_proxy.html +1370 -0
  109. data/_book/module_0x4__web_kung_fu/web_services.html +1394 -0
  110. data/_book/module_0x4__web_kung_fu/webfu__burp-ext1.png +0 -0
  111. data/_book/module_0x4__web_kung_fu/webfu__burp-ext2.png +0 -0
  112. data/_book/module_0x4__web_kung_fu/webfu__burp_setenv1.png +0 -0
  113. data/_book/module_0x4__web_kung_fu/webfu__proxy2.png +0 -0
  114. data/_book/module_0x4__web_kung_fu/webfu__twitterAPI1.png +0 -0
  115. data/_book/module_0x4__web_kung_fu/webfu__xmlrpc1.png +0 -0
  116. data/_book/module_0x4__web_kung_fu/wordpress_api.html +1543 -0
  117. data/_book/module_0x5__exploitation_kung_fu/MSF-struct.png +0 -0
  118. data/_book/module_0x5__exploitation_kung_fu/auxiliary_module.html +1870 -0
  119. data/_book/module_0x5__exploitation_kung_fu/exploit_module.html +1523 -0
  120. data/_book/module_0x5__exploitation_kung_fu/extensions.html +1466 -0
  121. data/_book/module_0x5__exploitation_kung_fu/fuzzer.html +1325 -0
  122. data/_book/module_0x5__exploitation_kung_fu/index.html +1319 -0
  123. data/_book/module_0x5__exploitation_kung_fu/metasm.html +1322 -0
  124. data/_book/module_0x5__exploitation_kung_fu/metasploit.html +1441 -0
  125. data/_book/module_0x5__exploitation_kung_fu/meterpreter.html +1327 -0
  126. data/_book/module_0x5__exploitation_kung_fu/meterpreter_scripting.html +1318 -0
  127. data/_book/module_0x5__exploitation_kung_fu/msf_meter_railgun1.png +0 -0
  128. data/_book/module_0x5__exploitation_kung_fu/msf_template1.png +0 -0
  129. data/_book/module_0x5__exploitation_kung_fu/railgun_api_extension.html +1300 -0
  130. data/_book/module_0x6__forensic/android_forensic.html +1356 -0
  131. data/_book/module_0x6__forensic/index.html +1332 -0
  132. data/_book/module_0x6__forensic/parsing_log_files.html +1375 -0
  133. data/_book/module_0x6__forensic/win-foren__winreg1.png +0 -0
  134. data/_book/module_0x6__forensic/windows_forensic.html +1289 -0
  135. data/_book/package.json +5 -0
  136. data/_book/references/index.html +1338 -0
  137. data/_book/required_gems.html +1342 -0
  138. data/_book/rubyfu_.png +0 -0
  139. data/_book/search_index.json +1 -0
  140. data/_book/styles/ebook.css +1 -0
  141. data/_book/styles/epub.css +1 -0
  142. data/_book/styles/header.js +5 -0
  143. data/_book/styles/mobi.css +1 -0
  144. data/_book/styles/pdf.css +1 -0
  145. data/_book/styles/website.css +41 -0
  146. data/bin/rubyfu +48 -0
  147. data/lib/rubyfu.rb +36 -0
  148. data/lib/rubyfu/browse.rb +35 -0
  149. data/lib/rubyfu/version.rb +3 -0
  150. data/lib/rubyfu/webserver.rb +30 -0
  151. metadata +210 -0
@@ -0,0 +1,1505 @@
1
+ <!DOCTYPE HTML>
2
+ <html lang="en" >
3
+
4
+ <head>
5
+
6
+ <meta charset="UTF-8">
7
+ <meta http-equiv="X-UA-Compatible" content="IE=edge" />
8
+ <title>Oracle TNS Enumeration | RubyFu</title>
9
+ <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
10
+ <meta name="description" content="">
11
+ <meta name="generator" content="GitBook 2.6.2">
12
+
13
+
14
+ <meta name="HandheldFriendly" content="true"/>
15
+ <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
16
+ <meta name="apple-mobile-web-app-capable" content="yes">
17
+ <meta name="apple-mobile-web-app-status-bar-style" content="black">
18
+ <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
19
+ <link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
20
+
21
+ <link rel="stylesheet" href="../gitbook/style.css">
22
+
23
+
24
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-anchors/plugin.css">
25
+
26
+
27
+
28
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-splitter/splitter.css">
29
+
30
+
31
+
32
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css">
33
+
34
+
35
+
36
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-highlight/website.css">
37
+
38
+
39
+
40
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-search/search.css">
41
+
42
+
43
+
44
+ <link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-fontsettings/website.css">
45
+
46
+
47
+
48
+ <link rel="stylesheet" href="../styles/website.css">
49
+
50
+
51
+
52
+
53
+
54
+ <link rel="next" href="../module_0x3__network_kung_fu/packet_manipulation.html" />
55
+
56
+
57
+ <link rel="prev" href="../module_0x3__network_kung_fu/snmp_enumeration.html" />
58
+
59
+
60
+ <script type="text/javascript" src="../styles/header.js"></script>
61
+ </head>
62
+ <body>
63
+
64
+
65
+ <div class="book"
66
+ data-level="3.9"
67
+ data-chapter-title="Oracle TNS Enumeration"
68
+ data-filepath="module_0x3__network_kung_fu/tns_enumeration.md"
69
+ data-basepath=".."
