When preparing for the Planboard symposium in Utrecht last Tuesday, I decided to use tools like Nmap and Metasploit to show how these tools can be used against an Oracle database server. I have worked with Nmap before, but I’m learning new tricks all the time.
Recently I read about the -sV option in “Nmap 6 – Network Exploration and Security Auditing Cookbook” by Paulino Calderón Pale. It enables service and version detection: for every open port Nmap finds, it sends protocol-specific probes and matches the replies against its signature database. For an Oracle TNS listener that yields the listener version. That’s actually pretty useful.
nmap -sV 10.10.10.11
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:39 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.00038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
765/tcp open status 1 (RPC #100024)
1521/tcp open oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
MAC Address: 00:1A:12:12:1A:12 (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds
So now we know the Oracle version. But what if I change the listener port? I’ve tried this before without the -sV option, and the listener on a non-default port didn’t show up. The reason is not that Nmap ignores Oracle: by default Nmap only scans the 1000 most common TCP ports (the “Not shown: 996 closed ports” line above plus the four open ones adds up to exactly 1000), and port 1526 is not on that list, so it is never probed at all, with or without -sV.
So for this example I changed the listener port to 1526 and ran Nmap with the same settings:
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:41 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.000011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
765/tcp open status 1 (RPC #100024)
MAC Address: 00:1A:12:12:1A:12 (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds
And Nmap didn’t find my listener on port 1526. So changing the listener port looks like a reasonable idea. At least you are putting up an extra hurdle for attackers, because DBAs rarely change the listener port and a default Nmap scan doesn’t look there. But it is obscurity rather than a real control, and it doesn’t mean Nmap can’t find the listener at all. If I scan the port specifically with the -sV option, Nmap does find the listener and gives me the listener version:
nmap -sV -p 1526 10.10.10.11
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:37 West-Europa (zomertijd)
Nmap scan report for 192.168.174.129
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
1526/tcp open oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
MAC Address: 00:1A:12:12:1A:12 (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.58 seconds
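What -sV is doing on port 1526 is speaking TNS to whatever answers: it sends a TNS CONNECT packet carrying the listener command (CONNECT_DATA=(COMMAND=version)) and matches the reply. The script below is an added example written for this post, not Nmap’s code and not part of the original page. It builds that probe with the same byte layout tnscmd-style tools and Nmap’s oracle-tns service probe use, parses a reply into TNS packets, extracts the VSNNUM field and decodes it into the dotted 11.1.0.6.0 form, and pulls the TNSLSNR banner if the listener returns one. The reply bytes in SAMPLE_RESPONSE are constructed for the offline test (packet types there are illustrative; the parser does not depend on them), and probe_listener(host, port) is the hypothetical entry point for running it against a real listener.

```python
import re
import socket
import struct
import sys

# TNS packet types (8-byte header: length, checksum, type, reserved, header checksum)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_DATA = 1, 2, 4, 6
TNS_HEADER_LEN = 8
CONNECT_DATA_OFFSET = 58  # 8-byte TNS header + 50-byte connect header


def build_tns_version_probe(connect_data: bytes = b"(CONNECT_DATA=(COMMAND=version))") -> bytes:
    """Build a TNS CONNECT packet that asks the listener for its version (90 bytes for the default command)."""
    total_len = CONNECT_DATA_OFFSET + len(connect_data)
    header = struct.pack(">HHBBH", total_len, 0, TNS_CONNECT, 0, 0)
    connect_hdr = struct.pack(
        ">HHHHHHHHHHIBBII8s",
        0x0136,             # TNS protocol version (310)
        0x012C,             # lowest compatible version (300)
        0x0000,             # service options
        0x0800,             # session data unit size
        0x7FFF,             # maximum transmission data unit size
        0x7F08,             # NT protocol characteristics
        0x0000,             # line turnaround value
        0x0001,             # "value of 1 in hardware" byte-order marker
        len(connect_data),  # length of connect data
        CONNECT_DATA_OFFSET,
        0,                  # maximum receivable connect data
        0, 0,               # connect flags
        0, 0,               # trace cross-facility items
        b"\x00" * 8,        # trace unique connection id
    ) + b"\x00" * 8         # pad the connect header to 50 bytes
    return header + connect_hdr + connect_data


def decode_vsnnum(n: int) -> str:
    """Decode Oracle's packed VSNNUM (e.g. 185599488 == 0x0B100600) into major.minor.patch.patchset.port."""
    return "%d.%d.%d.%d.%d" % ((n >> 24) & 0xFF, (n >> 20) & 0xF, (n >> 16) & 0xF, (n >> 8) & 0xFF, n & 0xFF)


def iter_tns_packets(stream: bytes):
    """Yield (packet_type, payload) for each TNS packet in a reassembled byte stream."""
    offset = 0
    while offset + TNS_HEADER_LEN <= len(stream):
        length, _csum, ptype, _rsvd, _hcsum = struct.unpack_from(">HHBBH", stream, offset)
        if length < TNS_HEADER_LEN:
            break  # malformed length field; stop instead of looping forever
        yield ptype, stream[offset + TNS_HEADER_LEN: offset + length]
        offset += length


VSNNUM_RE = re.compile(rb"\(VSNNUM=(\d+)\)")
BANNER_RE = re.compile(rb"TNSLSNR for [^:\r\n]+: Version [\d.]+[^\r\n]*")


def parse_tns_response(stream: bytes) -> dict:
    """Extract the listener version from a TNS reply: VSNNUM (decoded) and the TNSLSNR banner when present."""
    result = {"packet_types": [], "vsnnum": None, "version": None, "banner": None}
    blob = b""
    for ptype, payload in iter_tns_packets(stream):
        result["packet_types"].append(ptype)
        blob += payload
    m = VSNNUM_RE.search(blob)
    if m:
        result["vsnnum"] = int(m.group(1))
        result["version"] = decode_vsnnum(result["vsnnum"])
    m = BANNER_RE.search(blob)
    if m:
        result["banner"] = m.group(0).decode("ascii", "replace").strip()
    return result


def _tns_packet(ptype: int, payload: bytes) -> bytes:
    return struct.pack(">HHBBH", TNS_HEADER_LEN + len(payload), 0, ptype, 0, 0) + payload


# Constructed sample reply for an 11.1.0.6.0 listener: a DESCRIPTION string with VSNNUM, then the banner text.
SAMPLE_RESPONSE = (
    _tns_packet(TNS_REFUSE, b"(DESCRIPTION=(TMP=)(VSNNUM=185599488)(ERR=0))")
    + _tns_packet(TNS_DATA, b"\x00\x00TNSLSNR for Linux: Version 11.1.0.6.0 - Production\n")
)


def probe_listener(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send the version probe to host:port and parse whatever comes back (hypothetical helper, network access needed)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_tns_version_probe())
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # listener has said all it will say
    return parse_tns_response(b"".join(chunks))


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1521
    print(probe_listener(host, port))
```

Because this is a plain TCP exchange, the listener’s port number plays no part in identifying it: any port that answers the probe with a VSNNUM is an Oracle listener. Whether the full TNSLSNR banner also comes back depends on the listener version and its local OS authentication settings, so the decoded VSNNUM is the more dependable of the two fields.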
And I can scan port ranges too. In this example I scan ports 1 to 60000 (-p- would cover all 65535; a listener parked above 60000 would still slip past the range used here):
nmap -sV -p 1-60000 10.10.10.11
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-02 13:53 West-Europa (zomertijd)
Nmap scan report for 10.10.10.11
Host is up (0.000014s latency).
Not shown: 59995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
765/tcp open status 1 (RPC #100024)
1526/tcp open oracle-tns Oracle TNS Listener 11.1.0.6.0 (for Linux)
3790/tcp open http nginx
MAC Address: 00:1A:12:12:1A:12 (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds
I was expecting this run to take longer, but it ran about as long. That makes sense: on a local VM every closed port answers with a RST immediately, so sweeping 60000 ports is cheap, and the wall time is dominated by the version probes, which only run against the handful of open ports. So there you have it. You can change the listener port number, but it doesn’t mean your listener can never be found.