Discovering Oracle Accounts With Nmap

If we are conducting an infrastructure penetration test and we have discover an Oracle database during the information gathering stage then we can use Nmap to perform some checks that will help us to obtain potentially the accounts that exists on the database. These checks can be executed with two scripts that Nmap contains in his scripting engine.Specifically the scripts that we will need to use are the following:

  • oracle-sid-brute
  • oracle-brute

Oracle databases are running on port 1521 so in most of the cases we can identify them just by checking if this port is open on our target host.The next step is to use the script oracle-sid-brute which will try to brute force common oracle SID’s.The next image is showing the use of this script and that has successfully identified that the SID is XE.

Brute Forcing Oracle SID's - Nmap
Brute Forcing Oracle SID’s – Nmap


Now that we know the SID of the Oracle database we can use the oracle-brute script to discover the valid specifying the SID name

Discovering Oracle Accounts
Discovering Oracle Accounts



With these two scripts we can perform security audits against an Oracle database with Nmap.However the drawback as the above image indicates is that we can lock the accounts as the script doesn’t have a check about the number of tries that will execute in order to prevent the account lockout.From the other hand it is a very fast approach for detecting oracle accounts through Nmap during the information gathering.