Oracle TNS-poison attack

The TNS Poison attack is a type of man-in-the-middle attack. With this attack an attacker can hijack a session and can send SQL commands to database from this session. If the hijacked session user has some critical privileges ( like DBA roles )  the attacker can completely manipulate Oracle database.


At this note, I will show you; how you can check that an Oracle database has this vulnerability and the solution for Oracle databases at Oracle 11.2 version.


With nmap ( at Kali ) we can check The TNS Poison attack.   We can use; oracle-tns-poison.nse nmap script .This script has not been included in standard distribution. Therefore we add this script into nmap environment and after updating nmap we can use it

First; get oracle-tns-poison.nse script from   link.

Nmap is a free and open source (license) utility for network discovery and security auditing. That’s why you can get all source from github .

Get the script and put it in a file called oracle-tns-poison.nse  at /usr/share/nmap directory.



And update nmap with this new script


Now we are ready to use; oracle-tns-poison.nse script.

But first I will show you the target database which has this vulnerability. This is an Oracle database; at standard installation all databases have this vulnerability.  And the solution for this vulnerability is to change the listener configuration

Therefore the initial configuration of the listener are given below.


Now check the vulnerability with this command;

nmap –script=oracle-tns-poison.nse -p 1521

As you see we have the vulnerability at this site.


The solution for this is to use Valid Node Checking For Registration for the all listeners ; (Metalink Doc ID 1600630.1)

Simply add this parameter for all listeners ( we have one listener only )




And rebounce the listener

lsnrctl stop

lsnrctl start



Now check the vulnerability again



It is done, It is not vulnerable.


If  there was a scan listener  In this case ; we would use below configuration








For Oracle 12c database there is no tns-poison vulnerability. Therefore all the time we advise DBAs to upgrade databases for the sake of security.

I will make the same test with Oracle 12c database without any configuration;



And the listener.ora file


Check the vulnerability against this database.

nmap –script=oracle-tns-poison.nse -p 1521


As you see ; Oracle 12c  is not vulnerable.

Simply ; If you have Oracle 11g database and below , you have tns-poison vulnerability from the beginning. To protect your database ;  use Valid Node Checking For Registration  for Oracle 11g .

if your version is Oracle 10g the solution is different and very  complicated. I do not want to mention the solution here.  Do not stay at Oracle 10g version ;  the solution is upgrade your database to 11g .

If you have Oracle 12c ; you have nothing to do. You are secure againt tns-poision attack from the beginning   .


Anıl Akduygu



One thought on “Oracle TNS-poison attack”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s