Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Scanning for Oracle databases on your network



This is an interesting subject that was raised some time back on one of the c.d.o.* newsgroups. The original post asked how to find all the Oracle databases on the poster's company network.

This is possible to do and is worth doing for every company. You will know about a certain number of production, development and test databases, but do you know about the extra databases created when testing something, those installed by power users on their PCs, or those installed by technically minded employees who use the spare space on a company PC to try out Oracle in their lunch hour? What about the DBAs, developers and admin staff who have created databases for personal testing, development or whatever? It is quite common to find rogue databases on company networks.

This is a security issue. If these databases are not patched, or are left with the default configuration, they can be used as a foothold to attack the rest of the network, either through known vulnerabilities or through known configuration issues. It is important to find them and either protect them or remove them.

I posted a reply to the original poster that detailed some ideas on how to find databases. Most of my ideas are Unix-centric but could be used on Windows hosts as well. Here is my post to the thread:

~~~~my post~~~~

You are right about the network configuration. It may not be possible to
find all hosts from one network location, but if you are scanning your
own company it should be possible to understand the network and scan
from one place or multiple points to check all hosts. Just because you
can do it internally doesn't mean an external hacker could do it.
Employees are a different prospect though..:-) It can be done quite
simply and there are a number of ways to do it. You are not searching
for databases though, but listeners, remember! You can find listeners
and then query them to find out what services they support, then try to
connect and see if the database is up. Some ideas:

o - Some of the commercial tools support finding databases, such as
Application Security Inc's AppDetective. Check out the others as well;
links to most Oracle security products can be found on my site:
/tools.htm

o - You can use OEM in discovery mode to find listeners that have SNMP /
intelligent agent configured. So this would not find all databases.

o - You can use the fping / gping pair to find all nodes on your network,
or even tools such as nmap. There are many more that will do ICMP_ECHO
packet sweeps. When you have a list of IP addresses in your network,
feed this into a port scan sweep for each box. This can be done with a
shell script looping through all ports and using tnsping, or you can
again use a port mapper such as nmap.

o - A free script called tnsprobe.sh written by Tim Gorman is a good
start for the above process. It's a shell script that uses tnsping and
loops through all ports for a particular IP. It then tries to log in and
uses another script to perform some audit checks. You would want to
alter this script to prevent this if you want to look only.

o - A free tool called getsids.exe can be found on Patrik Karlsson's web
site www.cqure.net. This does a similar job to the listener control
utility lsnrctl and tnsprobe.sh.

In summary, find all IP Addresses, port map each box and look for
listeners, use tnsprobe.sh or tnsping, or even lsnrctl status and
capture the results. Then attempt to connect to each to see if the
database is up.

The above checks will be very "noisy" in network terms and will involve
programming simple shell scripts. I am not aware of a complete free
solution; maybe I will create one some time if I get the chance. Also you
could consider the commercial solution.

hth

Kind regards

Pete

~~~~my post~~~~
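The listener-probing part of the procedure above (tnsping every candidate port, read what the listener says back) reduced to working code. This is an added example, not code from the original post, from tnsprobe.sh or from getsids.exe. It builds the TNS CONNECT packet that tnsping sends, with CONNECT_DATA=(COMMAND=ping), and parses the REFUSE packet a listener answers with: the refuse data carries VSNNUM (the listener version as a packed bit field) and ERR (0 means the listener is healthy). The constant field values in the connect body and the 8.4.8.4.8-bit reading of VSNNUM are the usual ones for 8i/9i/10g-era clients and are assumptions here; the sample reply is constructed, not captured.

```python
"""TNS listener probe: send what tnsping sends, decode what the listener answers.

Added example, not code from the original post. Field values in the CONNECT body
and the VSNNUM decoding are assumptions (the usual values a 10g-era client uses).
"""
import re
import socket
import struct
import sys

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_RESEND = 1, 2, 4, 11
HEADER = ">HHBBH"  # packet length, packet checksum, packet type, reserved, header checksum


def build_connect(connect_data: str) -> bytes:
    """Build a TNS CONNECT packet carrying CONNECT_DATA, as tnsping/lsnrctl do."""
    cd = connect_data.encode("ascii")
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQQ",
        0x0136,      # TNS version 310
        0x012C,      # lowest compatible version 300
        0x0000,      # service options
        0x0800,      # session data unit 2048
        0x7FFF,      # transport data unit 32767
        0x4F98,      # NT protocol characteristics
        0x0000,      # max packets before ack turnaround
        0x0001,      # the value 1 in hardware, for byte-order detection
        len(cd),     # connect data length
        58,          # connect data offset: 8-byte header + 50-byte connect body
        0,           # max receivable connect data
        0x41, 0x01,  # connect flags 0 and 1
        0, 0,        # trace cross-facility items
        0, 0,        # trace unique connection id, unused
    )
    header = struct.pack(HEADER, 8 + len(body) + len(cd), 0, TNS_CONNECT, 0, 0)
    return header + body + cd


def decode_vsnnum(vsnnum: int) -> str:
    """Turn the VSNNUM bit field (8.4.8.4.8 bits) into a dotted version string."""
    return "%d.%d.%d.%d.%d" % (
        vsnnum >> 24, (vsnnum >> 20) & 0xF, (vsnnum >> 12) & 0xFF,
        (vsnnum >> 8) & 0xF, vsnnum & 0xFF)


def parse_reply(raw: bytes) -> dict:
    """Classify a listener's reply to a ping.

    Any ACCEPT, REFUSE or RESEND packet means a TNS listener is on the port,
    even if no database behind it is up. A ping is answered with a REFUSE whose
    data looks like (DESCRIPTION=(TMP=)(VSNNUM=...)(ERR=0)(ALIAS=LISTENER)).
    """
    if len(raw) < 8:
        raise ValueError("short TNS packet")
    _length, _csum, ptype, _res, _hsum = struct.unpack(HEADER, raw[:8])
    info = {"type": ptype, "listener": ptype in (TNS_ACCEPT, TNS_REFUSE, TNS_RESEND)}
    if ptype == TNS_REFUSE and len(raw) >= 12:
        # REFUSE body: user reason (1), system reason (1), data length (2), data
        _user, _system, dlen = struct.unpack(">BBH", raw[8:12])
        data = raw[12:12 + dlen].decode("ascii", errors="replace")
        info["data"] = data
        m = re.search(r"\(VSNNUM=(\d+)\)", data)
        if m:
            info["version"] = decode_vsnnum(int(m.group(1)))
        m = re.search(r"\(ERR=(\d+)\)", data)
        if m:
            info["err"] = int(m.group(1))
    return info


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """tnsping one host:port. Returns {"listener": False} if nothing TNS answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connect("(CONNECT_DATA=(COMMAND=ping))"))
            raw = s.recv(4096)
        return parse_reply(raw)
    except (OSError, ValueError):
        return {"listener": False}


def sample_refuse() -> bytes:
    """Constructed reply (not a capture): what a 10.2.0.1 listener returns for a ping."""
    data = b"(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=0)(ALIAS=LISTENER))"
    body = struct.pack(">BBH", 0, 0, len(data)) + data
    return struct.pack(HEADER, 8 + len(body), 0, TNS_REFUSE, 0, 0) + body


if __name__ == "__main__":
    # usage: tnsprobe.py host [port ...]   (default: a few common listener ports)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [1521, 1522, 1526]
    for port in ports:
        r = probe(host, port)
        if r["listener"]:
            print("%s:%d TNS listener, version %s, ERR=%s"
                  % (host, port, r.get("version", "?"), r.get("err", "?")))
```

Feed it the host list from the ICMP sweep and the open TCP ports from the port scan rather than all 65535 ports per host, otherwise it is as noisy as the post warns. Replacing the ping with `(CONNECT_DATA=(COMMAND=status))` in the same packet is what `lsnrctl status` sends and lists the services the listener knows about; listeners from 10g onward with local OS authentication enabled refuse that remotely with TNS-01189, which is itself a useful version hint.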

Yong Huang also posted a very useful reply to the thread, suggesting some Windows-centric ideas on the same subject. Yong said:

"Hi, Pete,

I'd like to add to your excellent message since you apparently focus
on UNIX. On Windows, if you're an administrator in the domain, you
*can* check for Oracle instances, not just listeners. The simplest way
is to use resource kit tools such as

sclist \\remotehost | find /i "oracle" <-- "OracleService" may be
better
or
pulist \\remotehost | find /i "oracle" <-- "OracleService" may be
better

It's easy to write a simple WMI script. My pstats.hta
(http://rootshell.be/~yong321/freeware/pstats.html) can also do it
although its purpose is really for remote performance monitoring.

The beauty of sclist or a WMI script is that it can list Windows
services even if they're not up and running. I understand the OP only
wants to list running instances. But just for the record, on UNIX, you
can get a hint on whether a remote host has Oracle databases on it,
regardless of whether the instance is up or the listener is up, by
looking at /var/opt/oracle/oratab and /etc/oratab. But it's not nearly
as reliable as checking whether a Windows host has a service named
like OracleServiceXXX.

Yong Huang"


Use some of the ideas here and check your own networks regularly for rogue Oracle databases. The threat is real.