search
πŸ“œ MediumπŸ›’ My ShopπŸ‘Ύ GithubπŸ“© Telegram πŸ“Ί YouTubeβœ– Twitter

Oracle TNS Listener - Port 1521,1522-1529

hashtag
Basic info

Oracle databases are widely used across industries for storing sensitive enterprise data. However, their exposure to the networkβ€Šβ€”β€Šespecially via the Transparent Network Substrate (TNS) listenerβ€Šβ€”β€Šcan introduce serious security risks. Oracle TNS operates over default port 1521, but in complex environments, you may encounter instances on 1522–1529 or even beyond. This article provides in-depth techniques for enumerating, exploiting, and securing Oracle TNS listeners, with real-world examples and practical commands.

hashtag
1. Understanding Oracle TNS and Default Ports

What is TNS?

TNS (Transparent Network Substrate) is Oracle’s proprietary protocol that enables communication between Oracle clients and databases across a network. It allows connections, sessions, and commands like CONNECT, DATA, RESOLVE, etc., to flow through Oracle listeners.

Default Ports

  • 1521β€Šβ€”β€ŠPrimary default listener port

  • 1522–1529β€Šβ€”β€ŠOften used for additional listeners, RAC (Real Application Clusters), or other configured services

In real-world Oracle deployments, multiple listener processes may be used for load balancing, high availability, or segregation of duties across applications.

hashtag
2. Common Vulnerabilities in TNS Listeners

2.1. CVE-2012–1675β€Šβ€”β€ŠTNS Poison Attack

Description: A critical vulnerability allowing attackers to hijack database sessions by registering rogue services with the listener.

Impact: MITM attacks, data exfiltration, and full control over database traffic.

Mitigation: Use VALID_NODE_CHECKING_REGISTRATION = YES and restrict registration IPs.

hashtag
2.2. No Listener Authentication

Many Oracle listeners are deployed with no password or authentication, allowing unauthenticated attackers to:

  • View service names

  • Stop, start, or reload the listener

  • Perform Denial-of-Service (DoS) attacks

hashtag
2.3. Information Disclosure via Listener STATUS

An attacker can request a STATUS command to retrieve:

  • Hostnames

  • Service names

  • Instance names

  • Database version

hashtag
3. Enumeration Techniques

3.1. Nmap Scanning

Start by identifying open ports and checking for Oracle services.

Use the Oracle-specific NSE script:

hashtag
3.2. Checking with Metasploit

Output reveals the listener version, hostname, and Oracle SID.

hashtag
3.3. Using TNSping

Oracle client installations come with tnsping:

Alternatively, simulate TNSping with Python or Netcat by sending crafted TNS packets.

hashtag
3.4. Manual Enumeration Using Telnet or Netcat

Send raw TNS packets:

You can script this using Python socket module to brute-force or enumerate SIDs.

hashtag
4. Exploitation Techniques

4.1. Exploiting TNS Poison Attack (CVE-2012–1675)

Metasploit Module:

Warning: This module may crash the listener or disrupt sessions. Use only in lab or authorized environments.

hashtag
4.2. Exploiting Unauthenticated Listener Control

If listener commands like STATUS, STOP, or RELOAD are unauthenticated:

You can perform a Denial-of-Service:

hashtag
5. Custom Python Script to Enumerate Listener Services

circle-check

Learn & practice For the OSCP.arrow-up-right

chevron-rightSupport VeryLazyTech πŸŽ‰hashtag
PreviousMSSQL (Microsoft SQL Server) - Port 1433NextPPTP - Port 1723

Last updated