Oracle TNS Listener - Port 1521,1522-1529
Basic info
Oracle databases are widely used across industries for storing sensitive enterprise data, and their exposure to the network, especially through the Transparent Network Substrate (TNS) listener, can introduce serious security risks. The listener defaults to TCP port 1521, but in complex environments you may find listeners on 1522-1529 or beyond. This article covers techniques for enumerating, exploiting and securing Oracle TNS listeners, with practical commands and worked examples.
1. Understanding Oracle TNS and Default Ports
What is TNS?
TNS (Transparent Network Substrate) is Oracle's proprietary network protocol that carries traffic between Oracle clients and database servers. Every TNS packet starts with an 8-byte header (packet length, packet checksum, packet type, a reserved byte and a header checksum); the packet types include CONNECT, ACCEPT, REFUSE, REDIRECT and DATA. A client opens a session by sending a CONNECT packet whose payload is a parenthesised connect string, for example (CONNECT_DATA=(SERVICE_NAME=orcl)), to the listener, which accepts, refuses or redirects the connection. Listener administration commands (VERSION, STATUS, SERVICES, STOP) travel the same way, as (CONNECT_DATA=(COMMAND=...)).
Default Ports
1521: primary default listener port
1522-1529: often used for additional listeners, RAC (Real Application Clusters), or other configured services
In real-world Oracle deployments, multiple listener processes may be used for load balancing, high availability, or segregation of duties across applications.
2. Common Vulnerabilities in TNS Listeners
2.1. CVE-2012-1675: TNS Poison Attack
Description: By default the listener accepts dynamic instance registration from any network host without authentication. An attacker registers a rogue instance for an existing service name, and the listener's load balancing then forwards a share of new client connections to the attacker's host, which can proxy them on to the real database.
Impact: Man-in-the-middle of database sessions, data exfiltration, and full control over the traffic relayed through the attacker.
Mitigation: Restrict who may register. In listener.ora set VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON (or SUBNET) and list the permitted database hosts in REGISTRATION_INVITED_NODES_<listener_name>; on releases that predate that parameter, apply Oracle's Class of Secure Transports (COST) configuration, which restricts registration to IPC or TCPS through SECURE_REGISTER_<listener_name>. Registration left open to plain TCP from arbitrary hosts is the vulnerable configuration.
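A quick configuration check for the mitigation above, written as an added example for this article rather than anything from the original post or from Oracle. It parses a listener.ora, finds each listener definition and reports whether remote registration is restricted by VALID_NODE_CHECKING_REGISTRATION_<name>, by a COST SECURE_REGISTER_<name> list without plain TCP, or by DYNAMIC_REGISTRATION_<name> = OFF. The embedded listener.ora is a constructed sample with one weak listener (LISTENER) and one hardened listener (LISTENER_APP); the host name and invited-node addresses in it are made up. Parameter names are the real listener.ora parameters; multi-line parameter values are not handled.

```python
import re

# Constructed sample listener.ora: LISTENER keeps the default (open) registration,
# LISTENER_APP restricts registration to two named database hosts.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )

LISTENER_APP =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
    )
  )

VALID_NODE_CHECKING_REGISTRATION_LISTENER_APP = ON
REGISTRATION_INVITED_NODES_LISTENER_APP = (10.10.5.21, 10.10.5.22)
"""

# A listener definition is "<name> = (DESCRIPTION..." at the start of a line
# (the "=" may be followed by a newline before the opening parenthesis).
LISTENER_DEF = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\(DESCRIPTION", re.M)

# Values Oracle documents as enabling valid node checking for registration.
VNCR_ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}


def listener_names(text: str) -> list:
    """All listener names defined in the file, in order of appearance."""
    return LISTENER_DEF.findall(text)


def param(text: str, prefix: str, listener: str):
    """Value of '<prefix>_<listener> = value' on a single line, or None.
    Anchoring on the full listener name keeps LISTENER from matching
    the LISTENER_APP parameters."""
    pat = rf"^\s*{prefix}_{re.escape(listener)}\s*=\s*(.+?)\s*$"
    m = re.search(pat, text, re.M | re.I)
    return m.group(1) if m else None


def audit_registration(text: str) -> dict:
    """Map each listener name to a finding string starting with 'ok' or 'WEAK'."""
    findings = {}
    for name in listener_names(text):
        vncr = (param(text, "VALID_NODE_CHECKING_REGISTRATION", name) or "OFF").upper()
        invited = param(text, "REGISTRATION_INVITED_NODES", name)
        secure = param(text, "SECURE_REGISTER", name)
        dynamic = (param(text, "DYNAMIC_REGISTRATION", name) or "ON").upper()
        if dynamic == "OFF":
            findings[name] = "ok: dynamic registration disabled"
        elif secure and not re.search(r"\bTCP\b", secure, re.I):
            # COST list such as (IPC) or (TCPS, IPC); plain TCP would reopen the hole.
            findings[name] = f"ok: COST restricts registration to {secure}"
        elif vncr in VNCR_ENABLED:
            note = f" (invited nodes: {invited})" if invited else ""
            findings[name] = f"ok: VALID_NODE_CHECKING_REGISTRATION={vncr}{note}"
        else:
            findings[name] = ("WEAK: remote instance registration unrestricted "
                              "(CVE-2012-1675 TNS Poison); set "
                              f"VALID_NODE_CHECKING_REGISTRATION_{name} = ON")
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTENER_ORA
    for listener, finding in audit_registration(source).items():
        print(f"{listener}: {finding}")
```

Run it with the path to a real listener.ora as the only argument; with no argument it audits the embedded sample. A listener that is absent from the file (started purely from defaults) is not reported, so compare the output against lsnrctl status on the host.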
2.2. No Listener Authentication
Legacy listeners (9i and earlier, or later releases with LOCAL_OS_AUTHENTICATION_<listener_name> turned OFF) are often deployed with no password or other authentication, allowing an unauthenticated remote attacker to:
View service names
Stop, start, or reload the listener
Perform Denial-of-Service (DoS) attacks
2.3. Information Disclosure via Listener STATUS
An attacker can send a STATUS command (or VERSION and SERVICES) to retrieve:
Hostnames
Service names
Instance names
Database version
3. Enumeration Techniques
3.1. Nmap Scanning
Start by identifying open ports and checking for Oracle services with a version scan of 1521-1529.
Then use the Oracle-specific NSE scripts: oracle-tns-version reports the listener version, and oracle-sid-brute guesses SIDs against the listener.
3.2. Checking with Metasploit
The auxiliary/scanner/oracle/tnslsnr_version module sends a VERSION command, and its output reveals the listener version and hostname. The SID is not part of that reply; use the auxiliary/scanner/oracle/sid_enum and sid_brute scanners for it.
3.3. Using TNSping
Oracle client installations ship tnsping, which sends a TNS ping to the listener and reports whether it answered and the round-trip time.
Alternatively, simulate tnsping with Python or Netcat by sending a hand-built TNS CONNECT packet carrying (CONNECT_DATA=(COMMAND=ping)); the listener answers with its version number (VSNNUM) and alias.
3.4. Manual Enumeration Using Telnet or Netcat
Send raw TNS packets: the listener expects the 8-byte TNS header followed by the CONNECT body, so a bare connect string typed into telnet or piped through netcat is refused; build the full packet with a script instead.
You can script this with Python's socket module to enumerate or brute-force SIDs: send a CONNECT with (CONNECT_DATA=(SID=<guess>)) and treat an ACCEPT or REDIRECT as a hit, while a REFUSE carrying ORA-12505 means the listener does not know that SID.
4. Exploitation Techniques
4.1. Exploiting the TNS Poison Attack (CVE-2012-1675)
Metasploit Module: auxiliary/scanner/oracle/tnspoison_checker tests whether the listener accepts a remote instance registration, which is the precondition for the attack.
Warning: This module may crash the listener or disrupt sessions. Use only in lab or authorized environments.
4.2. Exploiting Unauthenticated Listener Control
If listener commands like STATUS, STOP, or RELOAD are accepted without authentication (a legacy listener with no password and without local OS authentication):
You can perform a denial of service by sending (CONNECT_DATA=(COMMAND=STOP)) in a TNS CONNECT packet. The listener shuts down and no new database connections can be established until an administrator restarts it; sessions that are already connected are unaffected, because they no longer pass through the listener.
5. Custom Python Script to Enumerate Listener Services