Pen Testing Framework: Tools: Information

TNSCmd
Tnscmd can be used to communicate directly with Oracle's TNS listener (no Oracle client is needed). Unlike the Oracle listener control utility LSNRCTL.exe, TNSCmd.pl does not need any connection strings, and a direct bi-directional conversation can be established immediately. TNSCmd.pl is available from here:

tnscmd will by default ping the stated host if no command is supplied.

    [root@localhost tnscmd]# perl tnscmd.pl -h 192.168.0.1
    sending (CONNECT_DATA=(COMMAND=ping)) to 192.168.0.1:1521
    writing 87 bytes
    reading
    ......."..=(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER))
The three stages that have occurred are:

The VSNNUM is the Oracle version number in decimal; converting it to hex gives the version, here 9.2 (which was actually 9.1i).
    [root@localhost tnscmd]# perl tnscmd.pl version -h 192.168.0.1
    sending (CONNECT_DATA=(COMMAND=version)) to 192.168.0.1:1521
    writing 90 bytes
    reading
    .M.......6.........-. ..........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))..........
    TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production..
    TNS for 32-bit Windows: Version 9.2.0.1.0 - Production..
    Oracle Bequeath NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production..
    Windows NT Named Pipes NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production..
    Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production,,.........@
    [root@localhost tnscmd]# perl tnscmd.pl status -h 192.168.0.1
    sending (CONNECT_DATA=(COMMAND=status)) to 192.168.0.1:1521
    writing 89 bytes
    reading
    . .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=05-DEC-2005 09:36:12)(SIDNUM=1)(LOGFILE=C:\oracle\ora92\network\log\listener.log)(PRMFILE=C:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=3508960369)(SNMP=OFF)(PID=808))
    .a........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=0309991D7055-491B-9C9467FF511E869)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))))
    ,,ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=01AAF1D856D6-4DFB-987D-
As you can see, the raw output is confusing to read; pass the --indent option at the end of the command and the reply will be formatted in a human-readable layout.
The above is only a small part of the results, but the fields shown tell us we are dealing with an Oracle 9i installation on Windows, that SNMP is turned off, and the location of the log file, which in turn reveals the $ORACLE_HOME directory; all of this may help in a future attack. The status reply will also normally tell you the hostname and the other ports on which Oracle processes are running, e.g. port 2100 for FTP.
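The VSNNUM conversion above and the fields read off the status reply, worked as an added Python example that is not part of the original page or of the tnscmd tool: a small parser for the nested (KEY=VALUE) reply format (what --indent makes readable), the VSNNUM unpacking, and a summary of what the reply gives away. The sample reply is constructed from the values shown above, and the VSNNUM field layout (8-bit major, two 4-bit fields, two 8-bit fields) is an assumption that reproduces the 9.2.0.1.0 banner on this page.

```python
import re

# Constructed sample: the DESCRIPTION group of the status reply above, cut to the fields discussed.
SAMPLE_STATUS = ("(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
                 "(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)"
                 "(LOGFILE=C:\\oracle\\ora92\\network\\log\\listener.log)(SNMP=OFF)(PID=808))")

def parse_tns(text):
    """Parse nested (KEY=VALUE) groups into dicts; a repeated key collects its values in a list."""
    pos = 0
    def group():                                  # parse one (KEY=...) group starting at text[pos]
        nonlocal pos
        eq = text.index("=", pos)
        key, pos = text[pos + 1:eq].strip(), eq + 1
        if text[pos] == "(":                      # nested groups follow the '='
            value = {}
            while text[pos] == "(":
                k, v = group()
                value[k] = v if k not in value else (
                    value[k] + [v] if isinstance(value[k], list) else [value[k], v])
        else:                                     # a scalar value runs up to the closing paren
            close = text.index(")", pos)
            value, pos = text[pos:close], close
        if text[pos] != ")":
            raise ValueError("unbalanced group near offset %d" % pos)
        pos += 1
        return key, value
    key, value = group()
    return {key: value}

def decode_vsnnum(n):
    """Unpack VSNNUM as 8-bit major, two 4-bit fields, two 8-bit fields (assumed layout)."""
    return "%d.%d.%d.%d.%d" % ((n >> 24) & 0xFF, (n >> 20) & 0xF, (n >> 16) & 0xF,
                               (n >> 8) & 0xFF, n & 0xFF)

def oracle_home(logfile):
    """ORACLE_HOME is the part of the listener log path before the network directory."""
    m = re.match(r"(.*?)[\\/]network[\\/]", logfile, re.IGNORECASE)
    return m.group(1) if m else ""

def summarize(text):
    """The facts the text reads off a status reply, plus what SECURITY=OFF means for the listener."""
    d = parse_tns(text)["DESCRIPTION"]
    notes = []
    if d.get("SECURITY", "").upper() == "OFF":
        notes.append("SECURITY=OFF: no listener password is set, so control commands are not password-protected")
    return {"version": decode_vsnnum(int(d["VSNNUM"])), "banner": d.get("VERSION", ""),
            "snmp": d.get("SNMP", ""), "oracle_home": oracle_home(d.get("LOGFILE", "")),
            "notes": notes}
```

Running summarize(SAMPLE_STATUS) yields version 9.2.0.1.0, which matches the banner string in the VERSION field, together with SNMP=OFF and ORACLE_HOME C:\oracle\ora92.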
Another command that could be tried, and that may provide details such as usernames, is the following:

    [root@localhost tnscmd]# perl tnscmd.pl -h 192.168.0.1 --cmdsize 40

This may return data from previous TNS packets, as the listener doesn't always clear its buffers as effectively as it should. If the above is successful, try increasing the cmdsize to, say, 200 and more may be returned. This vulnerability is present in early versions of Oracle and may not work on the versions in use today. It's still worth a try though.
© VulnerabilityAssessment.co.uk Thursday May 17, 2007