70
+ data-revision="Wed Jan 27 2016 09:00:51 GMT+0300 (AST)"
71
+ data-innerlanguage="">
72
+
73
+
74
+ <div class="book-summary">
75
+ <nav role="navigation">
76
+ <ul class="summary">
77
+
78
+
79
+
80
+
81
+
82
+
83
+
84
+
85
+
86
+ <li class="chapter " data-level="0" data-path="index.html">
87
+
88
+
89
+ <a href="../index.html">
90
+
91
+ <i class="fa fa-check"></i>
92
+
93
+ Module 0x0 | Introduction
94
+ </a>
95
+
96
+
97
+ <ul class="articles">
98
+
99
+
100
+ <li class="chapter " data-level="0.1" data-path="contribution.html">
101
+
102
+
103
+ <a href="../contribution.html">
104
+
105
+ <i class="fa fa-check"></i>
106
+
107
+ <b>0.1.</b>
108
+
109
+ Contribution
110
+ </a>
111
+
112
+
113
+ </li>
114
+
115
+ <li class="chapter " data-level="0.2" data-path="beginners.html">
116
+
117
+
118
+ <a href="../beginners.html">
119
+
120
+ <i class="fa fa-check"></i>
121
+
122
+ <b>0.2.</b>
123
+
124
+ Beginners
125
+ </a>
126
+
127
+
128
+ </li>
129
+
130
+ <li class="chapter " data-level="0.3" data-path="required_gems.html">
131
+
132
+
133
+ <a href="../required_gems.html">
134
+
135
+ <i class="fa fa-check"></i>
136
+
137
+ <b>0.3.</b>
138
+
139
+ Required Gems
140
+ </a>
141
+
142
+
143
+ </li>
144
+
145
+
146
+ </ul>
147
+
148
+ </li>
149
+
150
+ <li class="chapter " data-level="1" data-path="module_0x1__basic_ruby_kung_fu/index.html">
151
+
152
+
153
+ <a href="../module_0x1__basic_ruby_kung_fu/index.html">
154
+
155
+ <i class="fa fa-check"></i>
156
+
157
+ <b>1.</b>
158
+
159
+ Module 0x1 | Basic Ruby Kung Fu
160
+ </a>
161
+
162
+
163
+ <ul class="articles">
164
+
165
+
166
+ <li class="chapter " data-level="1.1" data-path="module_0x1__basic_ruby_kung_fu/string.html">
167
+
168
+
169
+ <a href="../module_0x1__basic_ruby_kung_fu/string.html">
170
+
171
+ <i class="fa fa-check"></i>
172
+
173
+ <b>1.1.</b>
174
+
175
+ String
176
+ </a>
177
+
178
+
179
+ <ul class="articles">
180
+
181
+
182
+ <li class="chapter " data-level="1.1.1" data-path="module_0x1__basic_ruby_kung_fu/conversion.html">
183
+
184
+
185
+ <a href="../module_0x1__basic_ruby_kung_fu/conversion.html">
186
+
187
+ <i class="fa fa-check"></i>
188
+
189
+ <b>1.1.1.</b>
190
+
191
+ Conversion
192
+ </a>
193
+
194
+
195
+ </li>
196
+
197
+ <li class="chapter " data-level="1.1.2" data-path="module_0x1__basic_ruby_kung_fu/extraction.html">
198
+
199
+
200
+ <a href="../module_0x1__basic_ruby_kung_fu/extraction.html">
201
+
202
+ <i class="fa fa-check"></i>
203
+
204
+ <b>1.1.2.</b>
205
+
206
+ Extraction
207
+ </a>
208
+
209
+
210
+ </li>
211
+
212
+
213
+ </ul>
214
+
215
+ </li>
216
+
217
+ <li class="chapter " data-level="1.2" data-path="module_0x1__basic_ruby_kung_fu/array.html">
218
+
219
+
220
+ <a href="../module_0x1__basic_ruby_kung_fu/array.html">
221
+
222
+ <i class="fa fa-check"></i>
223
+
224
+ <b>1.2.</b>
225
+
226
+ Array
227
+ </a>
228
+
229
+
230
+ </li>
231
+
232
+
233
+ </ul>
234
+
235
+ </li>
236
+
237
+ <li class="chapter " data-level="2" data-path="module_0x2__system_kung_fu/index.html">
238
+
239
+
240
+ <a href="../module_0x2__system_kung_fu/index.html">
241
+
242
+ <i class="fa fa-check"></i>
243
+
244
+ <b>2.</b>
245
+
246
+ Module 0x2 | System Kung Fu
247
+ </a>
248
+
249
+
250
+ <ul class="articles">
251
+
252
+
253
+ <li class="chapter " data-level="2.1" data-path="module_0x2__system_kung_fu/command_execution.html">
254
+
255
+
256
+ <a href="../module_0x2__system_kung_fu/command_execution.html">
257
+
258
+ <i class="fa fa-check"></i>
259
+
260
+ <b>2.1.</b>
261
+
262
+ Command Execution
263
+ </a>
264
+
265
+
266
+ </li>
267
+
268
+ <li class="chapter " data-level="2.2" data-path="module_0x2__system_kung_fu/file_manipulation.html">
269
+
270
+
271
+ <a href="../module_0x2__system_kung_fu/file_manipulation.html">
272
+
273
+ <i class="fa fa-check"></i>
274
+
275
+ <b>2.2.</b>
276
+
277
+ File manipulation
278
+ </a>
279
+
280
+
281
+ <ul class="articles">
282
+
283
+
284
+ <li class="chapter " data-level="2.2.1" data-path="module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
285
+
286
+
287
+ <a href="../module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
288
+
289
+ <i class="fa fa-check"></i>
290
+
291
+ <b>2.2.1.</b>
292
+
293
+ Parsing HTML, XML, JSON
294
+ </a>
295
+
296
+
297
+ </li>
298
+
299
+
300
+ </ul>
301
+
302
+ </li>
303
+
304
+ <li class="chapter " data-level="2.3" data-path="module_0x2__system_kung_fu/cryptography.html">
305
+
306
+
307
+ <a href="../module_0x2__system_kung_fu/cryptography.html">
308
+
309
+ <i class="fa fa-check"></i>
310
+
311
+ <b>2.3.</b>
312
+
313
+ Cryptography
314
+ </a>
315
+
316
+
317
+ </li>
318
+
319
+ <li class="chapter " data-level="2.4" data-path="module_0x2__system_kung_fu/system_shell.html">
320
+
321
+
322
+ <a href="../module_0x2__system_kung_fu/system_shell.html">
323
+
324
+ <i class="fa fa-check"></i>
325
+
326
+ <b>2.4.</b>
327
+
328
+ Remote Shell
329
+ </a>
330
+
331
+
332
+ <ul class="articles">
333
+
334
+
335
+ <li class="chapter " data-level="2.4.1" data-path="module_0x2__system_kung_fu/ncatrb.html">
336
+
337
+
338
+ <a href="../module_0x2__system_kung_fu/ncatrb.html">
