
Oracle Database

Communication Protocol
a pentester's view, or rude Oracle experiments

Roman Bazhin
ZeroNights E.0x04
@nezlooy
Who am I
Security researcher at Digital Security

r.bazhin@dsec.ru
@nezlooy
Agenda
Motivation
Oracle Client Drivers
Oracle Net Architecture
Oracle Database Protocol
TNSIntruder
Limitations and defense
Motivation

Interaction Scheme

Client <-> Oracle (RAC Node 1, RAC Node 2)
Over 50 requests per module
Testing Scheme

Proxy / Fuzzer
Oracle Client N
Reverse Fuzzing
Striped hat / Ethical gop-stopping

Client                 Fuzz server
SYN          ->
             <-        SYN-ACK
ACK          ->
REQUEST      ->
             <-        RESPONSE
REQUEST      ->
             <-        RESPONSE
Pentester Requirements

Client <-> MITM Proxy <-> Oracle
Replaying, Spoofing, Modifying, Injecting, etc.
Hm, and what about the protocol?

Proxy / Fuzzer
Oracle Client N
Googling
Oracle TNS Protocol
http://www.thesprawl.org/research/oracle-tns-protocol/
Basic information about headers, type of packets / For beginners / Outdated.
Wireshark TNS data dissector.
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c
Only headers, type of packets / Already have one.
Presentations by Jonah Harris
http://oracle-internals.com/
Basic information about headers, TTC, server internals / Good.
Oracle Protocol by Gwen Shapira
http://www.pythian.com/blog/repost-oracle-protocol/
Description of some types of messages, marshalling / Very good but outdated :(
Googling
pytnsproxy by László Tóth
http://soonerorlater.hu/index.khtml?article_id=515
Oracle 9i, 10g and 11g MITM-attack tool.
pytnspoison by Joxean Koret
http://seclists.org/fulldisclosure/2012/Apr/204
Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
Amoeba
https://code.google.com/p/amoeba/
Amoeba is a distributed database proxy / no longer supported.
Code: pytnspoison :/
Code: pytnsproxy :/
Code: Amoeba :/
Client Drivers
Oracle Client Drivers overview

JDBC (Thin), OCI, .NET (Thin)
Oracle 10g, 11g, 12c
Oracle Net Architecture (Client)
Application
OCI/JDBC/.NET
Two-Task Common (TTC)
Oracle Net
  Oracle Net Foundation Layer: Network Naming (NN), Network Session (NS) / TNS, Network Transport (NT)
  Oracle Protocol Support: TCP, TCPS, NP, SDP
Oracle Net Architecture (OSI view)
Application (OCI/JDBC/.NET)

Two-Task Common (TTC)

Oracle Net

Transport layer

Network layer

Data link layer

Physical layer
Oracle Net Architecture (Server)
Server
RDBMS
OPI

Two-Task Common (TTC)

Oracle Net Foundation Layer


Oracle Net
Oracle Protocol Support
Oracle Database Protocol
Types and formats of messages
Sequence of messages
Fields
Serialization (Marshalling)
Types and formats of messages
Transparent Network Substrate (TNS)
Header fields (before Oracle 12c), in order: Packet Size, Packet Checksum, Packet Type, Header Flags, Header Checksum

0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
Transparent Network Substrate (TNS) in Oracle 12c
Header fields, in order: Packet Size (now 4 bytes, no Packet Checksum), Packet Type, Header Flags, Header Checksum

0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
TNS / Packet Types:
CONNECT = 0x01
ACCEPT = 0x02
ACKNOWLEDGE = 0x03
REFUSE = 0x04
REDIRECT = 0x05
DATA = 0x06
NULL = 0x07
ABORT = 0x09
RESEND = 0x0B
MARKER = 0x0C
ATTENTION = 0x0D
CONTROL INFORMATION * = 0x0E
DATA DESCRIPTOR * = 0x0F

* Observed in Oracle 12c

Types and formats of messages
DATA Packet Type
Data flag (the two bytes that follow the TNS header in the dump above):
DATA = 0x00
MORE * = 0x20
EOF = 0x40

* Observed in Oracle 12c

Types and formats of messages
Additional Network Options Negotiation (ANO)
Magic constant: DE AD BE EF (the first bytes of the DATA payload in the dump above)
Types and formats of messages
Two-Task Interface (TTI)
Annotated bytes after the data flag: Function ID (03), Subfunction ID (76), Sequence number * (01)

0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E

* Used only in the client request
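As an added example (not code from the talk or from TNSIntruder), a small Python decoder for the two TNS header forms, the DATA flag, the ANO magic and the TTI/TTIFUN prefix shown in the dumps above. The slides list only the names of the TTI messages and subfunctions; the numeric ids used here are an assumption taken from open-source thin-client implementations.

```python
import struct

# Packet types and DATA flags as listed on the slides.
PACKET_TYPES = {0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE",
                0x04: "REFUSE", 0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL",
                0x09: "ABORT", 0x0B: "RESEND", 0x0C: "MARKER", 0x0D: "ATTENTION",
                0x0E: "CONTROL INFORMATION", 0x0F: "DATA DESCRIPTOR"}
DATA_FLAGS = {0x00: "DATA", 0x20: "MORE", 0x40: "EOF"}
# The slides name TTI messages and TTIFUN subfunctions without codes; the ids
# below are those used by open-source thin clients (assumption, not from slides).
TTI_CODES = {0x01: "TTIPRO", 0x02: "TTIDTY", 0x03: "TTIFUN", 0x04: "TTIOER",
             0x06: "TTIRXH", 0x07: "TTIRXD", 0x08: "TTIRPA", 0x09: "TTISTA",
             0x0B: "TTIIOV", 0x0E: "TTILOBD", 0x10: "TTIDCB", 0x11: "TTIPFN"}
SUBFUNCTIONS = {0x05: "OFETCH", 0x09: "OLOGOFF", 0x0E: "OCOMMIT", 0x0F: "OROLLBACK",
                0x3B: "OVERSION", 0x5E: "OALL8", 0x60: "OLOBOPS", 0x69: "OCLOSE",
                0x73: "OAUTH", 0x76: "OSESSKEY", 0x93: "OPING"}
ANO_MAGIC = b"\xde\xad\xbe\xef"

def parse_tns(pkt: bytes, oracle12c: bool = False) -> dict:
    """Decode the TNS header and, for DATA packets, the data flag and payload start.
    Pre-12c header: size(2) packet_checksum(2) type(1) flags(1) hdr_checksum(2)
    12c header:     size(4)                    type(1) flags(1) hdr_checksum(2)"""
    if len(pkt) < 8:
        raise ValueError("truncated TNS header")
    if oracle12c:
        size, checksum = int.from_bytes(pkt[:4], "big"), None
    else:
        size, checksum = struct.unpack(">HH", pkt[:4])
    ptype, flags, hdr_checksum = struct.unpack(">BBH", pkt[4:8])
    out = {"size": size, "packet_checksum": checksum, "type": ptype,
           "type_name": PACKET_TYPES.get(ptype, "UNKNOWN"),
           "flags": flags, "header_checksum": hdr_checksum}
    if ptype != 0x06 or len(pkt) < 10:
        return out
    data_flag = struct.unpack(">H", pkt[8:10])[0]
    out["data_flag"] = DATA_FLAGS.get(data_flag, hex(data_flag))
    body = pkt[10:]
    if body.startswith(ANO_MAGIC):          # ANO block starts with DE AD BE EF
        out["payload"] = "ANO"
    elif body:                              # otherwise a TTI message id
        out["payload"] = TTI_CODES.get(body[0], "UNKNOWN")
        if body[0] == 0x03 and len(body) >= 3:  # TTIFUN: subfunction id, seq number
            out["subfunction"] = SUBFUNCTIONS.get(body[1], hex(body[1]))
            out["sequence"] = body[2]
    return out

# Sample input: first 16 bytes of the slides' DATA/ANO dump (pre-12c header) and of
# the slides' TTI dump (12c header, TTIFUN -> OSESSKEY with sequence number 1).
ANO_SAMPLE = bytes.fromhex("00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95")
TTI_SAMPLE = bytes.fromhex("00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07")
```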


Types and formats of messages
TTC / TTI commands:
TTIPRO  # Set protocol
TTIDTY  # Set datatypes
TTIFUN  # Start of user function
TTIOER  # Error / Selecting completed
TTIRXH  # Row transfer header
TTIRXD  # Row transfer data
TTIRPA  # Return OPI Parameter
TTISTA  # Oracle func complete
TTIIOV  # I/O vector
TTILOBD # LOB/FILE data follows
TTIDCB  # Describe information
TTIPFN  # Piggyback func follows

Types and formats of messages
TTC / TTI commands (client data requests):
TTIPRO  # Set protocol
TTIDTY  # Set datatypes
TTIFUN  # Start of user function
TTIOER  # Error / Selecting completed
TTIRXH  # Row transfer header
TTIRXD  # Row transfer data
TTIRPA  # Return OPI Parameter
TTISTA  # Oracle func complete
TTIIOV  # I/O vector
TTILOBD # LOB/FILE data follows
TTIDCB  # Describe information
TTIPFN  # Piggyback func follows

Types and formats of messages
TTC / TTI subfunctions:
TTIFUN: OSESSKEY, OAUTH, OVERSION, OALL8, OFETCH, OLOBOPS, OCOMMIT, OROLLBACK, OPING, OCLOSE
TTIPFN: O80SES, OCCA
Types and formats of messages
TTC / TTI commands (server data responses):
TTIPRO  # Set protocol
TTIDTY  # Set datatypes
TTIFUN  # Start of user function
TTIOER  # Error / Selecting completed
TTIRXH  # Row transfer header
TTIRXD  # Row transfer data
TTIRPA  # Return OPI Parameter
TTISTA  # Oracle func complete
TTIIOV  # I/O vector
TTILOBD # LOB/FILE data follows
TTIDCB  # Describe information
TTIPFN  # Piggyback func follows

Sequence of messages
Authentication

Client: CONNECT
Server: ACCEPT
Client: ANO
Server: ANO
Client: TTIPRO
Server: TTIPRO
Client: TTIDTY
Server: TTIDTY
Client: TTIFUN -> OSESSKEY
Server: TTIRPA
Client: TTIFUN -> OAUTH
Server: TTIRPA
Client: TTIFUN -> OVERSION *
Server: TTIRPA

* Thin client; OCI uses TTIPFN -> O80SES or does not send it at all
Sequence of messages
Selecting

Client: TTIFUN -> OALL8, then TTIFUN -> OFETCH
Server: TTIDCB, TTIRXH
Sequence of messages
Selecting

Client: TTIPFN -> OCCA, then TTIFUN -> OFETCH
Server: TTIDCB, TTIOER
Sequence of messages
Selecting

Client: TTIFUN -> OALL8, TTIFUN -> OFETCH, TTIFUN -> OLOBOPS, TTIFUN -> OLOBOPS
Server: TTIDCB, TTIRXH, TTILOBD, DATA *, DATA, DATA, TTIRPA

* Observed in Oracle 10g and 11g

Sequence of messages
Logging Off

Client: TTIFUN -> OCOMMIT, TTIFUN -> OROLLBACK, TTIFUN -> OLOGOFF *, EOF
Server: TTISTA, TTISTA, TTISTA

* OCI and Thin client use TTIPFN -> OCCA

Fields
length seqNumber lag0 A_MAGIC1
pkt_checksum packetVersion flag1 dataLen
type lowestVersion noAnoServices intVersion
flag options noAnoServices strVersion
hdr_checksum sduSize extended Supervisor
data_flag tduSize timeout options
data_flag protocolCharacteristics tick serviceSv
data_id undefined1 timeout serviceSvSub
data_id HWByteOrder reconnectAddrLen serviceSvMarker
sig dataLen reconnectAddrOff serviceSvShortVer1
data_id dataOff largeSDU serviceSvShortVer2
ano maxReceivedData sduSize serviceSvIntVersion
overall_data_size anoFlags tduSize serviceSvStrVersion
version_int_1 anoEnabled session drivers
version_str_1 b4padding poolEnabled driversType
service largeSDU timestampLastIO curPID
options_flag_or_service_to_be_used sduSize sduSize junk
service_sv tduSize tduSize objLen
timeout func isBreak objType
Serialization (Marshalling)
Data Types:
UB1, SB1 (UBInt8, SBInt8)
UB2, SB2 (UBInt16, SBInt16)
UB4, SB4 (UBInt32, SBInt32)
SB8 (SBInt64)
UWORD, SWORD (UBInt32, SBInt32)
B1Array (UB1 Array)
B4Array (UB4 Array)
O2U (B1/B4Array)
NULLPTR (O2U(False))
PTR (O2U(True))
CLR (B1Array[64])
CHR (UB1Array)
TEXT (CString)
DALC (SB4, CLR)
KEYVAL (DALC, DALC, UB4)
KPDKV (DALC, DALC, UB2)
UCS2 (UB2)
RefCursor (SB4)
BFILE / BLOB / CLOB
Serialization (Marshalling)
Some magic
TNSIntruder
Utility written in Python, works as a database proxy.
Supports Oracle Database 10g, 11g, 12c

Features:
Classes and marshalling engine
Collector of sequences
Injecting arbitrary SQL queries (Session hijacking)
Demo
TNSIntruder
Necessary to implement:
PL/SQL support
Network Data Encryption and Integrity Checks support

Wish list:
SQL parser
Java backdoor uploader in a hijacked session *

* And support for ODAT (Oracle Database Attacking Tool) features


TNSIntruder

https://github.com/nezlooy
Limitations and defense
Channel
Network Data Encryption and Integrity Checks
PKI (Oracle wallets)
Data protection
Authentication
Database attacks
Oracle Database Firewall
Antifraud solutions
Bonus
Gop-stopping of Instant Clients
Fuzzing with pyZZUF and Radamsa
OCI
Only 6 server responses were fuzzed
Unique faults: 10.2.0.5.0 (9), 11.2.0.4.0 (7), 12.1.0.2.0 (9)
AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS

Questions?
Thank You

nezlooy