
OScanner

OScanner is an Oracle database assessment framework designed to identify security vulnerabilities, misconfigurations, and weaknesses in Oracle database instances. It performs comprehensive scans across multiple security domains including user privileges, default accounts, and audit settings.

# Download OScanner
wget http://www.cqure.net/tools/oscanner/oscanner110611.tar.gz

# Extract the archive
tar -xzf oscanner110611.tar.gz
cd oscanner

# Set execute permissions
chmod +x oscanner

# Verify installation
./oscanner -h

  • Java Runtime Environment (JRE) 1.6 or higher
  • Network connectivity to target Oracle database
  • Valid database credentials (preferably with DBA role)
  • Oracle JDBC drivers (included in most distributions)

# Install Java if not present
brew install openjdk

# Download and extract
wget http://www.cqure.net/tools/oscanner/oscanner110611.tar.gz
tar -xzf oscanner110611.tar.gz
cd oscanner

# Make executable
chmod +x oscanner

OScanner connects to Oracle databases using:

  • Direct connection: TCP/IP connection to database listener
  • Connection string: Standard Oracle connection format
  • Authentication: Username/password or OS authentication

  • User scanning: Identify privileged accounts and weak passwords
  • Privilege analysis: Detect excessive user privileges
  • Default account detection: Find unchanged default credentials
  • Audit configuration: Review and identify audit gaps
  • Server misconfiguration: Identify parameter weaknesses

| Command | Description |
|---|---|
| oscanner -h | Display help message |
| oscanner -s <host>:<port>:<SID> | Scan specific database instance |
| oscanner -u <user> -p <pass> | Specify authentication credentials |
| oscanner -f <file> | Load targets from file |
| oscanner -v <level> | Set verbosity level (0-3) |

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager

./oscanner \
  -s orcl.example.com:1521:ORCL \
  -u system \
  -p manager \
  -v 2

Create targets.txt:

192.168.1.100:1521:ORCL:system:manager
192.168.1.101:1521:PROD:system:password123
192.168.1.102:1521:TEST:scott:tiger

Then scan:

./oscanner -f targets.txt -v 2
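A pre-flight check for the target list, as an added example that is not part of OScanner or of the original page. It assumes the host:port:SID:user:password line layout of the sample above; the function name lint_targets is hypothetical. It checks that the credential file is owner-only, validates each entry, and reports entries that use a default pair from this page's default-account table.

```sh
#!/bin/sh
# Added example, not part of OScanner. lint_targets is a hypothetical helper.
# Assumed line format (from the sample above): host:port:SID:user:password
lint_targets() {
    file=$1 status=0 lineno=0

    # The file stores plaintext credentials: only the owner should have access.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: accessible to group/other ($perms); run chmod 600"
        status=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -n "$line" ] || continue    # ignore blank lines

        # Split on ':'; the last variable keeps any ':' inside the password.
        IFS=: read -r host port sid user pass <<EOF
$line
EOF
        if [ -z "$host" ] || [ -z "$sid" ] || [ -z "$user" ] || [ -z "$pass" ]; then
            echo "line $lineno: expected host:port:SID:user:password"
            status=1; continue
        fi

        # Port: digits only, at most five of them, within 1..65535.
        case $port in
            ''|*[!0-9]*|??????*)
                echo "line $lineno: bad port '$port'"; status=1; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "line $lineno: port $port out of range"
            status=1; continue
        fi

        # Pairs from this page's default-account table are findings already.
        pair=$(printf '%s/%s' "$user" "$pass" | tr '[:lower:]' '[:upper:]')
        case $pair in
            SCOTT/TIGER|SYSTEM/MANAGER|DBSNMP/DBSNMP)
                echo "line $lineno: default credentials $pair" ;;
        esac
    done < "$file"
    return $status
}

# Usage: lint_targets targets.txt && ./oscanner -f targets.txt -v 2
```

Default-pair reports are informational and do not change the exit status; format and permission problems do.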
./oscanner -s 192.168.1.100:1521:ORCL \
  -u / \
  -p / \
  -w 5

# Run only user privilege checks
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -checks privilege

# Run only default account checks
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -checks default_accounts

# Full comprehensive scan with maximum verbosity
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -v 3 \
  -depth full \
  -timeout 300

# Set connection timeout (seconds)
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -timeout 30 \
  -retry 3

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -check_weak_passwords \
  -output weak_accounts.txt

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -analyze privileges \
  -report privilege_report.html

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -scan_defaults \
  -list_inactive

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -enumerate roles \
  -export roles.csv

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -report assessment.html \
  -format html

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -export findings.csv \
  -format csv

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -v 3 \
  -log oscanner_$(date +%Y%m%d_%H%M%S).log

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -analyze_privs \
  -escalation_check

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -list dba_users \
  -filter privileged

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -enumerate role_privs \
  -detailed

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -full_scan \
  -include_defaults \
  -check_cve

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -version_check \
  -vuln_database \
  -patch_level

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -check_pwd_policy \
  -test_complexity

# Scan multiple databases in parallel
./oscanner -f targets.txt \
  -parallel 4 \
  -v 2

./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -connect_timeout 20 \
  -query_timeout 60

# Test connectivity first
tnsping ORCL

# Verbose connection debugging
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -debug connection

# Increase Java heap size
export JAVA_OPTS="-Xmx1024m"
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager

# Test credentials separately
sqlplus system/manager@ORCL

# Then run scanner with verified credentials
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -test_creds

  • Obtain written authorization before scanning
  • Document baseline database configuration
  • Verify network connectivity to target
  • Confirm credential validity and permissions
  • Review scan scope with database administrator
  • Schedule scans during maintenance windows

# Recommended comprehensive scan
# The password is read without echo but is still passed as a command-line argument
./oscanner -s target.example.com:1521:PROD \
  -u system \
  -p "$(read -rsp "Password: " && printf '%s' "$REPLY")" \
  -v 2 \
  -timeout 300 \
  -full_scan \
  -report assessment_$(date +%Y%m%d).html

  • Review findings for false positives
  • Prioritize critical vulnerabilities
  • Document remediation steps
  • Track remediation progress
  • Re-scan after fixes applied
  • Maintain historical records

| Account | Risk | Action |
|---|---|---|
| SCOTT/TIGER | High | Change password or lock account |
| SYSTEM/MANAGER | High | Strengthen password |
| SYS/ | Critical | Immediate remediation required |
| DBSNMP/DBSNMP | Medium | Change default password |

# Audit specific user privileges
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -audit_user scott \
  -list_privs

# Check audit settings
./oscanner -s 192.168.1.100:1521:ORCL \
  -u system \
  -p manager \
  -check_audit \
  -verify_settings

OScanner should only be used:

  • On systems you own or have explicit authorization to test
  • As part of authorized security assessments
  • Within scope of penetration testing engagement
  • With documented approval from system owners
  • In compliance with applicable laws and regulations

Always maintain detailed records of:

  • Scan scope and authorization
  • Findings and recommendations
  • Remediation efforts
  • Follow-up assessment results
  • Time and date of all activities

  • Official OScanner documentation: http://www.cqure.net/tools/oscanner/
  • Oracle security best practices guide
  • OWASP database security testing guidelines
  • CIS Oracle Database benchmark
  • Oracle security update notifications