339
+
340
+ <i class="fa fa-check"></i>
341
+
342
+ <b>2.4.1.</b>
343
+
344
+ Ncat.rb
345
+ </a>
346
+
347
+
348
+ </li>
349
+
350
+ <li class="chapter " data-level="2.4.2" data-path="module_0x2__system_kung_fu/rce_as_a_service.html">
351
+
352
+
353
+ <a href="../module_0x2__system_kung_fu/rce_as_a_service.html">
354
+
355
+ <i class="fa fa-check"></i>
356
+
357
+ <b>2.4.2.</b>
358
+
359
+ RCE as a Service
360
+ </a>
361
+
362
+
363
+ </li>
364
+
365
+
366
+ </ul>
367
+
368
+ </li>
369
+
370
+ <li class="chapter " data-level="2.5" data-path="module_0x2__system_kung_fu/virustotal.html">
371
+
372
+
373
+ <a href="../module_0x2__system_kung_fu/virustotal.html">
374
+
375
+ <i class="fa fa-check"></i>
376
+
377
+ <b>2.5.</b>
378
+
379
+ VirusTotal
380
+ </a>
381
+
382
+
383
+ </li>
384
+
385
+
386
+ </ul>
387
+
388
+ </li>
389
+
390
+ <li class="chapter " data-level="3" data-path="module_0x3__network_kung_fu/index.html">
391
+
392
+
393
+ <a href="../module_0x3__network_kung_fu/index.html">
394
+
395
+ <i class="fa fa-check"></i>
396
+
397
+ <b>3.</b>
398
+
399
+ Module 0x3 | Network Kung Fu
400
+ </a>
401
+
402
+
403
+ <ul class="articles">
404
+
405
+
406
+ <li class="chapter " data-level="3.1" data-path="module_0x3__network_kung_fu/ruby_socket.html">
407
+
408
+
409
+ <a href="../module_0x3__network_kung_fu/ruby_socket.html">
410
+
411
+ <i class="fa fa-check"></i>
412
+
413
+ <b>3.1.</b>
414
+
415
+ Ruby Socket
416
+ </a>
417
+
418
+
419
+ </li>
420
+
421
+ <li class="chapter " data-level="3.2" data-path="module_0x3__network_kung_fu/ssid_finder.html">
422
+
423
+
424
+ <a href="../module_0x3__network_kung_fu/ssid_finder.html">
425
+
426
+ <i class="fa fa-check"></i>
427
+
428
+ <b>3.2.</b>
429
+
430
+ SSID Finder
431
+ </a>
432
+
433
+
434
+ </li>
435
+
436
+ <li class="chapter " data-level="3.3" data-path="module_0x3__network_kung_fu/ftp.html">
437
+
438
+
439
+ <a href="../module_0x3__network_kung_fu/ftp.html">
440
+
441
+ <i class="fa fa-check"></i>
442
+
443
+ <b>3.3.</b>
444
+
445
+ FTP
446
+ </a>
447
+
448
+
449
+ </li>
450
+
451
+ <li class="chapter " data-level="3.4" data-path="module_0x3__network_kung_fu/ssh.html">
452
+
453
+
454
+ <a href="../module_0x3__network_kung_fu/ssh.html">
455
+
456
+ <i class="fa fa-check"></i>
457
+
458
+ <b>3.4.</b>
459
+
460
+ SSH
461
+ </a>
462
+
463
+
464
+ </li>
465
+
466
+ <li class="chapter " data-level="3.5" data-path="module_0x2__system_kung_fu/email.html">
467
+
468
+
469
+ <a href="../module_0x2__system_kung_fu/email.html">
470
+
471
+ <i class="fa fa-check"></i>
472
+
473
+ <b>3.5.</b>
474
+
475
+ Email
476
+ </a>
477
+
478
+
479
+ <ul class="articles">
480
+
481
+
482
+ <li class="chapter " data-level="3.5.1" data-path="module_0x2__system_kung_fu/smtp_enumeration.html">
483
+
484
+
485
+ <a href="../module_0x2__system_kung_fu/smtp_enumeration.html">
486
+
487
+ <i class="fa fa-check"></i>
488
+
489
+ <b>3.5.1.</b>
490
+
491
+ SMTP Enumeration
492
+ </a>
493
+
494
+
495
+ </li>
496
+
497
+
498
+ </ul>
499
+
500
+ </li>
501
+
502
+ <li class="chapter " data-level="3.6" data-path="module_0x3__network_kung_fu/network_scanning.html">
503
+
504
+
505
+ <a href="../module_0x3__network_kung_fu/network_scanning.html">
506
+
507
+ <i class="fa fa-check"></i>
508
+
509
+ <b>3.6.</b>
510
+
511
+ Network Scanning
512
+ </a>
513
+
514
+
515
+ <ul class="articles">
516
+
517
+
518
+ <li class="chapter " data-level="3.6.1" data-path="module_0x3__network_kung_fu/nmap.html">
519
+
520
+
521
+ <a href="../module_0x3__network_kung_fu/nmap.html">
522
+
523
+ <i class="fa fa-check"></i>
524
+
525
+ <b>3.6.1.</b>
526
+
527
+ Nmap
528
+ </a>
529
+
530
+
531
+ </li>
532
+
533
+
534
+ </ul>
535
+
536
+ </li>
537
+
538
+ <li class="chapter " data-level="3.7" data-path="module_0x3__network_kung_fu/dns.html">
539
+
540
+
541
+ <a href="../module_0x3__network_kung_fu/dns.html">
542
+
543
+ <i class="fa fa-check"></i>
544
+
545
+ <b>3.7.</b>
546
+
547
+ DNS
548
+ </a>
549
+
550
+
551
+ <ul class="articles">
552
+
553
+
554
+ <li class="chapter " data-level="3.7.1" data-path="module_0x3__network_kung_fu/dns_enumeration.html">
555
+
556
+
557
+ <a href="../module_0x3__network_kung_fu/dns_enumeration.html">
558
+
559
+ <i class="fa fa-check"></i>
560
+
561
+ <b>3.7.1.</b>
562
+
563
+ DNS Enumeration
564
+ </a>
565
+
566
+
567
+ </li>
568
+
569
+
570
+ </ul>
571
+
572
+ </li>
573
+
574
+ <li class="chapter " data-level="3.8" data-path="module_0x3__network_kung_fu/snmp_enumeration.html">
575
+
576
+
577
+ <a href="../module_0x3__network_kung_fu/snmp_enumeration.html">
578
+
579
+ <i class="fa fa-check"></i>
580
+
581
+ <b>3.8.</b>
582
+
583
+ SNMP Enumeration
584
+ </a>
585
+
586
+
587
+ </li>
588
+
589
+ <li class="chapter active" data-level="3.9" data-path="module_0x3__network_kung_fu/tns_enumeration.html">
590
+
591
+
592
+ <a href="../module_0x3__network_kung_fu/tns_enumeration.html">
593
+
594
+ <i class="fa fa-check"></i>
595
+
596
+ <b>3.9.</b>
597
+
598
+ Oracle TNS Enumeration
599
+ </a>
600
+
601
+
602
+ </li>
603
+
604
+ <li class="chapter " data-level="3.10" data-path="module_0x3__network_kung_fu/packet_manipulation.html">
