Oracle TNS
Last updated
Last updated
Port: TCP/1521 Directory in Kali: /opt/odat
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. Initially introduced as part of the software suite, TNS supports various networking protocols between Oracle databases and client applications, such as IPX/SPX and TCP/IP protocol stacks. As a result, it has become a preferred solution for managing large, complex databases in the healthcare, finance, and retail industries. In addition, its built-in encryption mechanism ensures the security of data transmitted, making it an ideal solution for enterprise environments where data security is paramount.
Over time, TNS has been updated to support newer technologies, including IPv6 and SSL/TLS encryption which makes it more suitable for the following purposes:
Furthermore, it enables encryption between client and server communication through an additional layer of security over the TCP/IP protocol layer. This feature helps secure the database architecture from unauthorized access or attacks that attempt to compromise the data on the network traffic. Besides, it provides advanced tools and capabilities for database administrators and developers since it offers comprehensive performance monitoring and analysis tools, error reporting and logging capabilities, workload management, and fault tolerance through database services.
Furthermore, it enables encryption between client and server communication through an additional layer of security over the TCP/IP protocol layer. This feature helps secure the database architecture from unauthorized access or attacks that attempt to compromise the data on the network traffic. Besides, it provides advanced tools and capabilities for database administrators and developers since it offers comprehensive performance monitoring and analysis tools, error reporting and logging capabilities, workload management, and fault tolerance through database services.
The default configuration of the Oracle TNS server varies depending on the version and edition of Oracle software installed. However, some common settings are usually configured by default in Oracle TNS. By default, the listener listens for incoming connections on the TCP/1521 port. However, this default port can be changed during installation or later in the configuration file. The TNS listener is configured to support various network protocols, including TCP/IP, UDP, IPX/SPX, and AppleTalk. The listener can also support multiple network interfaces and listen on specific IP addresses or all available network interfaces. By default, Oracle TNS can be remotely managed in Oracle 8i/9i but not in Oracle 10g/11g.
The default configuration of the TNS listener also includes a few basic security features. For example, the listener will only accept connections from authorized hosts and perform basic authentication using a combination of hostnames, IP addresses, and usernames and passwords. Additionally, the listener will use Oracle Net Services to encrypt the communication between the client and the server. The configuration files for Oracle TNS are called tnsnames.ora and listener.ora and are typically located in the $ORACLE_HOME/network/admin directory. The plain text file contains configuration information for Oracle database instances and other network services that use the TNS protocol.
Oracle TNS is often used with other Oracle services like Oracle DBSNMP, Oracle Databases, Oracle Application Server, Oracle Enterprise Manager, Oracle Fusion Middleware, web servers, and many more. There have been made many changes for the default installation of Oracle services. For example, Oracle 9 has a default password, CHANGE_ON_INSTALL, whereas Oracle 10 has no default password set. The Oracle DBSNMP service also uses a default password, dbsnmp that we should remember when we come across this one. Another example would be that many organizations still use the finger service together with Oracle, which can put Oracle's service at risk and make it vulnerable when we have the required knowledge of a home directory.
Here we can see a service called ORCL, which is listening on port TCP/1521 on the IP address 10.129.11.102. Clients should use the service name orcl when connecting to the service. However, the tnsnames.ora file can contain many such entries for different databases and services. The entries can also include additional information, such as authentication details, connection pooling settings, and load balancing configurations.
On the other hand, the listener.ora file is a server-side configuration file that defines the listener process's properties and parameters, which is responsible for receiving incoming client requests and forwarding them to the appropriate Oracle database instance.
In short, the client-side Oracle Net Services software uses the tnsnames.ora file to resolve service names to network addresses, while the listener process uses the listener.ora file to determine the services it should listen to and the behavior of the listener.
Oracle databases can be protected by using so-called PL/SQL Exclusion List (PlsqlExclusionList). It is a user-created text file that needs to be placed in the $ORACLE_HOME/sqldeveloper directory, and it contains the names of PL/SQL packages or types that should be excluded from execution. Once the PL/SQL Exclusion List file is created, it can be loaded into the database instance. It serves as a blacklist that cannot be accessed through the Oracle Application Server.
Setting
Description
DESCRIPTION
A descriptor that provides a name for the database and its connection type.
ADDRESS
The network address of the database, which includes the hostname and port number.
PROTOCOL
The network protocol used for communication with the server
PORT
The port number used for communication with the server
CONNECT_DATA
Specifies the attributes of the connection, such as the service name or SID, protocol, and database instance identifier.
INSTANCE_NAME
The name of the database instance the client wants to connect.
SERVICE_NAME
The name of the service that the client wants to connect to.
SERVER
The type of server used for the database connection, such as dedicated or shared.
USER
The username used to authenticate with the database server.
PASSWORD
The password used to authenticate with the database server.
SECURITY
The type of security for the connection.
VALIDATE_CERT
Whether to validate the certificate using SSL/TLS.
SSL_VERSION
The version of SSL/TLS to use for the connection.
CONNECT_TIMEOUT
The time limit in seconds for the client to establish a connection to the database.
RECEIVE_TIMEOUT
The time limit in seconds for the client to receive a response from the database.
SEND_TIMEOUT
The time limit in seconds for the client to send a request to the database.
SQLNET.EXPIRE_TIME
The time limit in seconds for the client to detect a connection has failed.
TRACE_LEVEL
The level of tracing for the database connection.
TRACE_DIRECTORY
The directory where the trace files are stored.
TRACE_FILE_NAME
The name of the trace file.
LOG_FILE
The file where the log information is stored.
Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools for our Pwnbox instance in case it does not have these already. Here is a Bash script that does all of that:
After that, we can try to determine if the installation was successful by running the following command:
Located in /opt/odat/
Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases. It can be used to identify and exploit various security flaws in Oracle databases, including SQL injection, remote code execution, and privilege escalation.
Let's now use nmap to scan the default Oracle TNS listener port.
We can see that the port is open, and the service is running. In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. It can have multiple instances, each with its own System ID. An instance is a set of processes and memory structures that interact to manage the database's data. When a client connects to an Oracle database, it specifies the database's SID along with its connection string. The client uses this SID to identify which database instance it wants to connect to. Suppose the client does not specify a SID. Then, the default value defined in the tnsnames.ora file is used.
The SIDs are an essential part of the connection process, as it identifies the specific instance of the database the client wants to connect to. If the client specifies an incorrect SID, the connection attempt will fail. Database administrators can use the SID to monitor and manage the individual instances of a database. For example, they can start, stop, or restart an instance, adjust its memory allocation or other configuration parameters, and monitor its performance using tools like Oracle Enterprise Manager.
There are various ways to enumerate, or better said, guess SIDs. Therefore we can use tools like nmap, hydra, odat, and others. Let us use nmap first.
We can use the odat.py tool to perform a variety of scans to enumerate and gather information about the Oracle database services and its components. Those scans can retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations, etc. Let us use the all option and try all modules of the odat.py tool.
$ python3 ./odat.py all -s 10.129.205.19
In this example, we found valid credentials for the user scott and his password tiger. After that, we can use the tool sqlplus to connect to the Oracle database and interact with it.
Log in to SQL*Plus
SQLPLUS [ [{username[/password][@connect_identifier] | / } [AS {SYSOPER | SYSDBA | SYSASM}][edition=value]] | /NOLOG ]
List help topics available in SQL*Plus
HELP [ INDEX | topic ]
Execute host commands
HOST [ command ]
Show SQL*Plus system variables or environment settings
SHOW { ALL | ERRORS | USER | system_variable [, system_variable] ...}
Alter SQL*Plus system variables or environment settings
SET system_variable value
Start up a database
STARTUP [ PFILE = filename ] [ MOUNT [ dbname ] | NOMOUNT ]
Connect to a database
CONNECT [{username[/password] [@connect_identifier] | / | proxy_user [ username ] [/password] [@connect_identifier]} [AS {SYSOPER | SYSDBA | SYSASM}] [edition=value] ] Note: Brackets in boldface are part of the syntax and do not imply optionality.
List column definitions for a table, view, or synonym, or specifications for a function or procedure
DESCRIBE [ schema. ] object
Edit contents of the SQL buffer or a file
EDIT [ filename [ .ext ] ]
Get a file and load its contents into the SQL buffer
GET filename [ .ext ] [ LIST | NOLLIST ]
Save contents of the SQL buffer to a file
SAVE filename [ .ext ] [ CREATE | REPLACE | APPEND ]
List contents of the SQL buffer
LIST [ n | n m | n LAST ]
Delete contents of the SQL buffer
DEL [ n | n m | n LAST ]
Add new lines following current line in the SQL buffer
INPUT [ text ]
Append text to end of current line in the SQL buffer
APPEND text
Find and replace first occurrence of a text string in current line of the SQL buffer
CHANGE sepchar old [ sepchar [ new [ sepchar ] ] ] sepchar can be any nonalphanumeric ASCII character such as "/" or "!"
Capture query results in a file and, optionally, send contents of file to default printer
SPOOL [ filename [ .ext ] [ CREATE | REPLACE | APPEND | OFF | OUT ]
Run SQL*Plus statements stored in a file
@ { url | filename [ .ext ] } [ arg ... ]START { url | filename [ .ext ] } [ arg ... ] ext can be omitted if the filename extension is .sql
Execute commands stored in the SQL buffer
/
List and execute commands stored in the SQL buffer
RUN
Execute a single PL/SQL statement or run a stored procedure
EXECUTE statement
Disconnect from a database
DISCONNECT
Shut down a database
SHUTDOWN [ ABORT | IMMEDIATE | NORMAL ]
Log out of SQL*Plus
{ EXIT | QUIT } [ SUCCESS | FAILURE | WARNING ] [ COMMIT | ROLLBACK ]
Here, the user scott has no administrative privileges. However, we can try using this account to log in as the System Database Admin (sysdba), giving us higher privileges. This is possible when the user scott has the appropriate privileges typically granted by the database administrator or used by the administrator him/herself.
We can follow many approaches once we get access to an Oracle database. It highly depends on the information we have and the entire setup. However, we can not add new users or make any modifications. From this point, we could retrieve the password hashes from the sys.user$ and try to crack them offline. The query for this would look like the following:
Another option is to upload a web shell to the target. However, this requires the server to run a web server, and we need to know the exact location of the root directory for the webserver. Nevertheless, if we know what type of system we are dealing with, we can try the default paths, which are:
OS
Path
Linux
/var/www/html
Windows
C:\inetpub\wwwroot
First, trying our exploitation approach with files that do not look dangerous for Antivirus or Intrusion detection/prevention systems is always important. Therefore, we create a text file with a string and use it to upload to the target system.
Finally, we can test if the file upload approach worked with curl. Therefore, we will use a GET http://<IP> request, or we can visit via browser.
Each database or service has a unique entry in the file, containing the necessary information for clients to connect to the service. The entry consists of a name for the service, the network location of the service, and the database or service name that clients should use when connecting to the service. For example, a simple tnsnames.ora file might look like this:
If you come across the following error sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory, please execute the below, taken from .
There are many that we can use to enumerate the database manually. For example, we can list all available tables in the current database or show us the privileges of the current user like the following:
