Scanning for Oracle Servers

Finding an Oracle database server on the network is best achieved by doing a TCP port scan, unless of course you already know where it is. Oracle and its peripheral processes listen on so many different ports that chances are one of them will be on its default port even if most of them aren't. The following list details some common Oracle processes and the ports they can be found listening on.

Common Ports

The common ports are

  • 199 agntsvc
  • 1520-1530 tnslsnr
  • 1748 dbsnmp
  • 1754 dbsnmp
  • 1809 dbsnmp
  • 1808 dbsnmp
  • 1810 java - Oracle Enterprise Manager web service
  • 1830 emagent
  • 1831 emagent
  • 1850 java ORMI
  • 2030 omtsreco
  • 2100 tnslsnr
  • 2481 tnslsnr
  • 2482 tnslsnr
  • 3025 ocssd
  • 3026 ocssd
  • 4696 ocssd
  • 6003 opmn
  • 6004 opmn
  • 6200 opmn
  • 6201 opmn
  • 7777 Apache - OAS
  • 8080 tnslsnr
  • 9090 tnslsnr
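
The same list can be turned around for a host audit: given the listening sockets on a server you administer, report which of the ports above are bound to a network-reachable address rather than loopback. This is an added example, not code from the book; it assumes Linux `ss -ltn` output, and the sample lines and function names are constructed for illustration.

```python
import ipaddress

# Port-to-process map copied from the list above; 1520-1530 is a range.
ORACLE_PORTS = {199: "agntsvc", 1748: "dbsnmp", 1754: "dbsnmp", 1808: "dbsnmp",
                1809: "dbsnmp", 1810: "java (Enterprise Manager web service)",
                1830: "emagent", 1831: "emagent", 1850: "java ORMI",
                2030: "omtsreco", 2100: "tnslsnr", 2481: "tnslsnr",
                2482: "tnslsnr", 3025: "ocssd", 3026: "ocssd", 4696: "ocssd",
                6003: "opmn", 6004: "opmn", 6200: "opmn", 6201: "opmn",
                7777: "Apache - OAS", 8080: "tnslsnr", 9090: "tnslsnr"}
ORACLE_PORTS.update({p: "tnslsnr" for p in range(1520, 1531)})

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:1521      0.0.0.0:*
LISTEN 0      128        127.0.0.1:1830      0.0.0.0:*
LISTEN 0      128             [::]:7777         [::]:*
LISTEN 0      128                *:8080            *:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128         10.1.1.1:6200      0.0.0.0:*
"""

def is_loopback(addr):
    """True when the bind address is reachable only from the local host."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if addr == "*":                          # wildcard bind, all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_oracle_listeners(ss_output):
    """Return sorted (port, process, bind_address) for network-reachable
    listeners whose port appears in the common Oracle port list."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # skip the header and other states
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in ORACLE_PORTS and not is_loopback(addr):
            findings.append((port, ORACLE_PORTS[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc, addr in exposed_oracle_listeners(SAMPLE_SS):
        print(f"{port:>5}  {proc:<40} bound to {addr}")
```

A port match is only a hint that an Oracle process may be listening; confirm the owning process before treating a finding as an Oracle exposure.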

The TNS Listener

Once the Oracle database server has been discovered, the first port of call is the TNS Listener. You need to get some information before continuing, such as the version, the OS, and the database services. The Listener Control utility can be used to get this information. Run the utility from a command line and, as the first command, set the Listener you want to connect to:

LSNRCTL> set current_listener 10.1.1.1

This will direct all commands to the TNS Listener at IP address 10.1.1.1. Once set, run the version command:

LSNRCTL> version
Connecting to (DESCRIPTION=(CONNECT_DATA=(SID=*)(SERVICE_NAME=10.1.1.1))(ADDRESS=(PROTOCOL=TCP)(HOST=10.1.1.1)(PORT=1521)))
TNSLSNR for 32-bit Windows: ...

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
