TNSCmd

 

Tnscmd can be used to communicate directly with Oracle's TNS listener; no Oracle client is needed. Unlike the Oracle listener control utility LSNRCTL.exe, tnscmd.pl does not need any connection strings, and a direct bi-directional conversation can be established immediately.

TNSCmd.pl is available from here:

By default tnscmd will ping the stated host if no command is supplied.

[root@localhost tnscmd]# perl tnscmd.pl -h 192.168.0.1
sending (CONNECT_DATA=(COMMAND=ping)) to 192.168.0.1:1521
writing 87 bytes
reading
......."..=(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER))

 

The three stages that have occurred are:

  • the TNS command itself: (CONNECT_DATA=(COMMAND=ping))
  • the raw TNS packet sent to the TNS listener: writing 87 bytes
  • the raw TNS reply packet from the TNS listener: "..=(DESCRIPTION=(T etc.

 

The VSNNUM is the Oracle version number in decimal; converting it to hex gives the version = 9.2 (which was actually 9.1i).

 

[root@localhost tnscmd]# perl tnscmd.pl version -h 192.168.0.1
sending (CONNECT_DATA=(COMMAND=version)) to 192.168.0.1:1521
writing 90 bytes
reading
.M.......6.........-. ..........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))..........TNSLSNR
for 32-bit Windows: Version 9.2.0.1.0 - Production..TNS for 32-bit Windows: Version 9.2.0.1.0 - Production..Oracle Bequeath NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production..
Windows NT Named Pipes NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production..
Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production,,.........@

 

[root@localhost tnscmd]# perl tnscmd.pl status -h 192.168.0.1
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.0.1:1521
writing 89 bytes
reading
. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=
LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=05-DEC200509:36:12)(SIDNUM=1)(LOGFILE=C:\oracle\ora92\
network\log\listener.log) (PRMFILE=C:\oracle\ora92\network\admin\listener.ora)(TRACING=off)
(UPTIME=3508960369)(SNMP=OFF)(PID=808)).a........(ENDPOINT=(HANDLER=(HANDLER_
MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=0309991
D7055-491B-9C9467FF511E869)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=
(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc))))),,ENDPOINT=(HANDLER=
(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
(HANDLER_ID=01AAF1D856D6-4DFB-987D-

 

As you can see, the raw reply is confusing to read; pass the --indent option at the end of the command and tnscmd will format the reply in a human-readable form.

 

The above is just a small part of the results, but the data shown tells us we are dealing with an Oracle 9i installation on Windows, that SNMP is turned off, and the location of the log file and with it the $ORACLE_HOME directory, which may help in a future attack. It will also normally tell you the hostname and the other ports on which Oracle processes are running, e.g. port 2100 for FTP.
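A worked example, added here and not part of tnscmd or the original page, that decodes the VSNNUM quoted above and pulls out of a status reply the fields a defender would check (SECURITY, SNMP, the log file and the ORACLE_HOME derived from it). The reply string is constructed from the page's own output, and the VSNNUM decoding assumes the usual packed-hex reading of that number.

```python
import re

# Constructed sample: the leaf fields from the page's tnscmd status reply,
# re-joined into one string (the real reply also carries binary header bytes).
SAMPLE_REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
    "(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)"
    "(START_DATE=05-DEC-2005 09:36:12)(SIDNUM=1)"
    "(LOGFILE=C:\\oracle\\ora92\\network\\log\\listener.log)"
    "(PRMFILE=C:\\oracle\\ora92\\network\\admin\\listener.ora)(TRACING=off)"
    "(UPTIME=3508960369)(SNMP=OFF)(PID=808))"
)


def decode_vsnnum(vsnnum):
    """Turn the decimal VSNNUM into a dotted Oracle version.

    Assumed layout (the usual packed-hex reading): 153092352 == 0x09200100,
    read as 8-bit major, 4-bit minor, 4-bit maintenance, 8-bit patch and
    4-bit port-specific release, with 4 reserved bits -> 9.2.0.1.0.
    """
    v = int(vsnnum)
    return "{}.{}.{}.{}.{}".format(
        (v >> 24) & 0xFF, (v >> 20) & 0xF, (v >> 16) & 0xF,
        (v >> 8) & 0xFF, (v >> 4) & 0xF)


def parse_leaf_fields(reply):
    """Collect the innermost KEY=VALUE pairs of a TNS DESCRIPTION into a dict."""
    return dict(re.findall(r"\((\w+)=([^()]*)\)", reply))


def listener_findings(reply):
    """Summarise the points a defender checks in a listener status reply."""
    f = parse_leaf_fields(reply)
    logfile = f.get("LOGFILE", "")
    # The listener log sits under ORACLE_HOME/network/log, so the path before
    # "network" is ORACLE_HOME (assumes the default log location).
    oracle_home = re.split(r"[\\/]network[\\/]", logfile, maxsplit=1)[0]
    return {
        "version": decode_vsnnum(f["VSNNUM"]),
        "windows": "Windows" in f.get("VERSION", ""),
        "security_off": f.get("SECURITY", "").upper() == "OFF",  # listener not password-protected
        "snmp_off": f.get("SNMP", "").upper() == "OFF",
        "logfile": logfile,
        "oracle_home": oracle_home,
        "pid": f.get("PID"),
    }


if __name__ == "__main__":
    for key, value in listener_findings(SAMPLE_REPLY).items():
        print(f"{key:13} {value}")
```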

 

Another command that could be tried, and that may provide details such as usernames, is the following:

[root@localhost tnscmd]# perl tnscmd.pl -h 192.168.0.1 --cmdsize 40

This may return data from previous TNS packets, as the listener doesn't always clear its buffers as effectively as it should. If the above is successful, try incrementing the cmdsize up to, say, 200 and maybe more will be returned. This vulnerability is present in early versions of Oracle and may not work on the current versions in use today. It's still worth a try though.

 

  © VulnerabilityAssessment.co.uk            Thursday May 17, 2007