To connect to the backend Oracle database you need to know the Oracle Instance Name (SID). This was not a problem before Oracle 10g, as the listener could be queried directly and the SID very easily enumerated. Oracle 10g came along and changed this with added protection for the
Attempts to manually guess the SID are therefore greeted with the following error: "ORA-12505: TNS:listener does not currently know of SID given in connect descriptor".
Alexander Kornbrust from RedBase Security came up with a dictionary based SID enumerator. It is similar to the sidguesser tool released by Patrik at cqure.net. The advantage of this tool is that it is almost twice as fast as that one: Sidguess checks 190 SIDs per second, which allows you to check every 4 character SID in approx 3 hours and every 5 character SID in approx 4 days. (Obviously the most important thing for this tool is the dictionary you have defined in the first place.)
It is available from here.
Extract the executable. You must ensure that you have the following DLL on the testing machine: oci.dll; otherwise the tool will not work. This can be obtained from a number of sources (Google is a good start). A copy of it is here.
Usage: repscan param_name1=param_value1 param_nameN=param_valueN
The following parameters are available:
host=<host_name> - the name or IP address of the computer running the DB
port=<port> - port for
sidfile=<file_name> - file with the SID names to use
broot=generate SIDs instead of using SID list file
Minor note: you will notice that by pressing return the following help is displayed, which alludes to a totally different tool (also offered by Red-Base); hopefully this will be altered in the next iteration.
C:\Documents and Settings\hacker\Desktop>sidguess.exe host=22.214.171.124
The tool correctly brute-forced the SID of the 10g database I tested it on. The tool is easy to use and comes from a reliable company which also offers a good deal of Oracle exploit code (and training if you require it).
Note: the testing XP SP2 machine had Oracle Client 9.2 installed, and the use of the tool produced an sqlnet.log file listing a number of bad connections.
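The server side records those bad connections as well: each guess that the listener rejects lands in listener.log with return code 12505. As an added example (not part of the original post or the Red-Base tool), the script below parses constructed listener.log-style lines and flags any client that racks up repeated unknown-SID failures inside a short window, which is the footprint a SID dictionary run leaves behind. The line layout ("<timestamp> * (CONNECT_DATA=...) * (ADDRESS=...) * establish * <sid> * <code>") and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed layout of an Oracle listener.log connect entry:
# "<timestamp> * (CONNECT_DATA=...) * (ADDRESS=...) * establish * <sid> * <return code>".
# Return code 12505 is the ORA-12505 "listener does not currently know of SID" failure.
SAMPLE_LOG = """\
12-MAR-2007 10:15:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=ws1)(USER=dba))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=3012)) * establish * ORCL * 0
12-MAR-2007 10:15:02 * (CONNECT_DATA=(SID=AAAA)(CID=(PROGRAM=test)(HOST=ws9)(USER=t))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=4001)) * establish * AAAA * 12505
12-MAR-2007 10:15:02 * (CONNECT_DATA=(SID=AAAB)(CID=(PROGRAM=test)(HOST=ws9)(USER=t))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=4002)) * establish * AAAB * 12505
12-MAR-2007 10:15:03 * (CONNECT_DATA=(SID=AAAC)(CID=(PROGRAM=test)(HOST=ws9)(USER=t))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=4003)) * establish * AAAC * 12505
12-MAR-2007 10:15:03 * (CONNECT_DATA=(SID=AAAD)(CID=(PROGRAM=test)(HOST=ws9)(USER=t))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=4004)) * establish * AAAD * 12505
12-MAR-2007 10:15:04 * (CONNECT_DATA=(SID=AAAE)(CID=(PROGRAM=test)(HOST=ws9)(USER=t))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=4005)) * establish * AAAE * 12505
12-MAR-2007 10:20:00 * (CONNECT_DATA=(SID=ORLC)(CID=(PROGRAM=sqlplus)(HOST=ws2)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.7)(PORT=3020)) * establish * ORLC * 12505
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\(SID=(?P<sid>[^)]*)\).*? \* "
    r"\(ADDRESS=.*?\(HOST=(?P<client>[^)]+)\).*? \* establish \* \S+ \* (?P<code>\d+)$"
)

def parse_line(line):
    """Parse one connect line; None for lines in another layout (service/status lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["sid"], m["client"], int(m["code"])

def flag_sid_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client: (total ORA-12505 failures, distinct SIDs tried)} for each
    client with at least `threshold` unknown-SID failures inside one sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 12505:
            failures[rec[2]].append((rec[0], rec[1]))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _sid) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = (len(events), len({s for _, s in events}))
                break
    return flagged
```

A single mistyped SID (10.0.0.7 above) stays below the threshold, while the client cycling through many SIDs in a couple of seconds is reported with its failure count and the number of distinct SIDs it tried.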