Running Nmap against an Oracle listener

When preparing for the Planboard symposium in Utrecht last Tuesday, I decided to use tools like Nmap and Metasploit to show how these tools can be used against an Oracle database server. I have worked with Nmap before, but I’m learning new tricks all the time.

Recently I read about the -sV option in “Nmap 6 – Network Exploration and Security Auditing Cookbook” by Calderon Pale Paulino. It enables service and version detection, and you can use it to find the Oracle version. That’s actually pretty useful.

nmap -sV 10.10.10.11

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:39 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.00038s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
111/tcp  open  rpcbind    2 (RPC #100000)
765/tcp  open  status     1 (RPC #100024)
1521/tcp open  oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
MAC Address: 00:1A:12:12:1A:12 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds

So now we know the Oracle version. But what if I change the listener port? I’ve tried this before without the -sV option. If the Oracle listener isn’t on port 1521, Nmap’s default scan (which only covers its 1000 most common ports) simply doesn’t see it.

So for this example I changed the port number to 1526 and ran Nmap with the same settings.

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:41 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.000011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (RPC #100000)
765/tcp open  status  1 (RPC #100024)
MAC Address: 00:1A:12:12:1A:12 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds

And Nmap didn’t find my listener on port 1526. So changing your listener port number looks like a good idea. At least you are putting up an extra hurdle for attackers, because DBAs rarely change the listener port. But that doesn’t mean Nmap can’t find the listener port at all. If I scan that specific port with the -sV option, Nmap does find the listener and gives me the listener version:

nmap -sV -p 1526 10.10.10.11

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:37 West-Europa (zomertijd)
Nmap scan report for 192.168.174.129
Host is up (0.00s latency).
PORT     STATE SERVICE    VERSION
1526/tcp open  oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
MAC Address: 00:1A:12:12:1A:12 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.58 seconds

And I can do scans against port ranges too. In this example I scan port numbers 1 to 60000:

nmap -sV -p 1-60000 10.10.10.11

Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:53 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.000014s latency).
Not shown: 59995 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
111/tcp  open  rpcbind    2 (RPC #100000)
765/tcp  open  status     1 (RPC #100024)
1526/tcp open  oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
3790/tcp open  http       nginx
MAC Address: 00:1A:12:12:1A:12 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds

I was expecting this run to take longer, but it actually took about the same time. So there you have it. You can change the listener port number, but it doesn’t mean your listener can never be found.
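Since a moved listener is still found by a full-range -sV scan, the useful follow-up for a DBA or security team is to run that scan against your own database hosts and check the result for oracle-tns services on anything other than 1521, so the inventory reflects reality. The script below is an added example (not from this post) that parses Nmap’s normal output format as shown above; the sample output embedded in it is constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap -sV normal output (two hosts), for offline use.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:53
Nmap scan report for 10.10.10.11
Host is up (0.000014s latency).
Not shown: 59995 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
111/tcp  open  rpcbind    2 (RPC #100000)
1526/tcp open  oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
3790/tcp open  http       nginx
Nmap scan report for 10.10.10.12
Host is up (0.00021s latency).
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS Listener 11.2.0.4.0 (for Linux)
"""

# "1526/tcp open  oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")


@dataclass
class Listener:
    host: str
    port: int
    version: str  # the VERSION column as Nmap printed it


def find_oracle_listeners(text):
    """Return every open oracle-tns service found in -sV normal output."""
    found, host = [], None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)  # subsequent port lines belong to this host
            continue
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open" and m.group(4) == "oracle-tns":
            found.append(Listener(host, int(m.group(1)), m.group(5).strip()))
    return found


def non_default_listeners(text, default_port=1521):
    """Listeners that were moved off the default port and belong in the inventory."""
    return [l for l in find_oracle_listeners(text) if l.port != default_port]
```

Feed it the saved output of nmap -sV -p 1-65535 against your database subnet (for example via open("scan.txt").read()) and compare the result against the listener ports your DBAs documented.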


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm a Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.
This entry was posted in Oracle security.

One Response to Running Nmap against an Oracle listener

  1. Pingback: NMap 7 is out | Marcel-Jan's Oracle Blog
