Oracle TNS

Port: TCP/1521

The TNS listener is configured to support various network protocols, including TCP/IP, UDP, IPX/SPX, and AppleTalk

The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory

Oracle 9 has a default password, CHANGE_ON_INSTALL, whereas Oracle 10 has no default password set

Oracle DBSNMP service also uses a default password, dbsnmp

Each database or service has a unique entry in the tnsnames.ora file

In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance

The SID is an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to.
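To see which instances and listeners a client configuration points at, the entries in tnsnames.ora can be inventoried. The following Python parser is an added example, not part of the original notes; it maps each alias to its hosts, ports, SIDs and service names, and the sample content, aliases and hostnames in it are constructed.

```python
import re

# Constructed sample in tnsnames.ora syntax; aliases and hosts are made up.
SAMPLE = """\
# constructed example
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SID = ORCL))
  )
SALES =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db2.example.internal)(PORT = 1522))
    )
    (CONNECT_DATA = (SERVICE_NAME = sales.example.internal))
  )
"""
TOKEN = re.compile(r"[()=]|[^\s()=]+")  # quoted values are not handled

def parse_group(tok, pos):
    """Parse '(KEY = value)' or '(KEY = (..)(..))'; return (key, value, next_pos)."""
    if tok[pos] != "(" or tok[pos + 2] != "=":
        raise ValueError(f"unexpected token {tok[pos]!r} at {pos}")
    key, pos = tok[pos + 1].upper(), pos + 3
    if tok[pos] != "(":                  # leaf: skip the value and its ')'
        return key, tok[pos], pos + 2
    children = []
    while tok[pos] == "(":               # nested groups until the closing ')'
        k, v, pos = parse_group(tok, pos)
        children.append((k, v))
    return key, children, pos + 1

def leaves(children):
    """Yield (key, text) for every leaf below a parsed group."""
    for k, v in children:
        yield from (leaves(v) if isinstance(v, list) else [(k, v)])

def parse_tnsnames(text):
    """Map each alias to the hosts, ports, SIDs and service names it names."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    tok, pos, out = TOKEN.findall("\n".join(lines)), 0, {}
    while pos < len(tok):
        alias = tok[pos]                 # ALIAS = (DESCRIPTION = ...)
        _, tree, pos = parse_group(tok, pos + 2)
        flat = list(leaves(tree))
        out[alias] = {name.lower(): [v for k, v in flat if k == name]
                      for name in ("HOST", "PORT", "SID", "SERVICE_NAME")}
    return out
```

Calling parse_tnsnames on the contents of $ORACLE_HOME/network/admin/tnsnames.ora gives one dictionary entry per alias, which can be compared against the listeners that are expected to be reachable.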

There are various ways to enumerate, or better said, guess SIDs. For this, we can use tools like nmap, hydra, odat, and others.

Tools

./odat.py -h

If not installed, see Pentesting Machine

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT - More information, user bruteforcing included

SQLplus - Log In

In case of the error "sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory", execute:

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig

SQLplus commands:

Database Enumeration

It is possible to try known credentials to log in as the System Database Admin (sysdba):

Then list current user privs:

From this point, we could retrieve the password hashes from the sys.user$ table and try to crack them offline:

Oracle RDBMS - File Upload
