Oracle TNS
(Oracle Transparent Network Substrate)
Port: 1521,1522 (can be changed)
About
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks.
TNS supports various networking protocols between Oracle databases and client applications, such as IPX/SPX
and TCP/IP
protocol stacks.
It is a popular opinion in managing large and complex databases. In addition to the security it has a encryption mechanism ensuringing security of the data transmitted. Over time, TNS has been updated to support newer technologies, including IPv6
and SSL/TLS
encryption
Oracle TNS is often used with other Oracle services like Oracle DBSNMP, Oracle Databases, Oracle Application Server, Oracle Enterprise Manager, Oracle Fusion Middleware, web servers, and many more.
Footprinting
The TNS inclued a few basic security futures such as username/password authentication, and the listener will use Oracle Net Services to encrypt the communication between the client and the server.
The configuration files for TNS are tnsnames.ora and listener.ora. which are tippicaly located in $ORACLE_HOME/network/admin
.
tnsnames.ora file contains the necessary information for clients to connect to the service.
listener.ora file is a server-side configuration file that defines the listener process's properties and parameters, which is responsible for receiving incoming client requests and forwarding them to the appropriate Oracle database instance.
In short, the client-side Oracle Net Services software uses the tnsnames.ora
file to resolve service names to network addresses, while the listener process uses the listener.ora
file to determine the services it should listen to and the behavior of the listener.
The oracle databases can be protected by using a so called so-called PL/SQL Exclusion List (PlsqlExclusionList). Whitch is basically a user-defined blacklist that needs to be placed in $ORACLE_HOME/sqldeveloper.
Vulnerabilities
There have been made many changes for the default installation of Oracle services. For example, Oracle 9 has a default password, CHANGE_ON_INSTALL
, whereas Oracle 10 has no default password set. The Oracle DBSNMP service also uses a default password, dbsnmp
. Another example would be that many organizations still use the finger
service together with Oracle, which can put Oracle's service at risk and make it vulnerable when we have the required knowledge of a home directory.
A nice to have tool for Oracle TNS is ODAT (Oracle Database Attacking Tool), a pentest enumeration tool for oracle databases.
Here is a nice lil bash script to download the ODAT
#!/bin/bash
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete
Enumeration
nmap scan
sudo nmap -p1521 -sV 10.129.204.235 --open
nmap scan with NDE script
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
usage of ALL modules from odat tool
./odat.py all -s 10.129.204.235
To connect to a oracle sql we use SQL Plus. Here is the syntax for connecting using sqlplus:
sqlplus username/password@ip_address/SID
To navigate through a database we will need to know some commands:
Last updated