Find Oracle Databases with Nmap
This guide walks you through discovering Oracle database instances on your network using Nmap — a free, widely available network scanning tool. Use this process to audit your Oracle estate and identify any instances that may not be tracked in your asset register.
What you'll need
- A machine with Nmap installed (download here)
- Network access to the IP ranges you want to scan
- Administrator or root privileges on the scanning machine (required for the most effective scan type)
- The IP range(s) you want to scan — check with your network team if unsure
Understanding Oracle ports
Oracle databases advertise themselves via a TNS Listener process. By default this runs on specific network ports. Your scan needs to check all of them:
| Port | Protocol | Notes |
|---|---|---|
| 1521 Default | TCP | Standard Oracle listener port. Most instances use this. |
| 1526 Legacy | TCP | Old default in Oracle 7 and earlier. Still seen in long-running environments. |
| 1522 | TCP | Commonly used as a secondary or non-default listener port. |
| 2483 | TCP | Oracle listener over TCP with SSL/TLS (TCPS). |
| 2484 | TCP | Oracle listener over TCP/IP with SSL (alternate TCPS). |
Step-by-step: scanning your network
Find live hosts first (optional but recommended)
Before scanning for Oracle ports, identify which hosts are actually online. This makes the subsequent scan significantly faster.
# Replace 10.0.0.0/24 with your network range
nmap -sn 10.0.0.0/24 -oN live_hosts.txt
This creates a file live_hosts.txt containing only the hosts that responded. You can feed this into the next step.
Scan for Oracle listener ports
Run the core scan against all Oracle ports. This command checks all five Oracle ports, identifies the service version, and saves the results to a file.
# Scan a full subnet
nmap -sV -p 1521,1522,1526,2483,2484 --open -T4 -oN oracle_scan.txt 10.0.0.0/24
# Or use your live hosts file from step 1
nmap -sV -p 1521,1522,1526,2483,2484 --open -T4 -oN oracle_scan.txt -iL live_hosts.txt
| Flag | What it does |
|---|---|
-sV |
Detects service version — identifies the Oracle listener and its version number |
-p 1521,... |
Scans only the specified ports |
--open |
Only shows hosts with open ports — removes noise from the output |
-T4 |
Faster timing — safe to use on internal LANs |
-oN |
Saves results to a plain text file |
-iL |
Reads target hosts from a file |
Enumerate service names from found listeners
Once you have a list of IPs with open Oracle ports, you can query each listener for its registered database service names and SIDs. Run this against each IP you found:
# Get Oracle version from the listener
nmap -sV -p 1521 --script oracle-tns-version 10.0.0.50
# Enumerate registered SIDs (database names)
nmap -p 1521 --script oracle-sid-brute 10.0.0.50
The oracle-tns-version script returns the Oracle version (e.g. 19c, 12.2). The oracle-sid-brute script attempts to identify the database SID — useful for confirming which database instance is running.
Open your oracle_scan.txt output file. For each host with an open Oracle port, record:
- IP address and hostname (if resolvable)
- Port number the listener is using
- Oracle version (from
-sVor theoracle-tns-versionscript) - SID or service name (from
oracle-sid-brute)
Compare this list against your known asset register to identify untracked instances.
Understanding the results
Each host in the nmap output will show one of three port states:
| State | Meaning |
|---|---|
open |
A service is actively listening on this port. Likely an Oracle listener. |
closed |
The host is reachable but nothing is listening. No Oracle instance here. |
filtered |
A firewall is blocking the probe. The host may have a listener — flag for investigation. |
filtered result on port 1521 often means an Oracle listener exists but is protected by a host-based firewall. These hosts are worth following up with your DBA or network team.Non-standard port scan (advanced)
If you suspect Oracle instances are running on non-standard ports, run a broader scan on the port range DBAs commonly use:
# Broader scan for non-standard Oracle ports
nmap -sV -p 1500-1600 --open -oN oracle_nonstandard.txt 10.0.0.0/24
Review any open ports in this range with your DBA team to confirm whether they relate to Oracle.
Troubleshooting
| Issue | Likely cause | What to do |
|---|---|---|
| No hosts found | ICMP (ping) is blocked | Add -Pn to skip host discovery and treat all hosts as up |
| Scan is very slow | Network latency or T3 timing | Add -T4 on a LAN, or reduce the IP range and scan in batches |
| Permission denied error | SYN scan requires root/admin | Run with sudo (Linux/Mac) or as Administrator (Windows), or use -sT instead |
| oracle-sid-brute finds nothing | Listener is restricted | Try connecting directly with sqlplus or ask your DBA for the registered service names |