quentinhardy edited this page Mar 24, 2016 · 13 revisions

This wiki explains how to use ODAT (Oracle Database Attacking Tool) during security assessments.

In this wiki, explanations and examples are organized by ODAT module (see the list on the right).

The -h option can be used to get the ODAT help menu:

./odat.py -h

The all module is the first module you should use when you encounter an Oracle Database. For example, you can start with this command:

./odat.py all -s 192.168.1.254 -p 1521

You can give the SID if you know it:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL

If you know a valid account, you can give it to this module:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password

See the all page for more details about this module.

For each module (e.g. sidguesser), you can use -v, -vv or -vvv to enable verbosity and see what the module is doing and how. For example:

./odat.py all -s 192.168.1.254 -vvv

Before using a specific command of a module, use the --test-module option first to find out whether you can use it (target is vulnerable, Oracle account has enough privileges, etc.). For example:

./odat.py tnspoison -s 192.168.1.254 -p 1521 -d ORCL --test-module