605
+
606
+
607
+ <a href="../module_0x3__network_kung_fu/packet_manipulation.html">
608
+
609
+ <i class="fa fa-check"></i>
610
+
611
+ <b>3.10.</b>
612
+
613
+ Packet manipulation
614
+ </a>
615
+
616
+
617
+ <ul class="articles">
618
+
619
+
620
+ <li class="chapter " data-level="3.10.1" data-path="module_0x3__network_kung_fu/arp_spoofing.html">
621
+
622
+
623
+ <a href="../module_0x3__network_kung_fu/arp_spoofing.html">
624
+
625
+ <i class="fa fa-check"></i>
626
+
627
+ <b>3.10.1.</b>
628
+
629
+ ARP Spoofing
630
+ </a>
631
+
632
+
633
+ </li>
634
+
635
+ <li class="chapter " data-level="3.10.2" data-path="module_0x3__network_kung_fu/dns_spoofing.html">
636
+
637
+
638
+ <a href="../module_0x3__network_kung_fu/dns_spoofing.html">
639
+
640
+ <i class="fa fa-check"></i>
641
+
642
+ <b>3.10.2.</b>
643
+
644
+ DNS Spoofing
645
+ </a>
646
+
647
+
648
+ </li>
649
+
650
+
651
+ </ul>
652
+
653
+ </li>
654
+
655
+
656
+ </ul>
657
+
658
+ </li>
659
+
660
+ <li class="chapter " data-level="4" data-path="module_0x4__web_kung_fu/index.html">
661
+
662
+
663
+ <a href="../module_0x4__web_kung_fu/index.html">
664
+
665
+ <i class="fa fa-check"></i>
666
+
667
+ <b>4.</b>
668
+
669
+ Module 0x4 | Web Kung Fu
670
+ </a>
671
+
672
+
673
+ <ul class="articles">
674
+
675
+
676
+ <li class="chapter " data-level="4.1" data-path="module_0x4__web_kung_fu/sql_injection_scanner.html">
677
+
678
+
679
+ <a href="../module_0x4__web_kung_fu/sql_injection_scanner.html">
680
+
681
+ <i class="fa fa-check"></i>
682
+
683
+ <b>4.1.</b>
684
+
685
+ SQL Injection Scanner
686
+ </a>
687
+
688
+
689
+ </li>
690
+
691
+ <li class="chapter " data-level="4.2" data-path="module_0x4__web_kung_fu/databases.html">
692
+
693
+
694
+ <a href="../module_0x4__web_kung_fu/databases.html">
695
+
696
+ <i class="fa fa-check"></i>
697
+
698
+ <b>4.2.</b>
699
+
700
+ Databases
701
+ </a>
702
+
703
+
704
+ </li>
705
+
706
+ <li class="chapter " data-level="4.3" data-path="module_0x4__web_kung_fu/extending_burpsuite.html">
707
+
708
+
709
+ <a href="../module_0x4__web_kung_fu/extending_burpsuite.html">
710
+
711
+ <i class="fa fa-check"></i>
712
+
713
+ <b>4.3.</b>
714
+
715
+ Extending Burp Suite
716
+ </a>
717
+
718
+
719
+ </li>
720
+
721
+ <li class="chapter " data-level="4.4" data-path="module_0x4__web_kung_fu/browser_manipulation.html">
722
+
723
+
724
+ <a href="../module_0x4__web_kung_fu/browser_manipulation.html">
725
+
726
+ <i class="fa fa-check"></i>
727
+
728
+ <b>4.4.</b>
729
+
730
+ Browser Manipulation
731
+ </a>
732
+
733
+
734
+ </li>
735
+
736
+ <li class="chapter " data-level="4.5" data-path="module_0x4__web_kung_fu/web_servcies_and_apis.html">
737
+
738
+
739
+ <a href="../module_0x4__web_kung_fu/web_servcies_and_apis.html">
740
+
741
+ <i class="fa fa-check"></i>
742
+
743
+ <b>4.5.</b>
744
+
745
+ Web Services and APIs
746
+ </a>
747
+
748
+
749
+ <ul class="articles">
750
+
751
+
752
+ <li class="chapter " data-level="4.5.1" data-path="module_0x4__web_kung_fu/web_services.html">
753
+
754
+
755
+ <a href="../module_0x4__web_kung_fu/web_services.html">
756
+
757
+ <i class="fa fa-check"></i>
758
+
759
+ <b>4.5.1.</b>
760
+
761
+ Interacting with Web Services
762
+ </a>
763
+
764
+
765
+ </li>
766
+
767
+ <li class="chapter " data-level="4.5.2" data-path="module_0x4__web_kung_fu/interacting_with_apis.html">
768
+
769
+
770
+ <a href="../module_0x4__web_kung_fu/interacting_with_apis.html">
771
+
772
+ <i class="fa fa-check"></i>
773
+
774
+ <b>4.5.2.</b>
775
+
776
+ Interacting with APIs
777
+ </a>
778
+
779
+
780
+ <ul class="articles">
781
+
782
+
783
+ <li class="chapter " data-level="4.5.2.1" data-path="module_0x4__web_kung_fu/wordpress_api.html">
784
+
785
+
786
+ <a href="../module_0x4__web_kung_fu/wordpress_api.html">
787
+
788
+ <i class="fa fa-check"></i>
789
+
790
+ <b>4.5.2.1.</b>
791
+
792
+ WordPress API
793
+ </a>
794
+
795
+
796
+ </li>
797
+
798
+ <li class="chapter " data-level="4.5.2.2" data-path="module_0x4__web_kung_fu/twitter_api.html">
799
+
800
+
801
+ <a href="../module_0x4__web_kung_fu/twitter_api.html">
802
+
803
+ <i class="fa fa-check"></i>
804
+
805
+ <b>4.5.2.2.</b>
806
+
807
+ Twitter API
808
+ </a>
809
+
810
+
811
+ </li>
812
+
813
+
814
+ </ul>
815
+
816
+ </li>
817
+
818
+
819
+ </ul>
820
+
821
+ </li>
822
+
823
+ <li class="chapter " data-level="4.6" data-path="module_0x4__web_kung_fu/ruby2javascript.html">
824
+
825
+
826
+ <a href="../module_0x4__web_kung_fu/ruby2javascript.html">
827
+
828
+ <i class="fa fa-check"></i>
829
+
830
+ <b>4.6.</b>
831
+
832
+ Ruby 2 JavaScript
833
+ </a>
834
+
835
+
836
+ </li>
837
+
838
+ <li class="chapter " data-level="4.7" data-path="module_0x4__web_kung_fu/web_server_and_proxy.html">
839
+
840
+
841
+ <a href="../module_0x4__web_kung_fu/web_server_and_proxy.html">
842
+
843
+ <i class="fa fa-check"></i>
844
+
845
+ <b>4.7.</b>
846
+
847
+ Web Server and Proxy
848
+ </a>
849
+
850
+
851
+ </li>
852
+
853
+
854
+ </ul>
855
+
856
+ </li>
857
+
858
+ <li class="chapter " data-level="5" data-path="module_0x5__exploitation_kung_fu/index.html">
859
+
860
+
