communication protocol
play

Communication Protocol a pentesters view, or rude Oracle experiments - PowerPoint PPT Presentation

Jan 05, 2023 •31 likes •681 views

Oracle Database Communication Protocol a pentesters view, or rude Oracle experiments Roman Bazhin ZeroNights E.0x04 @nezlooy Who am I Security researcher at Digital Security r.bazhin@dsec.ru @nezlooy Agenda Motivation Oracle

  1. Oracle Database Communication Protocol a pentester’s view, or rude Oracle experiments Roman Bazhin ZeroNights E.0x04 @nezlooy

  2. Who am I Security researcher at Digital Security r.bazhin@dsec.ru @nezlooy

  3. Agenda • Motivation • Oracle Client Drivers • Oracle Net Architecture • Oracle Database Protocol • TNSIntruder • Limitations and defense

  4. Motivation Всё началось с задачи

  5. Interaction Scheme RAC Node 1 Client Oracle RAC Node 2

  6. Interaction Scheme RAC Node 1 Client Over 50 requests Oracle per module RAC Node 2

  7. Testing Scheme Proxy / Fuzzer Client N Oracle

  8. Reverse Fuzzing Fuzz SYN Client ACK server SYN-ACK

  9. Reverse Fuzzing Fuzz SYN Client ACK server SYN-ACK REQUEST RESPONSE

  10. Reverse Fuzzing Fuzz SYN Client ACK server SYN-ACK REQUEST RESPONSE REQUEST RESPONSE

  11. Reverse Fuzzing Опа - опа… На на *! Fuzz SYN Client ACK server SYN-ACK REQUEST RESPONSE REQUEST RESPONSE

  12. Reverse Fuzzing Striped hat / Ethical gop-stopping Fuzz SYN Client ACK server SYN-ACK REQUEST RESPONSE REQUEST RESPONSE

  13. Pentester Requirements Только давай без палева ! MITM Proxy Client Oracle Replaying Spoofing • • Modifying Injecting • • etc. •

  14. Hm, and what about protocol? Эу… Чё там с протоколом ? ? ? Proxy / Fuzzer Client N Oracle

  15. Googling И чё есть в этих ваших интернетах ? • Oracle TNS Protocol http://www.thesprawl.org/research/oracle-tns-protocol/ Basic information about headers, type of packets / For beginners / Outdated. • Wireshark TNS data dissector. http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c Only headers, type of packets / Already have one. • Presentations by Jonah Harris http://oracle-internals.com/ Basic information about headers, TTC, server internals / Good. • Oracle Protocol by Gwen Shapira http://www.pythian.com/blog/repost-oracle-protocol/ Description of some types of messages, marshalling / Very good but outdated :(

  16. Googling И чё есть в этих ваших интернетах ? • pytnsproxy by László Tóth http://soonerorlater.hu/index.khtml?article_id=515 Oracle 9i, 10g and 11g MITM-attack tool. • pytnspoison by Joxean Koret http://seclists.org/fulldisclosure/2012/Apr/204 Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool. • Amoeba https://code.google.com/p/amoeba/ Amoeba is a Distributing database proxy / no longer supported.

  17. Code Ну норм, чё :/ pytnspoison

  18. Code Ваще норм, чё :/ pytnsproxy

  19. Code Тож норм :/ Amoeba

  20. Client Drivers Как проблему порешаем?

  21. Oracle Client Drivers overview JDBC OCI .NET 10g, 11g, 12c

  22. Oracle Client Drivers overview Thin JDBC OCI .NET Thin 10g, 11g, 12c

  23. Oracle Net Architecture Чё там в авторских доках?

  24. Oracle Net Architecture Application Client OCI/JDBC/.NET Two-Task Common (TTC) Oracle Net Foundation Layer Oracle Net Oracle Protocol Support

  25. Oracle Net Architecture Application OCI/JDBC/.NET Network Naming (NN) Network Transport (NT) Two-Task Common (TTC) Network Session (NS) TNS Oracle Net Foundation Layer Oracle Net TCP TCPS NP SDP Oracle Protocol Support

  26. Oracle Net Architecture (OSI view) Application (OCI/JDBC/.NET) Two-Task Common (TTC) Oracle Net Transport layer Network layer Data link layer Physical layer

  27. Oracle Net Architecture (Server) Server RDBMS OPI Two-Task Common (TTC) Oracle Net Foundation Layer Oracle Net Oracle Protocol Support

