Oracle servers have SID names, and penetration testers need to find them. Thanks to Nmap we can attempt to list them by performing a dictionary attack against the TNS listener.
This recipe shows how to brute force Oracle SID names by using Nmap.
To brute force Oracle SID names, use the following Nmap command:
$ nmap -sV --script oracle-sid-brute <target>
All of the SIDs found will be included in the NSE script output section for oracle-sid-brute:
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-sid-brute:
|   orcl
|   prod
|_  devel
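The output block above is simple enough to parse mechanically. As an added example that is not part of the recipe or of Nmap itself, the following Python reads oracle-sid-brute results out of Nmap's normal output and flags any discovered SID that is missing from an authorized inventory, which is how a database owner turns the scan result into a finding (an instance nobody knew was listening). The host names, addresses, SIDs and the inventory are constructed for the example; the parser assumes the result lines are formatted exactly as in the block above.

```python
# Added example (not from the recipe or the Nmap project): parse oracle-sid-brute
# results out of Nmap's normal output and compare them with an authorized SID
# inventory, so a reviewer can spot instances nobody expected to be running.
import re
from typing import Dict, List

# Constructed sample output, shaped like the recipe's example block.
# Host names, addresses and SIDs are made up for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for db01.example.internal (10.0.0.15)
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-sid-brute:
|   orcl
|   prod
|_  devel

Nmap scan report for db02.example.internal (10.0.0.16)
PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack
| oracle-sid-brute:
|_  prod
"""

# Constructed inventory: the SIDs each host is supposed to serve.
AUTHORIZED_SIDS: Dict[str, List[str]] = {
    "db01.example.internal": ["orcl", "prod"],
    "db02.example.internal": ["prod"],
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\| oracle-sid-brute:")
# Script result lines look like "|   orcl" or, for the final line, "|_  devel".
SID_RE = re.compile(r"^\|[_ ]\s+(\S+)\s*$")


def parse_sid_brute(text: str) -> Dict[str, List[str]]:
    """Return {host: [sid, ...]} for every oracle-sid-brute block in the output."""
    results: Dict[str, List[str]] = {}
    host = "unknown"
    in_block = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            in_block = False
            continue
        if SCRIPT_RE.match(line):
            in_block = True
            results.setdefault(host, [])
            continue
        if in_block:
            m = SID_RE.match(line)
            if not m:
                in_block = False          # any other line means the block has ended
                continue
            results[host].append(m.group(1))
            if line.startswith("|_"):     # "|_" marks the last line of a script's output
                in_block = False
    return results


def unexpected_sids(found: Dict[str, List[str]],
                    authorized: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """SIDs the scan revealed that are absent from the inventory for that host."""
    flagged: Dict[str, List[str]] = {}
    for host, sids in found.items():
        allowed = set(authorized.get(host, []))
        extra = [s for s in sids if s not in allowed]
        if extra:
            flagged[host] = extra
    return flagged


if __name__ == "__main__":
    found = parse_sid_brute(SAMPLE_NMAP_OUTPUT)
    for host, sids in found.items():
        print(f"{host}: {', '.join(sids)}")
    for host, extra in unexpected_sids(found, AUTHORIZED_SIDS).items():
        print(f"NOT IN INVENTORY on {host}: {', '.join(extra)}")
```

To run it against a real scan, save Nmap's normal output with -oN and pass the file contents to parse_sid_brute instead of SAMPLE_NMAP_OUTPUT. For large scans the XML output (-oX) is the more robust format to parse, but the normal-output layout is what the recipe shows, so the example sticks to it.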
The arguments -sV --script oracle-sid-brute tell Nmap to initiate service detection (-sV) and to run the NSE script oracle-sid-brute.
The NSE script oracle-sid-brute was submitted by Patrik Karlsson to help penetration testers enumerate Oracle SIDs by performing a dictionary attack against Oracle's TNS listener. This script is executed if a host has a running service identified as oracle-tns, or has port 1521 open.
By default, the script uses the dictionary located at nselib/data/oracle-sids, but you can specify a different file by setting the script argument oraclesids:
$ nmap -sV --script oracle-sid-brute --script-args oraclesids=/home/pentest/sids.txt <target>