Backtrack Oracle Tutorial

The following short tutorial explains how to do a (limited) pentest against Oracle (8.1.7.4 –
10.2.0.2). This tutorial will be extended in the future…
The following tutorial explains how to do an Oracle pentest with Backtrack 2.0. I want to
thank the entire Backtrack-Team for this great collection of security tools and Max for the
collaboration.
Nowadays there are many Oracle 10g databases around. Oracle did a good job (but not a
perfect one) hardening the database out of the box. Most tutorials still describe how to break older
8i/9i databases, and most of the older tools do not work against the new 10g listener. We will
show how to connect to an Oracle database, decrypt Oracle passwords, hack the TNS listener
and escalate privileges.
Questions and comments are welcome.
Nov. 2006 - http://www.red-database-security.com 1 / 19
Backtrack Oracle Tutorial 1.10a
At a glance:
1. Find the Oracle database + port of the listener (with nmap/amap)
nmap -v <IP-ADDRESS>
2. Get the version number of the database (with tnscmd)
tnscmd10g.pl version -h <IP-ADDRESS>
3. Get the SID/servicename (with tnscmd or sidguess)
tnscmd10g.pl status -h <IP-ADDRESS> (unprotected listener)
sidguess host=<IP-ADDRESS> port=<PORT> sidfile=sid.txt
4. Connect to the database (with sqlplus)
sqlplus user/password@//<IP-ADDRESS>:<PORT>/<SID>
5. Check the database for weak passwords (with checkpwd)
checkpwd user/password@//<IP-ADDRESS>:<PORT>/<SID> default_passwords.txt
6. Hacking the TNS Listener with tnscmd10g.pl
7. Escalating Privileges via sqlplus
a. dbms_export_extension
b. more coming soon.
Find TNS Listener Port
The first step in an Oracle security pentest is to identify the TNS Listener port of the
Oracle database. By default this port is 1521 (sometimes also 1526), but for security reasons
some DBAs change the default port to a different one. From my experience most TNS
listeners are listening on port 1521.
We can use nmap or amap to identify the port where the TNS listener is running. Both tools
are installed on the Backtrack CD.
nmap -v <IP-ADDRESS>

Get the Oracle version
To identify the version and operating system we can get the version string from the Oracle
TNS Listener. This version string contains the version, patch level and operating system of
the TNS Listener. This string is always returned (also in 10g), even if the listener is
password protected.
tnscmd10g.pl version -h <IP-ADDRESS>
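As an added example (not part of the original tutorial or of the tnscmd tool), a small Python parser for the listener's version reply as tnscmd10g.pl prints it: it extracts the platform, the version string and the packed VSNNUM, decodes the latter so the two can be cross-checked for an asset inventory, and applies the tutorial's rule of thumb for which listeners still answer status requests with SIDs. The reply below is constructed, and the VSNNUM byte layout is an assumption that was checked only against 9.2, 10.2 and 11.2 values.

```python
import re

# Constructed sample of the listener's reply to a "version" request, in the
# NV-pair layout tnscmd10g.pl prints (not captured from a real host; values
# mirror the 9.2.0.1 Windows host in the tutorial).
SAMPLE_VERSION_REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)"
    "(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production"
    "\tTNS for 32-bit Windows: Version 9.2.0.1.0 - Production))"
)

def decode_vsnnum(vsnnum: int) -> str:
    """Unpack the 32-bit VSNNUM into dotted form. Assumed layout: one byte
    major, one nibble release, one nibble update, one byte port release, one
    byte patch, e.g. 0x09200100 -> '9.2.0.1.0' (checked against 9.2/10.2/11.2)."""
    major = (vsnnum >> 24) & 0xFF
    release = (vsnnum >> 20) & 0xF
    update = (vsnnum >> 16) & 0xF
    port_release = (vsnnum >> 8) & 0xFF
    patch = vsnnum & 0xFF
    return f"{major}.{release}.{update}.{port_release}.{patch}"

def parse_version_reply(reply: str) -> dict:
    """Extract the inventory-relevant fields from a version reply and
    cross-check the packed VSNNUM against the VERSION text."""
    vsn = re.search(r"\(VSNNUM=(\d+)\)", reply)
    err = re.search(r"\(ERR=(\d+)\)", reply)
    # First VERSION component names the listener binary and its platform.
    ver = re.search(r"TNSLSNR for ([^:]+): Version (\d+(?:\.\d+)+)", reply)
    info = {
        "vsnnum": int(vsn.group(1)) if vsn else None,
        "err": int(err.group(1)) if err else None,
        "platform": ver.group(1).strip() if ver else None,
        "version": ver.group(2) if ver else None,
    }
    info["vsnnum_decoded"] = decode_vsnnum(info["vsnnum"]) if vsn else None
    # A mismatch usually means a truncated or altered reply: trust neither.
    info["consistent"] = ver is not None and info["vsnnum_decoded"] == info["version"]
    return info

def status_disclosure_expected(version: str) -> bool:
    """True when the tutorial says 'status' will still reveal SIDs: listeners
    before 9.2.0.6. Simplification: treats 9.2.0.6+ as protected, which
    assumes the password protection the tutorial mentions is in place."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (9, 2, 0, 6)
```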

Get SID/Servicename
From Oracle 7 to 9i Release 2 the listener always returned the SID/Servicename of the registered
Oracle databases via the listener status command. Since Patchset 9.2.0.6 (with password protection)
and in Oracle 10g the listener no longer returns these values.
The name of the SID/Service_name is mandatory for connecting to the database via OCI.
Without knowledge of the SID it is not possible to connect to Oracle.
In unprotected 8i/9i environments the easiest way to get this information is the status
command. The status command returns a lot of useful information like version number, OS,
installation path, SID, port, …
The status command can be submitted as follows:
tnscmd10g.pl status -h <IP-ADDRESS>
Now we know:
Version: 9.2.0.1
Operating System: Windows
Oracle_Home: c:\oracle\ora92
Extproc installed: YES
Ports: 1521 (TNS), 2100 (FTP), 8080 (HTTP)
SID: ora9201
Now we know that the SID is ora9201. We can use this value to connect to the Oracle
database using sqlplus or checkpwd.
If the Oracle 9i Listener is password protected, we get the following error message from
the status command.

In the case of an Oracle 10g database (protected with local OS authentication), we get a
different error message from the status command.

For security reasons Oracle blocks status requests from external IP addresses in Oracle
10g and in password-protected 9i listeners. In this case we can try to brute-force or
dictionary-attack the SID with sidguess:
sidguess host=<IP-ADDRESS> port=<PORT> sidfile=sid.txt

Now we know that the SID of this database is XE, and we have all the information that is
necessary to connect to the database. OK, we still need an Oracle account.
Connect to the database (with sqlplus)
After collecting the IP-Address, port and SID/Servicename we are now able to connect to the
Oracle database. The easiest way to do this is the (free) command line interface sqlplus.
Typical default username/password-combinations are:
dbsnmp/dbsnmp (nearly DBA)
outln/outln (nearly DBA)
scott/tiger (normal user with some create privileges)
system/manager (DBA)
sys/change_on_install (DBA)
sqlplus user/password@//<IP_ADDRESS>:<PORT>/<SID>
At the prompt we can run all SQL commands (according to our privileges):
select * from v$version;
select username from all_users;
select * from session_roles;
select username,password from dba_users; (DBA only)
show parameter
We can leave sqlplus with the quit command.
Check the database for weak passwords
Check the quality of the passwords with checkpwd. To get better results you can use a
larger dictionary file; the file default_passwords.txt contains only 600+ default
passwords.
checkpwd also automatically checks for username=password.
checkpwd system/alexora1@//192.168.2.232/ora9201 default_passwords.txt

Oracle 9.2.0.6 and higher with password protected listener
Check the version of the listener with the version command
tnscmd10g.pl version -h 192.168.2.232
Get the status of the listener with the status command
tnscmd10g.pl status -h 192.168.2.232
Oracle 10g
Check the version of the listener with the version command
tnscmd10g.pl version -h 192.168.2.234
Get the status of the listener with the status command
tnscmd10g.pl status -h 192.168.2.234
In Oracle 10g (with listener OS authentication) the listener returns an error message instead of the status.

Guess and/or brute-force the SID
sidguess host=<IP-ADDRESS> port=<PORT> sidfile=sid.txt
Connect with sqlplus and the guessed SID
Check the passwords with checkpwd
checkpwd system/alexora1@//192.168.2.234/xe default_passwords.txt
