A protocol that facilitates comm bet Oracle DB's/apps over networks
TNS supports various protocols bet client apps, such as IPX/SPX and TCP/IP protocol stacks
It has become a solution for large, complex db's healthcare, finance, and retail industries
Its built-in encryption mechanism ensures the sec of data transmitted
Ideal solution for enterprise envs where data sec is paramount
TNS now has support IPv6/SSL/TLS encryption which makes suitable for the following:
Name resolution, Connection management, Load balancing, Security Default Config
Default: The listener listens for incoming connections on port 1521
The TNS listener is config to support TCP/IP, UDP, IPX/SPX, and AppleTalk
Can support multiple network ints and listen on specific IP's
Default: Can be remotely managed in Oracle 8i/9i but not in 10g/11g
Security features of the listener:
Will only accept connections from auth hosts/basic auth using hostnames/IP's, usernames/passwds
Will use Oracle Net Services to encrypt comm bet client/server
Config files for Oracle TNS are called tnsnames.ora/listener.ora
Typically located in $ORACLE_HOME/network/admin dir
The plain text file contains config info for Oracle db instances/network services that use TNS TNS: Used with other services like DBSNMP, DB's, App Server, Enterprise Manager, Fusion Middleware, etc...
Oracle 9 has a default passwd, CHANGE_ON_INSTALL
Oracle 10 has no default password set
Oracle DBSNMP service also uses a default password, dbsnmp
Many orgs use finger with Oracle, which can put it at risk/make it vuln when we have the home dir Tnsnames.ora
Oracle Net Services software uses tnsnames.ora to resolve service names to network addresses
Listener process uses listener.ora to determine services it should listen to/behavior of the listener
Oracle db's can be protected by using PlsqlExclusionList: PL/SQL Exclusion List
User-created txt file that needs to be placed in $ORACLE_HOME/sqldeveloper dir
Contains the names of PL/SQL packages/types that should be excluded from exec
Once PL/SQL Exclusion List is created: It can be loaded into the db instance
It serves as a blacklist that can't be accessed through the Oracle App Server
connect_data# attributes of connection, service name, sid, protocol, db instance idinstance_name# name of db instance clientservice_name# name of service client wants to connect to security# security type for connectionsconnect_timeout# time limit in seconds for client to establish a connection to dbreceive_timeout# time limit in seconds for client to receive a response from dbsend_timeout# time limit in seconds for client to send request to dbsqlnet.expire_time# time limit in seconds for client to detect connection failedtrace_level# tracing for db connectiontrace_directory# dir where trace files storedtrace_file_name# name of trace filelog_file# log info
Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.
# oracle-tools-setup.sh #!/bin/bashsudoapt-getinstalllibaio1python3-devalien-ygitclonehttps://github.com/quentinhardy/odat.gitgitsubmoduleinitgitsubmoduleupdatewgethttps://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zipunzipinstantclient-basic-linux.x64-21.12.0.0.0dbru.zipwgethttps://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zipunzipinstantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zipexport LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH export PATH=$LD_LIBRARY_PATH:$PATH pip3installcx_Oraclesudoapt-getinstallpython3-scapy-ysudopip3installcolorlogtermcolorpycryptopasslibpython-libnmapsudopip3installargcomplete&&sudoactivate-global-python-argcomplete./odat.py-husage:odat.py [-h] [--version]_______/ \| \ / \|__| ( o ) o ) o |||\_/|__/|_n_||_|-------------------------------------------_______/ \ |\/ \ |__|( o ) o ) o |||\_/racle|__/atabase|_n_|ttacking|_|ool-------------------------------------------
ODAT: Oracle DB Attacking Tool:
Open-source pentesting tool written in Python/designed to enum/exploit vulns
Can be used to id, exploit, including SQLi, RCE, and privesc
In Oracle RDBMS, a SID: System Id is a unique name that id's a particular db instance
It can have multiple instances, each with its own SID
Instance: A set of procs/mem structures that interact to manage the db's data
When a client connects to an Oracle db, it specifies the SID, with its connection str
The client uses this SID to id which db instance it wants to connect to
If not specified: The default value defined in the tnsnames.ora file is used
The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.
There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.
We can use odat.py to perform a variety of scans to for info about Oracle db services/components
Scans can retrieve db names, ver, running procs, user accts, vulns, misconfigs, etc. ODAT
./odat.pyall-s10.129.204.235
In this example, we found valid creds for scott and his password tiger
Now we can use the tool sqlplus to connect to the Oracle db/interact with it SQLplus - Log In
sqlplusscott/tiger@10.129.204.235/XESQL*Plus:Release21.0.0.0.0-ProductiononMonMar611:19:212023Version21.4.0.0.0Copyright (c) 1982, 2021, Oracle. All rights reserved.SQL>
If you come across the following error: sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, please exec below, taken from here