Oracle EBS Penetration testing tool

Nobody will argue that IT security is vital in our modern world, particularly for businesses. Cybercrime is getting worse and systems become more vulnerable with time, making organizations more susceptible to cyberattacks and financial losses. That’s why the topic of cybercrime demands more attention and cyber-awareness.

ERP security is a separate part of IT security. Nowadays ERP stands for a huge range of various tools and services written on the base of different technologies. It’s critical to possess proper knowledge in the security field and convenient tools for managing.

When we were exploring Oracle E-Business Suite security, we noticed an absence of present-day convenient and free security tools on the market that can help simplify security assessment. There were bunches of various modules or scripts to check one or two issues narrowly. We started developing our own solution, first free Oracle E-Business Suite security scanner – ERPSCAN EBS Pentesting tool.

What is it? It is a ‘wrapper’ for multiple EBS exploits developed by our research team. All modules are represented in the python language. Currently, there are four main modules (1 of them uses EBS Users’ passwords decryptor):

  • EBS DB Users brute-force;
  • EBS Users brute-force;
  • EBS Java Serialization test;
  • EBS XML Serialization test.

For now, we have published just four of them. If this tool becomes popular, we will continue this project and release more our private modules.

Pentesting Oracle EBS Database

Oracle EBS DB users brute-force

Script brutes standard DB users with pre-defined passwords. Also, it can grab EBS users’ passwords from APPS.fnd_user table and if password hashing is not on, it decrypts them with the ebsDecrypt.py module. All findings will be saved in dbCheckResults.txt file.

Help

You should install cx_Oracle for working.

Usage

Oracle EBS password decryption

Script can decrypt EBS users passwords if apps user passwords is known. It handles new (SHA-1 + 3DES) and old (SHA-1-like + ARC4) encryptions.

Help

You should install pyjks for working.

Usage

apps user password should be uppercase.

Pentesting Oracle EBS application

EBS Users brute-force

Script brutes EBS default users with predefined passwords. It handles two types of auth version (don’t mix with SSO!).

Help

Usage

Oracle EBS Java Serialization test

EBS python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, thus the testing host is potentially vulnerable to Java Deserialization attacks.

Help

Usage

Oracle WebLogic Level Checks

Oracle EBS XML Serialization test

Python script for XML Serialization sleep payload testing based on CVE-2017-3506 & 10271. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, thus the testing host is potentially vulnerable to XML Deserialization attacks.

Help

Usage

That’s all for today. Download our free ERPScan EBS Pentesting Tool and share it on Twitter.
Keep in touch and follow us on Twitter, Facebook, and LinkedIn and get more information from our ERPScan Research team.

Do you want more?

Subscribe me to your mailing list