Oracle Database Communication Protocol: a pentester's view, or rude Oracle experiments (PowerPoint PPT presentation)

  1. Oracle Database Communication Protocol: a pentester's view, or rude Oracle experiments. Roman Bazhin, ZeroNights E.0x04, @nezlooy

  2. Who am I: Security researcher at Digital Security, r.bazhin@dsec.ru, @nezlooy

  3. Agenda
      • Motivation
      • Oracle Client Drivers
      • Oracle Net Architecture
      • Oracle Database Protocol
      • TNSIntruder
      • Limitations and defense

  4. Motivation: It all started with a task

  5. Interaction Scheme: Client <-> Oracle (RAC Node 1, RAC Node 2)

  6. Interaction Scheme: Client <-> Oracle (RAC Node 1, RAC Node 2), over 50 requests per module

  7. Testing Scheme: Client N <-> Proxy / Fuzzer <-> Oracle

  8. Reverse Fuzzing: Client -> Fuzz server: SYN; Fuzz server -> Client: SYN-ACK; Client -> Fuzz server: ACK

  9. Reverse Fuzzing: Client -> Fuzz server: SYN; Fuzz server -> Client: SYN-ACK; Client -> Fuzz server: ACK; then REQUEST / RESPONSE

  10. Reverse Fuzzing: Client -> Fuzz server: SYN; Fuzz server -> Client: SYN-ACK; Client -> Fuzz server: ACK; then REQUEST / RESPONSE, REQUEST / RESPONSE, ...

  11. Reverse Fuzzing: Whoa, whoa... take that, *! Client -> Fuzz server: SYN; Fuzz server -> Client: SYN-ACK; Client -> Fuzz server: ACK; then REQUEST / RESPONSE, REQUEST / RESPONSE, ...

  12. Reverse Fuzzing: Striped hat / Ethical gop-stopping. Client -> Fuzz server: SYN; Fuzz server -> Client: SYN-ACK; Client -> Fuzz server: ACK; then REQUEST / RESPONSE, REQUEST / RESPONSE, ...

  13. Pentester Requirements: Just keep a low profile! MITM Proxy between Client and Oracle:
      • Replaying
      • Spoofing
      • Modifying
      • Injecting
      • etc.

  14. Hm, and what about the protocol? Hey... what about the protocol??? Client N <-> Proxy / Fuzzer <-> Oracle

  15. Googling: So what is there on this Internet of yours?
      • Oracle TNS Protocol (http://www.thesprawl.org/research/oracle-tns-protocol/): basic information about headers, packet types / for beginners / outdated.
      • Wireshark TNS data dissector (http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c): only headers, packet types / already have one.
      • Presentations by Jonah Harris (http://oracle-internals.com/): basic information about headers, TTC, server internals / good.
      • Oracle Protocol by Gwen Shapira (http://www.pythian.com/blog/repost-oracle-protocol/): description of some message types, marshalling / very good but outdated :(

  16. Googling: So what is there on this Internet of yours?
      • pytnsproxy by László Tóth (http://soonerorlater.hu/index.khtml?article_id=515): Oracle 9i, 10g and 11g MITM attack tool.
      • pytnspoison by Joxean Koret (http://seclists.org/fulldisclosure/2012/Apr/204): Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
      • Amoeba (https://code.google.com/p/amoeba/): Amoeba is a distributed database proxy / no longer supported.

  17. Code: Well, it's fine, I guess :/ (pytnspoison)

  18. Code: Totally fine, I guess :/ (pytnsproxy)

  19. Code: Also fine :/ (Amoeba)

  20. Client Drivers: How do we solve the problem?

  21. Oracle Client Drivers overview: JDBC, OCI, .NET (10g, 11g, 12c)

  22. Oracle Client Drivers overview: JDBC (Thin), OCI, .NET (Thin) (10g, 11g, 12c)

  23. Oracle Net Architecture: What do the official docs say?

  24. Oracle Net Architecture (Client)
      • Application
      • OCI/JDBC/.NET
      • Two-Task Common (TTC)
      • Oracle Net: Oracle Net Foundation Layer, Oracle Protocol Support

  25. Oracle Net Architecture
      • Application
      • OCI/JDBC/.NET
      • Two-Task Common (TTC)
      • Oracle Net: Oracle Net Foundation Layer (Network Naming (NN), Network Session (NS), Network Transport (NT), TNS); Oracle Protocol Support (TCP, TCPS, NP, SDP)

  26. Oracle Net Architecture (OSI view)
      • Application (OCI/JDBC/.NET)
      • Two-Task Common (TTC)
      • Oracle Net
      • Transport layer
      • Network layer
      • Data link layer
      • Physical layer

  27. Oracle Net Architecture (Server)
      • Server RDBMS
      • OPI
      • Two-Task Common (TTC)
      • Oracle Net: Oracle Net Foundation Layer, Oracle Protocol Support

  28. Oracle Database Protocol: Let's get into the details!
      • Types and formats of messages
      • Sequence of messages
      • Fields
      • Serialization (Marshalling)

  29. Types and formats of messages: Transparent Network Substrate (TNS). Raw packet dump:
      0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
      0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
      0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
      0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
      0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
      0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
      0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
      0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
      0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
      0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  30. Types and formats of messages: Transparent Network Substrate (TNS). Annotated header fields, in order: Packet Size, Packet Checksum, Packet Type, Header Flags, Header Checksum.
      0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
      0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
      0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
      0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
      0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
      0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
      0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
      0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
      0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
      0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  31. Types and formats of messages: Transparent Network Substrate (TNS) in Oracle 12c. Annotated header fields, in order: Packet Size, Packet Type, Header Flags, Header Checksum.
      0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
      0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
      0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
      0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
      0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
      0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
      0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
      0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
      0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
      0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  32. Types and formats of messages: TNS / Packet Types
      • CONNECT = 0x01
      • ACCEPT = 0x02
      • ACKNOWLEDGE = 0x03
      • REFUSE = 0x04
      • REDIRECT = 0x05
      • DATA = 0x06
      • NULL = 0x07
      • ABORT = 0x09
      • RESEND = 0x0B
      • MARKER = 0x0C
      • ATTENTION = 0x0D
      • CONTROL INFORMATION * = 0x0E
      • DATA DESCRIPTOR * = 0x0F
      * Observed in Oracle 12c

  34. Types and formats of messages: DATA Packet Type. Data flag values: DATA = 0x00, MORE * = 0x20, EOF = 0x40.
      0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
      0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
      0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
      0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
      0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
      0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
      0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
      0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
      0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
      0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
      * Observed in Oracle 12c

  35. Types and formats of messages: Additional Network Options Negotiation (ANO). Annotated field: Magic constant (DE AD BE EF).
      0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
      0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
      0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
      0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
      0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
      0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
      0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
      0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
      0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
      0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  36. Types and formats of messages: Two-Task Interface (TTI). Annotated fields, in order: Function ID, Subfunction ID, Sequence number *.
      0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
      0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
      0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
      0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
      0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
      0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
      0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
      0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
      0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
      0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
      * Used only in the client request

  37. Types and formats of messages: TTC / TTI commands
      • TTIPRO # Set protocol
      • TTIDTY # Set datatypes
      • TTIFUN # Start of user function
      • TTIOER # Error / Selecting completed
      • TTIRXH # Row transfer header
      • TTIRXD # Row transfer data
      • TTIRPA # Return OPI Parameter
      • TTISTA # Oracle func complete
      • TTIIOV # I/O vector
      • TTILOBD # LOB/FILE data follows
      • TTIDCB # Describe information
      • TTIPFN # Piggyback func follows
      • …
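As an added example (not code from the presentation or from TNSIntruder), a small Python dissector for the packet layouts shown on slides 30 to 37: it reads the 8-byte TNS header in both the pre-12c and the 12c layout, decodes the DATA flags, recognises an ANO block by the DEADBEEF magic and a TTIFUN message by its leading 0x03, and pulls the printable AUTH_* strings out of the body, which is what a proxy or IDS dissector needs before it can classify a captured session. The 12c-versus-pre-12c heuristic (a packet starting with 00 00) and the embedded sample packets, constructed from the leading bytes of the slides' dumps, are assumptions of this example.

```python
import re
import struct

# Packet types from slide 32; the presenter saw 0x0E and 0x0F only on Oracle 12c
TNS_PACKET_TYPES = {0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE", 0x04: "REFUSE",
                    0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL", 0x09: "ABORT", 0x0B: "RESEND",
                    0x0C: "MARKER", 0x0D: "ATTENTION", 0x0E: "CONTROL INFORMATION", 0x0F: "DATA DESCRIPTOR"}
DATA_FLAGS = {0x00: "DATA", 0x20: "MORE", 0x40: "EOF"}  # slide 34
ANO_MAGIC = b"\xde\xad\xbe\xef"                         # slide 35
TTIFUN = 0x03                                           # slide 37: start of user function

# Constructed samples: the leading bytes of the dumps on slides 30, 31 and 36
PKT_PRE12C_ANO = bytes.fromhex("00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95")
PKT_12C_ANO = bytes.fromhex("00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95")
PKT_12C_TTIFUN = bytes.fromhex("00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07 01 01 01 01 05 01 01 "
                               "4F 52 41 55 53 45 52 01 0D 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C "
                               "01 07 07 75 6E 6B 6E 6F 77 6E 00")

def ascii_strings(data: bytes, minlen: int = 4) -> list:
    """Printable runs of at least minlen bytes, e.g. the AUTH_* keys in a TTIFUN body."""
    return [r.decode() for r in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)]

def parse_tns(pkt: bytes) -> dict:
    """Dissect one TNS packet: 8-byte header (pre-12c or 12c layout), then the body."""
    if len(pkt) < 10:
        raise ValueError("truncated TNS packet")
    # Assumption (not from the slides): a pre-12c 2-byte length is never 0, so a packet
    # starting with 00 00 is read with the 12c 4-byte length and no packet checksum.
    if pkt[:2] == b"\x00\x00":
        length, ptype, flags, hdr_cksum = struct.unpack(">IBBH", pkt[:8])
        layout, pkt_cksum = "12c", None
    else:
        length, pkt_cksum, ptype, flags, hdr_cksum = struct.unpack(">HHBBH", pkt[:8])
        layout = "pre-12c"
    info = {"layout": layout, "length": length, "packet_checksum": pkt_cksum,
            "type": TNS_PACKET_TYPES.get(ptype, "UNKNOWN(0x%02x)" % ptype),
            "header_flags": flags, "header_checksum": hdr_cksum}
    if ptype != 0x06:                 # only DATA packets carry data flags and an ANO/TTC body
        return info
    data_flags = pkt[8] << 8 | pkt[9]
    info["data_flag"] = DATA_FLAGS.get(data_flags, "0x%04x" % data_flags)
    body = pkt[10:]
    if body.startswith(ANO_MAGIC):
        info["payload"] = "ANO"
    elif len(body) >= 3 and body[0] == TTIFUN:
        info["payload"] = "TTIFUN"
        info["subfunction"], info["sequence"] = body[1], body[2]   # slide 36 labels
    else:
        info["payload"] = "TTC"
    info["strings"] = ascii_strings(body)
    return info
```

Feeding the three samples through parse_tns shows the header checksum field moving from offset 6 to offset 6 with the packet checksum dropped in 12c, and the client's first TTIFUN exposing its AUTH_* values in clear, which is why the presenter's proxy can read them.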