861
+ <a href="../module_0x5__exploitation_kung_fu/index.html">
862
+
863
+ <i class="fa fa-check"></i>
864
+
865
+ <b>5.</b>
866
+
867
+ Module 0x5 | Exploitation Kung Fu
868
+ </a>
869
+
870
+
871
+ <ul class="articles">
872
+
873
+
874
+ <li class="chapter " data-level="5.1" data-path="module_0x5__exploitation_kung_fu/fuzzer.html">
875
+
876
+
877
+ <a href="../module_0x5__exploitation_kung_fu/fuzzer.html">
878
+
879
+ <i class="fa fa-check"></i>
880
+
881
+ <b>5.1.</b>
882
+
883
+ Fuzzer
884
+ </a>
885
+
886
+
887
+ </li>
888
+
889
+ <li class="chapter " data-level="5.2" data-path="module_0x5__exploitation_kung_fu/metasploit.html">
890
+
891
+
892
+ <a href="../module_0x5__exploitation_kung_fu/metasploit.html">
893
+
894
+ <i class="fa fa-check"></i>
895
+
896
+ <b>5.2.</b>
897
+
898
+ Metasploit
899
+ </a>
900
+
901
+
902
+ <ul class="articles">
903
+
904
+
905
+ <li class="chapter " data-level="5.2.1" data-path="module_0x5__exploitation_kung_fu/auxiliary_module.html">
906
+
907
+
908
+ <a href="../module_0x5__exploitation_kung_fu/auxiliary_module.html">
909
+
910
+ <i class="fa fa-check"></i>
911
+
912
+ <b>5.2.1.</b>
913
+
914
+ Auxiliary module
915
+ </a>
916
+
917
+
918
+ </li>
919
+
920
+ <li class="chapter " data-level="5.2.2" data-path="module_0x5__exploitation_kung_fu/exploit_module.html">
921
+
922
+
923
+ <a href="../module_0x5__exploitation_kung_fu/exploit_module.html">
924
+
925
+ <i class="fa fa-check"></i>
926
+
927
+ <b>5.2.2.</b>
928
+
929
+ Exploit module
930
+ </a>
931
+
932
+
933
+ </li>
934
+
935
+ <li class="chapter " data-level="5.2.3" data-path="module_0x5__exploitation_kung_fu/meterpreter.html">
936
+
937
+
938
+ <a href="../module_0x5__exploitation_kung_fu/meterpreter.html">
939
+
940
+ <i class="fa fa-check"></i>
941
+
942
+ <b>5.2.3.</b>
943
+
944
+ Meterpreter
945
+ </a>
946
+
947
+
948
+ <ul class="articles">
949
+
950
+
951
+ <li class="chapter " data-level="5.2.3.1" data-path="module_0x5__exploitation_kung_fu/extensions.html">
952
+
953
+
954
+ <a href="../module_0x5__exploitation_kung_fu/extensions.html">
955
+
956
+ <i class="fa fa-check"></i>
957
+
958
+ <b>5.2.3.1.</b>
959
+
960
+ API and Extensions
961
+ </a>
962
+
963
+
964
+ </li>
965
+
966
+ <li class="chapter " data-level="5.2.3.2" data-path="module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
967
+
968
+
969
+ <a href="../module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
970
+
971
+ <i class="fa fa-check"></i>
972
+
973
+ <b>5.2.3.2.</b>
974
+
975
+ Meterpreter Scripting
976
+ </a>
977
+
978
+
979
+ </li>
980
+
981
+ <li class="chapter " data-level="5.2.3.3" data-path="module_0x5__exploitation_kung_fu/railgun_api_extension.html">
982
+
983
+
984
+ <a href="../module_0x5__exploitation_kung_fu/railgun_api_extension.html">
985
+
986
+ <i class="fa fa-check"></i>
987
+
988
+ <b>5.2.3.3.</b>
989
+
990
+ Railgun API Extension
991
+ </a>
992
+
993
+
994
+ </li>
995
+
996
+
997
+ </ul>
998
+
999
+ </li>
1000
+
1001
+
1002
+ </ul>
1003
+
1004
+ </li>
1005
+
1006
+ <li class="chapter " data-level="5.3" data-path="module_0x5__exploitation_kung_fu/metasm.html">
1007
+
1008
+
1009
+ <a href="../module_0x5__exploitation_kung_fu/metasm.html">
1010
+
1011
+ <i class="fa fa-check"></i>
1012
+
1013
+ <b>5.3.</b>
1014
+
1015
+ metasm
1016
+ </a>
1017
+
1018
+
1019
+ </li>
1020
+
1021
+
1022
+ </ul>
1023
+
1024
+ </li>
1025
+
1026
+ <li class="chapter " data-level="6" data-path="module_0x6__forensic/index.html">
1027
+
1028
+
1029
+ <a href="../module_0x6__forensic/index.html">
1030
+
1031
+ <i class="fa fa-check"></i>
1032
+
1033
+ <b>6.</b>
1034
+
1035
+ Module 0x6 | Forensic Kung Fu
1036
+ </a>
1037
+
1038
+
1039
+ <ul class="articles">
1040
+
1041
+
1042
+ <li class="chapter " data-level="6.1" data-path="module_0x6__forensic/windows_forensic.html">
1043
+
1044
+
1045
+ <a href="../module_0x6__forensic/windows_forensic.html">
1046
+
1047
+ <i class="fa fa-check"></i>
1048
+
1049
+ <b>6.1.</b>
1050
+
1051
+ Windows Forensic
1052
+ </a>
1053
+
1054
+
1055
+ </li>
1056
+
1057
+ <li class="chapter " data-level="6.2" data-path="module_0x6__forensic/android_forensic.html">
1058
+
1059
+
1060
+ <a href="../module_0x6__forensic/android_forensic.html">
1061
+
1062
+ <i class="fa fa-check"></i>
1063
+
1064
+ <b>6.2.</b>
1065
+
1066
+ Android Forensic
1067
+ </a>
1068
+
1069
+
1070
+ </li>
1071
+
1072
+ <li class="chapter " data-level="6.3" data-path="module_0x3__network_kung_fu/network_traffic_analysis.html">
1073
+
1074
+
1075
+ <a href="../module_0x3__network_kung_fu/network_traffic_analysis.html">
1076
+
1077
+ <i class="fa fa-check"></i>
1078
+
1079
+ <b>6.3.</b>
1080
+
1081
+ Network Traffic Analysis
1082
+ </a>
1083
+
1084
+
1085
+ </li>
1086
+
1087
+ <li class="chapter " data-level="6.4" data-path="module_0x6__forensic/parsing_log_files.html">
1088
+
1089
+
1090
+ <a href="../module_0x6__forensic/parsing_log_files.html">
1091
+
1092
+ <i class="fa fa-check"></i>
1093
+
1094
+ <b>6.4.</b>
1095
+
1096
+ Parsing Log Files
1097
+ </a>
1098
+
1099
+
1100
+ </li>
1101
+
1102
+
1103
+ </ul>
1104
+
1105
+ </li>
1106
+
1107
