Oracle Security checks with nmap


Nmap is open -source utility to discover and check network security. Normally nmap is developed for network security. Many  externel scripts were added to nmap to check databases, web servers and other systems at IT infrastructure.

At this note; I will present nmap scripts which are developed to check Oracle databases. I will explain all details  with samples. For this note; I used two virtual machines ; one of it as you expected is Kali the other machine is Oracle Linux which runs Oracle 11g database.

Start with guessing Oracle SID

Guess Oracle SID

oracle-sid-brute script guesses Oracle instance/SID names.

/usr/share/nmap/nselib/data/oracle-sids file includes some Oracle SIDs . By this list nmap makes brute force to find Oracle SIDs



Now try to find Oracle-SID at localhost7  with nmap oracle-sid-brute script.


nmap –script=oracle-sid-brute -p 1521-1900 localhost7

Not shown: 359 filtered ports
1521/tcp open oracle
| oracle-sid-brute:
1522/tcp open rna-lm
1523/tcp open cichild-lm
1530/tcp open unknown
1545/tcp open vistium-share
1555/tcp open unknown
1556/tcp open veritas_pbx
1557/tcp open unknown
1560/tcp open asci-val
1563/tcp open unknown
1575/tcp open unknown
1585/tcp open unknown
1591/tcp open unknown
1621/tcp open unknown
1681/tcp open unknown
1731/tcp open unknown
1733/tcp open unknown
1831/tcp open unknown
1890/tcp open unknown
1898/tcp open unknown
1899/tcp open unknown


Gotcha we found it DB2TEST. If you have your own Oracle -SID list at /path/sidfile you can use it like this.

nmap –script=oracle-sid-brute –script-args=oraclesids=/path/sidfile -p 1521-1800 <hostname>

Now we will try to guess Oracle usernames and passwords.

Password guess Brute Force

oracle-brute script checks common Oracle usernames and passwords. The list of common Oracle username and passwords can be found at /usr/share/nmap/nselib/data/oracle-default-accounts.lst file.


nmap -p1521 –script oracle-brute –script-args oracle-brute.sid=DB11G

Starting Nmap 6.49BETA4 ( ) at 2016-07-02 10:19 EDT
Nmap scan report for
Host is up (0.0010s latency).
1521/tcp open oracle
| oracle-brute:
| Accounts:
| DIP:DIP – Account is locked
| XDB:CHANGE_ON_INSTALL – Account is locked
|_ Statistics: Performed 695 guesses in 13 seconds, average tps: 53

Nmap done: 1 IP address (1 host up) scanned in 30.89 second


As you see two users are found but they are locked. Our database passed this test. But If the administrators had forgotten these common usernames this script would help us to find these usernames.

If you have some special usernames and passwords list at a special  path; you can use below command

nmap -sV –script oracle-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>


To quit after finding one valid account, use the argument brute.firstOnly:
nmap -sV –script oracle-brute –script-args brute.firstOnly <target>

To set a different timeout limit, use the argument unpwd.timelimit. To run it
indefinitely, set it to 0:

nmap -sV –script oracle-brute –script-args unpwdb.timelimit=0 <target>$ nmap -sV –script oracle-brute –script-args unpwdb.timelimit=60m <target>

Brute modes

user: For each user listed in userdb, every password in passdb will be tried
nmap –script oracle-brute –script-args brute.mode=user <target>

pass: For each password listed in passdb, every user in userdb will be tried
nmap –script oracle-brute –script-args brute.mode=pass <target>

For Oracle tns poison attack you can read my another article

Now this is the end of this note.

I hope this note will give you a new perspective for Oracle Database security.

Anıl Akduygu



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s