I have created a new Nmap script that attempts to determine valid Oracle instance names by guessing names from a dictionary against the TNS-listener. It’s available, together with my other scripts, from the nmap scripts page.
The script can be fed a dictionary file as argument using the following syntax:
nmap -sV --script oracle-sid-brute --script-args=oraclesids=/path/to/dic <host> -p 1521-1600
If no argument is given the default list under nselib/data (included in the zip file) is used. This list was compile by red database security and is available from here.