Re: Sniffer Tool?

From: Pete Finnigan <>
Date: Wed, 18 Mar 2009 15:41:52 +0000
Message-ID: <>

Hi Guys,

I agree with Jared, be careful before contemplating a port scan, you will have trouble if you do not have permission.

The trouble with a port scan is that it will not find all databases as some could be not visible to the network at large or more simply to the scanning PC. If you have segregated networks then scanning means that you need to fully understand the network architecture first to ensure that you *can* scan all of the network. Also you will not find databases that are simply not running. Also, scanning will find listeners, not database instances. You would need to then query all listeners found and find the database services being listened for on each listener.

As you may have guessed this is not a foolproof possibility and you may not find all databases.

I would suggest the following approach:

  1. ensure you are scanning from somewhere that can see the whole of the network. Involve the network guys
  2. scan more than once to ensure that you capture any machines that may have been down the first time
  3. use nmap and find live hosts, then use amap to identify running services
  4. isolate Oracle services - then query the listeners to find the databases served. This may prove difficult if they are 10g as it cannot be then done remotely. You could use Integrigy's listener tool - link on my tools page to help with this -
  5. It may be necessary to connect to the servers to test the listener.

Tim Gorman had a simple script called tnsprobe - there is a link on my tools page - that did a simple check for databases using tnsping and a shell script. There are commercial tools that can scan for Oracle databases but the license costs would not be justified for this task. You could also use something like Nessus but beware that this tool could also bring down the databases.

Good luck.



Jared Still wrote:
> On Mon, Mar 16, 2009 at 1:00 PM, Manjula Krishnan <> wrote:

>> Hi Guys:
>> Is there a tool out there that would sniff out my network and find all the
>> Oracle installs, versions, hardware info on the servers etc?

> You could use nmap (linux) to find ports being used in the range that
> Oracle uses, typically 1521-1529 would find something if Oracle
> is being used.
> I've used a perl script called pcan to do this.
> However you go about it, talk to your security folks before you
> start a port scan on the network.
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist

Pete Finnigan
Director Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
site :

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

Received on Wed Mar 18 2009 - 10:41:52 CDT
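
An added example, not part of the original message or of any tool it mentions: the "scan more than once" and "isolate Oracle services" steps above, as a Python sketch that merges several nmap grepable (`-oG`) outputs and lists hosts with an open TCP port in the 1521-1529 range named in the thread. The scan lines, addresses and function names are constructed for illustration; an open port is only a candidate listener, which still has to be queried to learn which databases it serves.

```python
from collections import defaultdict

ORACLE_PORTS = range(1521, 1530)  # 1521-1529, the range named in the thread

# Constructed sample data: two `nmap -oG` passes (addresses are made up).
PASS_1 = (
    "Host: 10.1.1.10 (dbhost1)\tPorts: 22/open/tcp//ssh///, 1521/open/tcp//oracle///\n"
    "Host: 10.1.1.20 ()\tPorts: 80/open/tcp//http///, 1521/closed/tcp//oracle///\n"
)
PASS_2 = (
    "Host: 10.1.1.10 (dbhost1)\tPorts: 22/open/tcp//ssh///, 1521/open/tcp//oracle///\n"
    "Host: 10.1.1.20 ()\tPorts: 80/open/tcp//http///, 1521/closed/tcp//oracle///\n"
    "Host: 10.1.1.30 ()\tPorts: 1526/open/tcp/////\n"  # host was down in pass 1
)


def parse_grepable(text):
    """Return {ip: set of open TCP ports within ORACLE_PORTS} for one -oG output."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip nmap's '#' comment lines and blanks
        fields = line.split("\t")
        ports = found.setdefault(fields[0].split()[1], set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")  # port/state/protocol/owner/service/...
                if len(parts) >= 3 and parts[0].isdigit() and parts[1:3] == ["open", "tcp"]:
                    if int(parts[0]) in ORACLE_PORTS:
                        ports.add(int(parts[0]))
    return found


def merge_passes(passes):
    """Union candidate listeners over all passes and record which passes saw each host."""
    merged = defaultdict(lambda: {"ports": set(), "seen_in": []})
    for n, text in enumerate(passes, start=1):
        for ip, ports in parse_grepable(text).items():
            if ports:
                merged[ip]["ports"] |= ports
                merged[ip]["seen_in"].append(n)
    return dict(merged)


def report(merged, total_passes):
    """One line per candidate listener host; flag hosts missing from some pass."""
    return [f"{ip} ports={sorted(m['ports'])} passes={m['seen_in']}"
            + ("" if len(m["seen_in"]) == total_passes else " (not seen in every pass)")
            for ip, m in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(report(merge_passes([PASS_1, PASS_2]), 2)))
```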
