Oracle TNS Enumeration

    If you look at a plain connection from the SQL*Plus client to a TNS listener in Wireshark, you will find the first connect packet looks like the one below.

    • TNS Packet Hexdump

      0010 01 14 65 4f 40 00 40 06 53 28 c0 a8 00 0f c0 a8 ..eO@.@.S(......
      0020 00 0d 81 32 05 f1 04 d7 76 08 c9 98 31 e3 80 18 ...2....v...1...
      0030 00 e5 0f 40 00 00 01 01 08 0a 0d 8a 13 4a 05 44 ...@.........J.D
      0040 03 b3 00 e0 00 00 01 00 00 00 01 3b 01 2c 0c 41 ...........;.,.A
      0050 20 00 ff ff 7f 08 00 00 01 00 00 9a 00 46 00 00 ............F..
      0060 08 00 41 41 00 00 00 00 00 00 00 00 00 00 00 00 ..AA............
      0080 00 20 00 00 00 00 00 00 28 44 45 53 43 52 49 50 . ......(DESCRIP
      0090 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f 44 41 TION=(CONNECT_DA
      00b0 3d 58 45 29 28 43 49 44 3d 28 50 52 4f 47 52 41 =XE)(CID=(PROGRA
      00c0 4d 3d 73 71 6c 70 6c 75 73 40 41 72 63 68 65 72 M=sqlplus@Archer
      00d0 29 28 48 4f 53 54 3d 41 72 63 68 65 72 29 28 55 )(HOST=Archer)(U
      00e0 53 45 52 3d 4b 49 4e 47 29 29 29 28 41 44 44 52 SER=KING)))(ADDR
      00f0 45 53 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 43 ESS=(PROTOCOL=TC
      0100 50 29 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 2e P)(HOST=192.168.
      0110 30 2e 31 33 29 28 50 4f 52 54 3d 31 35 32 31 29 0.13)(PORT=1521)
      0120 29 29 ))

    Now, based on what we have learned from the capture, let's build an equivalent request in Ruby.

    • SID Request

        # The def line is an assumption: the original fragment shows only the body and its closing end.
        def sid_request(sid, host, port)
          # Connect descriptor carrying the SID the listener is asked about
          connect_data = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{host})(PORT=#{port})))"
          pkt = tns_packet(connect_data) # tns_packet: the script's helper that prepends the TNS header (not shown on this page)
        end

    Now we have everything we need to send our packet, so let's build a simple TNS brute forcer to enumerate the SIDs a listener serves. The default behaviour of Oracle 11g is to reply with nothing if the SID exists and with an error if it does not; the error looks like this: (DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=12505)(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))

    Let's wrap everything together by building a SID brute force script.

    Run it

    ruby tns_brute.rb 192.168.0.13 1521
    [+] Found SID: PLSExtProc
    [+] Found SID: XE
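    The author's tns_brute.rb is not reproduced on this page. As an added example (my code, not the author's or Metasploit's), here is the packet builder and reply classifier the script needs in Ruby, with every header value taken from the capture above; it assumes the 16 bytes at offset 0x70, which are missing from the dump, are zero, and the helper names (tns_connect_packet, sid_connect_data, classify_reply, probe_sid) are mine.

```ruby
# -*- coding: binary -*-
require 'socket'

# Build a TNS CONNECT packet with the field values of the captured SQL*Plus
# connect: 8-byte TNS header, 26 bytes of connect fields, 36 bytes of trace and
# padding fields (the 16 at 0x70 are missing from the dump; assumed zero), data.
def tns_connect_packet(connect_data)
  fields = [
    0x013b, 0x012c, # protocol version 315, lowest compatible version 300
    0x0c41,         # service options
    0x2000, 0xffff, # SDU 8192, TDU 65535
    0x7f08,         # NT protocol characteristics
    0x0000, 0x0100, # line turnaround, "value of 1" for byte-order detection
    connect_data.bytesize, 70, # connect data length and offset from packet start
    0x00000800,     # maximum receivable connect data
    0x41, 0x41      # connect flags 0 and 1
  ].pack('n10NC2')
  padding = ("\x00" * 28 + "\x00\x20" + "\x00" * 6).b
  body = fields + padding + connect_data.b
  [8 + body.bytesize, 0, 1, 0, 0].pack('nnCCn') + body # packet type 1 = CONNECT
end

def sid_connect_data(sid, host, port)
  "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))" \
  "(ADDRESS=(PROTOCOL=tcp)(HOST=#{host})(PORT=#{port})))"
end

# Interpret the listener's reply by packet type (byte 4): 2 ACCEPT, 4 REFUSE,
# 5 REDIRECT, 11 RESEND. A REFUSE carries "(ERR=nnnnn)"; 12505 is the
# "listener does not currently know of SID" error quoted above.
def classify_reply(reply)
  return :no_reply if reply.nil? || reply.bytesize < 8
  case reply.getbyte(4)
  when 2, 5, 11 then :sid_exists
  when 4
    err = reply[/\(ERR=(\d+)\)/, 1]
    err == '12505' ? :sid_unknown : :"refused_#{err}"
  else :unexpected
  end
end

# Send one probe and classify the answer (network I/O; not exercised offline).
def probe_sid(host, port, sid, timeout = 5)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(tns_connect_packet(sid_connect_data(sid, host, port)))
  reply = IO.select([sock], nil, nil, timeout) ? sock.read_nonblock(4096, exception: false) : nil
  classify_reply(reply.is_a?(String) ? reply : nil)
ensure
  sock&.close
end
```

    For the capture's 154-byte descriptor the builder yields the 0x00e0 (224-byte) packet seen in Wireshark; a loop over a SID wordlist calling probe_sid is all that remains of the script.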

    Notes:

    • This script works on Oracle 11g and earlier.
    • Notice the # -*- coding: binary -*- line at the top of the script: the script handles raw binary data that is not valid text in Ruby's default source encoding.
    • Metasploit | sid_brute auxiliary module