Skip to content
PortsDB

Port reference

Port 1521 (TCP) – Oracle Database TNS Listener

Default Oracle TNS listener port for client connections to Oracle databases.

tcpRegisteredCommonly attacked

Default state

The TNS listener binds to 1521 on Oracle Database hosts by default. Often reachable across the LAN; legacy or unpatched listeners may allow unauthenticated administration.

Common attacks

  • SID and service-name brute force to discover databases
  • TNS poisoning / listener registration hijacking
  • Credential brute force against database accounts
  • Exploitation of unauthenticated listener administration on old versions

CVE-2012-1675

Hardening

  • Bind to a private interface; never expose 1521 to the internet
  • Set a listener password and enable valid-node checking (ACLs)
  • Apply the TNS poisoning fix (dynamic registration restrictions, CVE-2012-1675)
  • Enforce strong DB account passwords and account lockout
  • Require Oracle Native Network Encryption or TLS and patch promptly

nmap snippet

nmap -p1521 --script oracle-tns-version,oracle-sid-brute <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 1521?

Port 1521 is the default for the Oracle TNS (Transparent Network Substrate) listener, the process that accepts incoming client connections and routes them to Oracle Database instances. Clients identify a target by SID or service name, and the listener brokers the session to the right instance. It is the front door to an Oracle estate.

Why it matters for security

The listener fronts databases that often hold critical enterprise data, so an open 1521 is a high-value target. Older or misconfigured listeners allowed remote administration without authentication, and even patched ones leak instance details that help an attacker plan further attacks. Knowing a valid SID plus weak credentials is frequently enough to reach the data.

How it's attacked

Attackers first run SID / service-name brute force to enumerate databases, then brute-force account credentials. The TNS poisoning flaw (CVE-2012-1675) lets an attacker register a rogue service and intercept or hijack client connections. Legacy listeners with no password could be administered remotely, allowing log redirection or denial of service.

Hardening checklist

Bind the listener to a private interface and keep 1521 off the internet, behind a firewall or VPN. Set a listener password, enable valid-node checking (ACLs), and apply Oracle's mitigation for TNS poisoning by restricting dynamic registration. Enforce strong DB passwords with lockout, require Native Network Encryption or TLS, and patch promptly. Use the nmap snippet above to fingerprint the listener and enumerate SIDs on hosts you are authorized to test.

Related ports

Port 1433Port 3306Port 5432Port 27017

Frequently asked questions

What is TNS poisoning?
A flaw (CVE-2012-1675) where an attacker registers a rogue service with the listener and intercepts or hijacks client traffic. Restrict dynamic registration and apply Oracle's mitigation.
Why brute-force the Oracle SID?
You must know a valid SID or service name to connect. Discovering it via brute force is the first step before attacking database credentials, so a private listener limits exposure.