Script oracle-brute

Script types: portrule
Categories: intrusive, brute

Script Summary

Performs brute force password auditing against Oracle servers.

Running it in default mode it performs an audit against a list of common Oracle usernames and passwords. The mode can be changed by supplying the argument oracle-brute.nodefault at which point the script will use the username- and password- lists supplied with Nmap. Custom username- and password- lists may be supplied using the userdb and passdb arguments. The default credential list can be changed too by using the brute.credfile argument. In case the userdb or passdb arguments are supplied, the script assumes that it should run in the nodefault mode.

In modern versions of Oracle password guessing speeds decrease after a few guesses and remain slow, due to connection throttling.

WARNING: The script makes no attempt to discover the amount of guesses that can be made before locking an account. Running this script may therefor result in a large number of accounts being locked out on the database server.

See also:

Script Arguments


- the instance against which to perform password guessing


- do not attempt to guess any Oracle default accounts

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.


See the documentation for the creds library.


See the documentation for the tns library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>

Script Output

1521/tcp open  oracle  syn-ack
| oracle-brute:
|   Accounts
|     system:powell => Account locked
|     haxxor:haxxor => Valid credentials
|   Statistics
|_    Perfomed 157 guesses in 8 seconds, average tps: 19



  • Patrik Karlsson

License: Same as Nmap--See