Skip to content
quentinhardy edited this page Mar 24, 2016 · 15 revisions

This wiki explains how to use ODAT (Oracle Database Attacking Tool) during security assessments.

Explanations and examples are organized by ODAT module in this Wiki (see on the right).

The -h option can be used to get the ODAT help menu:

./odat.py -h

The all module is the first module that should be used when you meet an Oracle Database. For example, you can use this command for starting:

./odat.py all -s 192.168.1.254 -p 1521

You can give the SID if you know it:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL

If you know a valid account, you can give it to this module:

./odat.py all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password

See all for more details about this module.

For each module (i.e. sidguesser), you can use -v, -vv or -vvv for enabling verbosity and understanding how or what the module is doing. For example:

./odat.py all -s 192.168.1.254 -vvv

Before to use a specific command of a module, the --test-module should be used first for knowing if you can use it (target is vulnerable, Oracle account has enough privileges, etc). For example:

./odat.py tnspoison -s 192.168.1.254 -p 1521 -d ORCL --test-module
Clone this wiki locally