+ <li class="chapter " data-level="7" data-path="references/index.html">
1108
+
1109
+
1110
+ <a href="../references/index.html">
1111
+
1112
+ <i class="fa fa-check"></i>
1113
+
1114
+ <b>7.</b>
1115
+
1116
+ References
1117
+ </a>
1118
+
1119
+
1120
+ </li>
1121
+
1122
+ <li class="chapter " data-level="8" data-path="faqs/index.html">
1123
+
1124
+
1125
+ <a href="../faqs/index.html">
1126
+
1127
+ <i class="fa fa-check"></i>
1128
+
1129
+ <b>8.</b>
1130
+
1131
+ FAQs
1132
+ </a>
1133
+
1134
+
1135
+ </li>
1136
+
1137
+ <li class="chapter " data-level="9" data-path="contributors/index.html">
1138
+
1139
+
1140
+ <a href="../contributors/index.html">
1141
+
1142
+ <i class="fa fa-check"></i>
1143
+
1144
+ <b>9.</b>
1145
+
1146
+ Contributors
1147
+ </a>
1148
+
1149
+
1150
+ <ul class="articles">
1151
+
1152
+
1153
+ <li class="chapter " data-level="9.1" data-path="contributors/todo.html">
1154
+
1155
+
1156
+ <a href="../contributors/todo.html">
1157
+
1158
+ <i class="fa fa-check"></i>
1159
+
1160
+ <b>9.1.</b>
1161
+
1162
+ TODO
1163
+ </a>
1164
+
1165
+
1166
+ </li>
1167
+
1168
+
1169
+ </ul>
1170
+
1171
+ </li>
1172
+
1173
+
1174
+
1175
+
1176
+ <li class="divider"></li>
1177
+ <li>
1178
+ <a href="https://www.gitbook.com" target="blank" class="gitbook-link">
1179
+ Published with GitBook
1180
+ </a>
1181
+ </li>
1182
+
1183
+ </ul>
1184
+ </nav>
1185
+ </div>
1186
+
1187
+ <div class="book-body">
1188
+ <div class="body-inner">
1189
+ <div class="book-header" role="navigation">
1190
+ <!-- Actions Left -->
1191
+
1192
+
1193
+ <!-- Title -->
1194
+ <h1>
1195
+ <i class="fa fa-circle-o-notch fa-spin"></i>
1196
+ <a href="../" >RubyFu</a>
1197
+ </h1>
1198
+ </div>
1199
+
1200
+ <div class="page-wrapper" tabindex="-1" role="main">
1201
+ <div class="page-inner">
1202
+
1203
+
1204
+ <section class="normal" id="section-">
1205
+
1206
+ <h1 id="oracle-tns-enumeration"><a name="oracle-tns-enumeration" class="plugin-anchor" href="#oracle-tns-enumeration"><span class="fa fa-link"></span></a>Oracle TNS Enumeration</h1>
1207
+ <p>The practical way to understand how to a specific protocol works is to use it&apos;s client tools and monitor its packets. </p>
1208
+ <p>If you take a look to pure connection of SQL*plus client to a TNS listener from Wireshark, you&apos;ll find the first connect packet as bellow </p>
1209
+ <table>
1210
+ <thead>
1211
+ <tr>
1212
+ <th style="text-align:center"><img src="oracle_tns_enum1.png" alt="Wireshark"></th>
1213
+ </tr>
1214
+ </thead>
1215
+ <tbody>
1216
+ <tr>
1217
+ <td style="text-align:center"><strong>Figure 1.</strong> TNS Packet</td>
1218
+ </tr>
1219
+ </tbody>
1220
+ </table>
1221
+ <ul>
1222
+ <li>TNS Packet Description <pre><code>Transparent Network Substrate Protocol
1223
+ Packet Length: 224
1224
+ Packet Checksum: 0x0000
1225
+ Packet Type: Connect (1) 0x01
1226
+ Reserved Byte: 00
1227
+ Header Checksum: 0x0000
1228
+ Connect
1229
+ Version: 315
1230
+ Version (Compatible): 300
1231
+ Service Options: 0x0c41
1232
+ Session Data Unit Size: 8192
1233
+ Maximum Transmission Data Unit Size: 65535
1234
+ NT Protocol Characteristics: 0x7f08
1235
+ Line Turnaround Value: 0
1236
+ Value of 1 in Hardware: 0100
1237
+ Length of Connect Data: 154
1238
+ Offset to Connect Data: 70
1239
+ Maximum Receivable Connect Data: 2048
1240
+ Connect Flags 0: 0x41
1241
+ Connect Flags 1: 0x41
1242
+ Trace Cross Facility Item 1: 0x00000000
1243
+ Trace Cross Facility Item 2: 0x00000000
1244
+ Trace Unique Connection ID: 0x0000000000000000
1245
+ Connect Data: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus@Archer)(HOST=Archer)(USER=KING)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.13)(PORT=1521)))
1246
+ </code></pre></li>
1247
+ </ul>
1248
+ <ul>
1249
+ <li>TNS Packet Hexdump <pre><code>0000 08 00 27 3a fb 1d 3c 77 e6 68 66 e9 08 00 45 00 ..&apos;:..&lt;w.hf...E.
1250
+ 0010 01 14 65 4f 40 00 40 06 53 28 c0 a8 00 0f c0 a8 ..eO@.@.S(......
1251
+ 0020 00 0d 81 32 05 f1 04 d7 76 08 c9 98 31 e3 80 18 ...2....v...1...
1252
+ 0030 00 e5 0f 40 00 00 01 01 08 0a 0d 8a 13 4a 05 44 ...@.........J.D
1253
+ 0040 03 b3 00 e0 00 00 01 00 00 00 01 3b 01 2c 0c 41 ...........;.,.A
1254
+ 0050 20 00 ff ff 7f 08 00 00 01 00 00 9a 00 46 00 00 ............F..
1255
+ 0060 08 00 41 41 00 00 00 00 00 00 00 00 00 00 00 00 ..AA............
1256
+ 0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 .............. .
1257
+ 0080 00 20 00 00 00 00 00 00 28 44 45 53 43 52 49 50 . ......(DESCRIP
1258
+ 0090 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f 44 41 TION=(CONNECT_DA
1259
+ 00a0 54 41 3d 28 53 45 52 56 49 43 45 5f 4e 41 4d 45 TA=(SERVICE_NAME
1260
+ 00b0 3d 58 45 29 28 43 49 44 3d 28 50 52 4f 47 52 41 =XE)(CID=(PROGRA
1261
+ 00c0 4d 3d 73 71 6c 70 6c 75 73 40 41 72 63 68 65 72 M=sqlplus@Archer
1262
+ 00d0 29 28 48 4f 53 54 3d 41 72 63 68 65 72 29 28 55 )(HOST=Archer)(U
1263
+ 00e0 53 45 52 3d 4b 49 4e 47 29 29 29 28 41 44 44 52 SER=KING)))(ADDR
1264
+ 00f0 45 53 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 43 ESS=(PROTOCOL=TC
1265
+ 0100 50 29 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e P)(HOST=192.168.
