Oracle TNS
Pentesting Oracle TNS - TCP Ports 1521,1522-1529
Theory
Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (1521/TCP, -you may also get secondary listeners on 1522–1529-), it starts up a new database process and establishes a connection between the client and the Oracle database.
Practice
Enumerate version
Using nmap scripts, we can enumerate the version of the TNS-Listener
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>We can enumerate the TNS-Listener using the tnscmd10g tool
tnscmd10g version -p 1521 -h <IP>Commands & Brute-force
When enumerating Oracle the first step is to talk to the TNS-Listener
# Return the current status and variables used by the listener
tnscmd10g status -p 1521 -h <IP>
# Dump service data
tnscmd10g services -p 1521 -h <IP>
# Dump debugging information to the listener log
tnscmd10g debug -p 1521 -h <IP>
# Write the listener configuration file to a backup location
tnscmd10g save_config -p 1521 -h <IP>If you receive an error, could be because TNS versions are incompatible (Use the --10G parameter with tnscmd10) and if the error persist, the listener may be password protected
We can use hydra to brute-force TNS-Listener password
hydra -P rockyou.txt -t 32 -s 1521 <IP> oracle-listenerTargeting SID
The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.
In some old versions (in 9 it works) we can enumerate the SID using tnscmd10g
Targeting Accounts
Once we have found a valid SID, the next step is account enumeration. From this point, you can connect to the listener and brute-force credentials.
We can use Hydra or odat, or nmap to bruteforce accounts on a known SID
Here are mixed wordlists taken from hacktricks and some interesting other wordlists
Below are some of the default passwords associated with Oracle:
DBSNMP/DBSNMP — Intelligent Agent uses this to talk to the db server (its some work to change it)
SYS/CHANGE_ON_INSTALL — Default sysdba account before and including Oracle v9, as of version 10g this has to be different!
PCMS_SYS/PCMS_SYS — Default x account
WMSYS/WMSYS — Default x account
OUTLN/OUTLN — Default x account
SCOTT/TIGER — Default x account
Stealremotepwds - CVE-2012-3137
Using nmap we can retreive intercept the initial traffic during authorization phase and extract a hash to bruteforce it offline:
Also, we can use odat
Dump Oracle Hashes
Password hashes in Oracle are stored in the sys.users$ or dba_users tables. With permissions, we can extract them using odat
Logging into a Remote Database
To login using known credentials, we can use sqlplus
If an account has system database priviledges (sysdba) or system operator (sysop) you may wish to try the following:
Remote Code Execution
If an account has system database priviledges (sysdba) or system operator (sysop) you may add following args when using odat:
We can try to execute code using odat Java Stored Procedure
We can try to execute code using odat and Oracle Scheduler
We can try to execute code using odat and Oracle External Tables
Read/Write files
We can try to read/write files using odat and utlfile
We can try to read files using odat and Oracle External Tables
OracleSQL Privilege Escalation
We may use the privesc module from odat to escalate our privileges on the DB. On that link you will find several ways to escalate privileges using odat.
Automation Tools
An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:
Another tool that will do all of this is odat
Resources
Last updated
Was this helpful?