Nmap database scanning

October 14, 2012

This is a very short tutorial that provides some guidance on how to run Nmap scripts against Oracle databases.

Let's say you are running the Nmap script oracle-sid-brute.nse against an Oracle database server that listens on a non-standard port (we'll use port 1555 as an example), but the script produces no SIDs even though you know for a fact that your SID file contains a matching SID for that target database:

nmap --script oracle-sid-brute --script-args oraclesids=sids.txt -p1555 db.example.com

Nmap scan report for db.example.com (192.0.2.7)
PORT     STATE SERVICE
1555/tcp open  support

There are a few things we can do to get this working. The first is to open the script (typically located in /usr/share/nmap/scripts/) and check what its requirements are. In oracle-sid-brute.nse there is a line that reads:

portrule = shortport.port_or_service(1521, 'oracle-tns')

This means that in order for this script to run, Nmap needs to detect either that port 1521 on the target is in an open state (1521 being the default port for Oracle) or, alternatively, that the service "oracle-tns" has been identified on the open port(s).

Given that in our case the Oracle service on db.example.com is running on port 1555 rather than 1521, and that the service on port 1555 was not identified by Nmap as "oracle-tns" (without a service scan the SERVICE column is just a lookup of the port number in Nmap's port table), the oracle-sid-brute.nse script will never run during a standard Nmap scan, so it cannot produce the results you expect.

One solution is to edit the actual script (/usr/share/nmap/scripts/oracle-sid-brute.nse) and change the portrule section to specify port 1555 instead of port 1521:

portrule = shortport.port_or_service(1555, 'oracle-tns')

This isn't exactly versatile, however, and the script will need to be changed again each time we encounter an Oracle database running on a port other than 1555, but it is a simple way to get the script to run. Another option is to run Nmap with a service scan by adding the -sV parameter, so that it actually probes the service on the given port and correctly identifies the service on port 1555 as oracle-tns:

nmap --script oracle-sid-brute --script-args oraclesids=sids.txt -sV -p1555 db.example.com

Nmap scan report for db.example.com (192.0.2.7)
PORT     STATE SERVICE    VERSION
1555/tcp open  oracle-tns Oracle TNS Listener
| oracle-sid-brute:
|_  ORACDB01

This has the advantage of not requiring any modification to the script; however, service scans take longer to complete because of the additional probe packets Nmap needs to send.

The third option is to force the script to run regardless of which service is detected on the port (i.e. to ignore the portrule) by adding a plus (+) symbol in front of the script name. This option requires Nmap version 5.61TEST4 or later:

nmap --script +oracle-sid-brute --script-args oraclesids=sids.txt -p1555 db.example.com

Nmap scan report for db.example.com (192.0.2.7)
PORT     STATE SERVICE
1555/tcp open  support
| oracle-sid-brute:
|_  ORACDB01
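
To make the portrule behaviour behind these three runs concrete, here is a small Python model of how a rule built with shortport.port_or_service() decides whether a script runs. This is an added illustration, not Nmap's own Lua code; the port records are constructed from the scan outputs above, and the "forced" flag stands in for the leading "+" on the script name.

```python
# Added illustration: a Python model of how an NSE portrule built with
# shortport.port_or_service() decides whether a script runs. It is not
# Nmap's own Lua code; the port records below are constructed from the
# scan outputs shown above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    protocol: str  # "tcp" or "udp"
    state: str     # "open", "closed", "filtered", ...
    service: str   # name from Nmap's port table, or from a -sV probe


def port_or_service(ports, services, protos=("tcp",),
                    states=("open", "open|filtered")):
    """Return a rule matching a port by number OR by service name, mirroring
    shortport.port_or_service(ports, services, protos, states)."""
    port_set = {ports} if isinstance(ports, int) else set(ports)
    service_set = {services} if isinstance(services, str) else set(services)

    def rule(port: Port) -> bool:
        if port.protocol not in protos or port.state not in states:
            return False
        return port.number in port_set or port.service in service_set

    return rule


# The rule oracle-sid-brute.nse ships with: port 1521 or service oracle-tns.
ORACLE_SID_BRUTE_RULE = port_or_service(1521, "oracle-tns")


def script_would_run(rule, port: Port, forced: bool = False) -> bool:
    """A script selected with a leading '+' ignores its portrule entirely."""
    return forced or rule(port)


# Constructed port records for the runs against db.example.com:1555.
DEFAULT_SCAN = Port(1555, "tcp", "open", "support")     # no -sV
SERVICE_SCAN = Port(1555, "tcp", "open", "oracle-tns")  # with -sV

if __name__ == "__main__":
    for label, port, forced in [("plain scan", DEFAULT_SCAN, False),
                                ("-sV scan", SERVICE_SCAN, False),
                                ("+oracle-sid-brute", DEFAULT_SCAN, True)]:
        runs = script_would_run(ORACLE_SID_BRUTE_RULE, port, forced)
        print(f"{label:18} -> script runs: {runs}")
```

A more versatile edit of the script itself would be a rule over several ports, e.g. port_or_service({1521, 1555}, "oracle-tns"), which the model above also accepts.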

Other things to note about Nmap scripts

Some of the scripts that use the http library send the Nmap-identifying user-agent string "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)" to the system you are scanning, which you may wish to avoid. This value is set in the file /usr/share/nmap/nselib/http.lua as the variable USER_AGENT. You can have Nmap send a different user-agent by passing the script argument "http.useragent"; in the example below we set it to simply "Mozilla/4.0":

nmap --script http-date --script-args http.useragent="Mozilla/4.0" -PN -p80 192.0.2.0/24

You can also interact with Nmap while it is performing a scan to help determine what it is doing. Below are the special keys that do so. Lowercase letters increase the amount of output and uppercase letters decrease it:

     ?
         Print a runtime interaction help screen

     v / V
         Increase / decrease the verbosity level

     d / D
         Increase / decrease the debugging level

     p / P
         Turn on / off packet tracing

     (Any other key)
         Print Nmap status message

A complete list of Nmap scripts can be found in the NSE script documentation. Keep in mind that certain scripts require root privileges to run, and certain scripts, such as those in the external category, can send data to external systems.