1266
+ 0110 30 2e 31 33 29 28 50 4f 52 54 3d 31 35 32 31 29 0.13)(PORT=1521)
1267
+ 0120 29 29 ))
1268
+ </code></pre></li>
1269
+ </ul>
1270
+ <p>Now base on our understanding, let&apos;s to build an equivalent request using ruby.</p>
1271
+ <ul>
1272
+ <li>TNS packet builder</li>
1273
+ </ul>
1274
+ <pre><code class="lang-ruby"><span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">tns_packet</span><span class="hljs-params">(connect_data)</span></span>
1275
+
1276
+ <span class="hljs-comment">#=&gt; Transparent Network Substrate Protocol</span>
1277
+ <span class="hljs-comment"># Packet Length</span>
1278
+ pkt = [<span class="hljs-number">58</span> + connect_data.length].pack(<span class="hljs-string">&apos;n&apos;</span>)
1279
+ <span class="hljs-comment"># Packet Checksum</span>
1280
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1281
+ <span class="hljs-comment"># Packet Type: Connect(1)</span>
1282
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01&quot;</span>
1283
+ <span class="hljs-comment"># Reserved Byte</span>
1284
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1285
+ <span class="hljs-comment"># Header Checksum</span>
1286
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1287
+ <span class="hljs-comment">#=&gt; Connect</span>
1288
+ <span class="hljs-comment"># Version</span>
1289
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01\x36&quot;</span>
1290
+ <span class="hljs-comment"># Version (Compatible)</span>
1291
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01\x2C&quot;</span>
1292
+ <span class="hljs-comment"># Service Options</span>
1293
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1294
+ <span class="hljs-comment"># Session Data Unit Size</span>
1295
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x08\x00&quot;</span>
1296
+ <span class="hljs-comment"># Maximum Transmission Data Unit Size</span>
1297
+ pkt &lt;&lt; <span class="hljs-string">&quot;\xFF\xFF&quot;</span>
1298
+ <span class="hljs-comment"># NT Protocol Characteristics</span>
1299
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x7F\x08&quot;</span>
1300
+ <span class="hljs-comment"># Line Turnaround Value</span>
1301
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1302
+ <span class="hljs-comment"># Value of 1 in Hardware</span>
1303
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x01&quot;</span>
1304
+ <span class="hljs-comment"># Length of Connect Data</span>
1305
+ pkt &lt;&lt; [connect_data.length].pack(<span class="hljs-string">&apos;n&apos;</span>)
1306
+ <span class="hljs-comment"># Offset to Connect Data</span>
1307
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x3A&quot;</span>
1308
+ <span class="hljs-comment"># Maximum Receivable Connect Data</span>
1309
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1310
+ <span class="hljs-comment"># Connect Flags 0</span>
1311
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1312
+ <span class="hljs-comment"># Connect Flags 1</span>
1313
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1314
+ <span class="hljs-comment"># Trace Cross Facility Item 1</span>
1315
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1316
+ <span class="hljs-comment"># Trace Cross Facility Item 2</span>
1317
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1318
+ <span class="hljs-comment"># Trace Unique Connection ID</span>
1319
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x34\xE6\x00\x00\x00\x01&quot;</span>
1320
+ <span class="hljs-comment"># Connect Data</span>
1321
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00\x00\x00\x00\x00&quot;</span>
1322
+ pkt &lt;&lt; connect_data
1323
+
1324
+ <span class="hljs-keyword">return</span> pkt
1325
+
1326
+ <span class="hljs-keyword">end</span>
1327
+ </code></pre>
1328
+ <ul>
1329
+ <li>SID Request </li>
1330
+ </ul>
1331
+ <p>There is a data structure for interacting with the TNS which is similar to the following <code>(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{host})(PORT=#{port})))</code></p>
1332
+ <pre><code class="lang-ruby"><span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">sid_request</span><span class="hljs-params">(sid,host, port)</span></span>
1333
+ connect_data = <span class="hljs-string">&quot;(DESCRIPTION=(CONNECT_DATA=(SID=<span class="hljs-subst">#{sid}</span>)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=<span class="hljs-subst">#{host}</span>)(PORT=<span class="hljs-subst">#{port}</span>)))&quot;</span>
1334
+ pkt = tns_packet(connect_data)
1335
+ <span class="hljs-keyword">end</span>
1336
+ </code></pre>
1337
+ <p>Now we have everything to send our packet, let&apos;s to build a simple tns brute force to enumerate the exist tns listeners. The default behavior for oracle 11g is to reply with nothing if listener exist, and reply with error if it doesn&apos;t, the error similar to this <code>g&quot;[(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=12505)(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))</code>.</p>
1338
+ <p>Let&apos;s to warp everything together by build a SID brute force script</p>
1339
+ <h3 id="sid-brute-force"><a name="sid-brute-force" class="plugin-anchor" href="#sid-brute-force"><span class="fa fa-link"></span></a>SID Brute Force</h3>
1340
+ <p><strong>tns_brute.rb</strong></p>
1341
+ <pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
1342
+ <span class="hljs-comment"># -*- coding: binary -*-</span>
1343
+ <span class="hljs-keyword">require</span> <span class="hljs-string">&apos;socket&apos;</span>
1344
+
1345
+ <span class="hljs-keyword">if</span> <span class="hljs-constant">ARGV</span>.size &lt; <span class="hljs-number">1</span>
1346
+ puts <span class="hljs-string">&quot;Usage:\n<span class="hljs-subst">#{__FILE_<span class="hljs-number">_</span>}</span> &lt;IP ADDRESS&gt; [PORT]&quot;</span>
1347
+ exit <span class="hljs-number">0</span>
1348
+ <span class="hljs-keyword">else</span>
1349
+ host = <span class="hljs-constant">ARGV</span>[<span class="hljs-number">0</span>]
1350
+ port = <span class="hljs-constant">ARGV</span>[<span class="hljs-number">1</span>] || <span class="hljs-number">1521</span>
1351
+ <span class="hljs-keyword">end</span>
1352
+ sid = <span class="hljs-constant">ARGV</span>[<span class="hljs-number">2</span>] || <span class="hljs-string">&apos;PLSExtProc&apos;</span>
1353
+
1354
+ <span class="hljs-comment">#</span>
1355
+ <span class="hljs-comment"># Build TNS Packet</span>
1356
+ <span class="hljs-comment">#</span>
1357
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">tns_packet</span><span class="hljs-params">(connect_data)</span></span>
1358
+
1359
+ <span class="hljs-comment">#=&gt; Transparent Network Substrate Protocol</span>
1360
+ <span class="hljs-comment"># Packet Length</span>
1361
+ pkt = [<span class="hljs-number">58</span> + connect_data.length].pack(<span class="hljs-string">&apos;n&apos;</span>)
1362
+ <span class="hljs-comment"># Packet Checksum</span>
1363
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1364
+ <span class="hljs-comment"># Packet Type: Connect(1)</span>
1365
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01&quot;</span>
1366
+ <span class="hljs-comment"># Reserved Byte</span>
1367
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1368
+ <span class="hljs-comment"># Header Checksum</span>
1369
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1370
+ <span class="hljs-comment">#=&gt; Connect</span>
1371
+ <span class="hljs-comment"># Version</span>
1372
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01\x36&quot;</span>
1373
+ <span class="hljs-comment"># Version (Compatible)</span>
1374
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x01\x2C&quot;</span>
1375
+ <span class="hljs-comment"># Service Options</span>
1376
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1377
+ <span class="hljs-comment"># Session Data Unit Size</span>
1378
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x08\x00&quot;</span>
1379
+ <span class="hljs-comment"># Maximum Transmission Data Unit Size</span>
1380
+ pkt &lt;&lt; <span class="hljs-string">&quot;\xFF\xFF&quot;</span>
1381
+ <span class="hljs-comment"># NT Protocol Characteristics</span>
1382
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x7F\x08&quot;</span>
1383
+ <span class="hljs-comment"># Line Turnaround Value</span>
1384
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00&quot;</span>
1385
+ <span class="hljs-comment"># Value of 1 in Hardware</span>
1386
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x01&quot;</span>
1387
+ <span class="hljs-comment"># Length of Connect Data</span>
1388
+ pkt &lt;&lt; [connect_data.length].pack(<span class="hljs-string">&apos;n&apos;</span>)
1389
+ <span class="hljs-comment"># Offset to Connect Data</span>
1390
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x3A&quot;</span>
1391
+ <span class="hljs-comment"># Maximum Receivable Connect Data</span>
1392
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1393
+ <span class="hljs-comment"># Connect Flags 0</span>
1394
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1395
+ <span class="hljs-comment"># Connect Flags 1</span>
1396
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00&quot;</span>
1397
+ <span class="hljs-comment"># Trace Cross Facility Item 1</span>
1398
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1399
+ <span class="hljs-comment"># Trace Cross Facility Item 2</span>
1400
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00&quot;</span>
1401
+ <span class="hljs-comment"># Trace Unique Connection ID</span>
1402
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x34\xE6\x00\x00\x00\x01&quot;</span>
1403
+ <span class="hljs-comment"># Connect Data</span>
1404
+ pkt &lt;&lt; <span class="hljs-string">&quot;\x00\x00\x00\x00\x00\x00\x00\x00&quot;</span>
1405
+ pkt &lt;&lt; connect_data
1406
+
1407
+ <span class="hljs-keyword">return</span> pkt
1408
+
1409
+ <span class="hljs-keyword">end</span>
1410
+
1411
+ <span class="hljs-comment">#</span>
1412
+ <span class="hljs-comment"># SID Request Data</span>
1413
+ <span class="hljs-comment">#</span>
1414
+ <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">sid_request</span><span class="hljs-params">(sid,host, port)</span></span>
1415
+ connect_data = <span class="hljs-string">&quot;(DESCRIPTION=(CONNECT_DATA=(SID=<span class="hljs-subst">#{sid}</span>)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=<span class="hljs-subst">#{host}</span>)(PORT=<span class="hljs-subst">#{port}</span>)))&quot;</span>
1416
+ pkt = tns_packet(connect_data)
1417
+ <span class="hljs-keyword">end</span>
1418
+
1419
+
1420
+ sids = [ <span class="hljs-string">&apos;N00TEXIST&apos;</span>, <span class="hljs-string">&apos;PLSExtProc&apos;</span>, <span class="hljs-string">&apos;ORACLE&apos;</span>, <span class="hljs-string">&apos;ORA&apos;</span>, <span class="hljs-string">&apos;ORA1&apos;</span>, <span class="hljs-string">&apos;ORA2&apos;</span>, <span class="hljs-string">&apos;XE&apos;</span>, <span class="hljs-string">&apos;SOA&apos;</span>, <span class="hljs-string">&apos;SOA1&apos;</span>, <span class="hljs-string">&apos;SOA2&apos;</span>, <span class="hljs-string">&apos;DBA1&apos;</span>, <span class="hljs-string">&apos;DBA2&apos;</span> <span class="hljs-string">&apos;HR&apos;</span>, <span class="hljs-string">&apos;HR1&apos;</span>, <span class="hljs-string">&apos;HR2&apos;</span>,<span class="hljs-string">&apos;SAP&apos;</span>, <span class="hljs-string">&apos;TEST&apos;</span>]
1421
+
1422
+ sids.each <span class="hljs-keyword">do</span> |sid|
1423
+ s = <span class="hljs-constant">TCPSocket</span>.new host, port.to_i
1424
+ s.send sid_request(sid, host, port), <span class="hljs-number">0</span>
1425
+ response = s.recv(<span class="hljs-number">1000</span>)
1426
+ puts <span class="hljs-string">&quot;[+] Found SID: &quot;</span> + sid <span class="hljs-keyword">if</span> response.scan(<span class="hljs-regexp">/ERROR/</span>).empty?
1427
+ <span class="hljs-comment"># puts &quot;[+] No SID: &quot; + sid , response unless response.scan(/ERROR/).empty?</span>
1428
+ s.close
1429
+ <span class="hljs-keyword">end</span>
1430
+ </code></pre>
1431
+ <p>Run it </p>
1432
+ <pre><code>ruby tns_brute.rb 192.168.0.13 1521
1433
+
1434
+ [+] Found SID: PLSExtProc
1435
+ [+] Found SID: XE
1436
+ </code></pre><p><strong>Notes:</strong></p>
1437
+ <ul>
1438
+ <li>This script will work on Oracle 11g and before </li>
1439
+ <li>Notice <code># -*- coding: binary -*-</code> at the top of the script because we are working on pure binary data that may not mean anything to the language.</li>
1440
+ </ul>
1441
+ <h2 id=""><a name="" class="plugin-anchor" href="#"><span class="fa fa-link"></span></a><br><br><br></h2>
1442
+ <ul>
1443
+ <li><a href="https://thesprawl.org/research/oracle-tns-protocol/" target="_blank">Research Oracle TNS Protocol</a> </li>
1444
+ <li>Metasploit | sid_brute auxiliary module</li>
1445
+ </ul>
1446
+
1447
+
1448
+ </section>
1449
+
1450
+
1451
+ </div>
1452
+ </div>
1453
+ </div>
1454
+
1455
+
1456
+ <a href="../module_0x3__network_kung_fu/snmp_enumeration.html" class="navigation navigation-prev " aria-label="Previous page: SNMP Enumeration"><i class="fa fa-angle-left"></i></a>
1457
+
1458
+
1459
+ <a href="../module_0x3__network_kung_fu/packet_manipulation.html" class="navigation navigation-next " aria-label="Next page: Packet manipulation"><i class="fa fa-angle-right"></i></a>
1460
+
1461
+ </div>
1462
+ </div>
1463
+
1464
+
1465
+ <script src="../gitbook/app.js"></script>
1466
+
1467
+
1468
+ <script src="../gitbook/plugins/gitbook-plugin-splitter/splitter.js"></script>
1469
+
1470
+
1471
+
1472
+ <script src="../gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js"></script>
1473
+
1474
+
1475
+
1476
+ <script src="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js"></script>
1477
+
1478
+
1479
+
1480
+ <script src="../gitbook/plugins/gitbook-plugin-search/lunr.min.js"></script>
1481
+
1482
+
1483
+
1484
+ <script src="../gitbook/plugins/gitbook-plugin-search/search.js"></script>
1485
+
1486
+
1487
+
1488
+ <script src="../gitbook/plugins/gitbook-plugin-sharing/buttons.js"></script>
1489
+
1490
+
1491
+
1492
+ <script src="../gitbook/plugins/gitbook-plugin-fontsettings/buttons.js"></script>
1493
+
1494
+
1495
+ <script>
1496
+ require(["gitbook"], function(gitbook) {
1497
+ var config = {"addcssjs":{"js":["styles/header.js"]},"anchors":{},"todo":{},"splitter":{},"book-summary-scroll-position-saver":{},"expandable-chapters":{},"highlight":{},"search":{"maxIndexSize":1000000},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2}};
1498
+ gitbook.start(config);
1499
+ });
1500
+ </script>
1501
+
1502
+
1503
+ </body>
1504
+
1505
+ </html>