  28. Oracle Database Protocol Айда поподробнее! • Types and formats of messages • Sequence of messages • Fields • Serialization (Marshalling)

  29. Types and formats of messages Transparent Network Substrate (TNS) 0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  30. Types and formats of messages Transparent Network Substrate (TNS) Packet Size 0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 Packet Checksum 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 Packet Type 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 Header Flags 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 Header Checksum 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  31. Types and formats of messages Transparent Network Substrate (TNS) in Oracle 12c Packet Size 0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95 Packet Type 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 Header Flags 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 Header Checksum 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  32. Types and formats of messages TNS / Packet Types: • CONNECT = 0x01 • ABORT = 0x09 • ACCEPT = 0x02 • RESEND = 0x0B • ACKNOWLEDGE = 0x03 • MARKER = 0x0C • REFUSE = 0x04 • ATTENTION = 0x0D • REDIRECT = 0x05 • CONTROL INFORMATION * = 0x0E • DATA = 0x06 • DATA DESCRIPTOR * = 0x0F • NULL = 0x07 * Observed in Oracle 12c

  33. Types and formats of messages TNS / Packet Types: • CONNECT = 0x01 • ABORT = 0x09 • ACCEPT = 0x02 • RESEND = 0x0B • ACKNOWLEDGE = 0x03 • MARKER = 0x0C • REFUSE = 0x04 • ATTENTION = 0x0D • REDIRECT = 0x05 • CONTROL INFORMATION * = 0x0E • DATA = 0x06 • DATA DESCRIPTOR * = 0x0F • NULL = 0x07 * Observed in Oracle 12c

  34. Types and formats of messages DATA Packet Type Data flag 0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 DATA = 0x00 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 MORE * = 0x20 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 EOF = 0x40 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00 * Observed in Oracle 12c

  35. Types and formats of messages Additional Network Options Negotiation (ANO) Magic constant 0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

  36. Types and formats of messages Two-Task Interface (TTI) Function ID 0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07 Subfunction ID 0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D Sequence number * 0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07 0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48 0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44 0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01 0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B 0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08 0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00 0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E * Used only in the client request

  37. Types and formats of messages TTC / TTI commands: • TTIPRO # Set protocol • TTIRPA # Return OPI Parameter • TTIDTY # Set datatypes • TTISTA # Oracle func complete • TTIFUN # Start of user function • TTIIOV # I/O vector • TTIOER # Error / Selecting completed • TTILOBD # LOB/FILE data follows • TTIRXH # Row transfer header • TTIDCB # Describe information • TTIRXD # Row transfer data • TTIPFN # Piggyback func follows • … • …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MULTIPLE ACCESS COMMUNICATION PROTOCOL (proposal of a new SnP) SpaceWire networking Protocol

MULTIPLE ACCESS COMMUNICATION PROTOCOL (proposal of a new SnP) SpaceWire networking Protocol

1 Giovanni Saldi saldi.g@laben.it MULTIPLE ACCESS COMMUNICATION PROTOCOL (proposal of a new SnP) SpaceWire networking Protocol Meeting 3 February 15, 2005 NASA GSFC - U.S.A. MACP keywords 2 ECSS-E-50-12 A MACP SnP Physical Network

483 views • 22 slides
Communication Complexity D 2 F : cost of the most efficient deterministic protocol R 2 F :

Communication Complexity D 2 F : cost of the most efficient deterministic protocol R 2 F :

June 20, 2016 Yassine Hamoudi Carnegie Mellon University Communication Complexity D 2 F : cost of the most efficient deterministic protocol R 2 F : cost of the most efficient randomized protocol with error 1 3 Alice Bob channel Number

1.15k views • 112 slides
Energy-Efficient Communication Protocol for Wireless Microsensor Networks Juhana Yrjl

Energy-Efficient Communication Protocol for Wireless Microsensor Networks Juhana Yrjl

Energy-Efficient Communication Protocol for Wireless Microsensor Networks Juhana Yrjl jayrjola@cc.hut.fi T-79.194 Seminar on theoretical computer science 2005 Algorithmics of sensor networks Energy-Efficient Communication Protocol for

387 views • 20 slides
Chapter 8 Communication Networks and Services The TCP/IP Architecture The Internet Protocol

Chapter 8 Communication Networks and Services The TCP/IP Architecture The Internet Protocol

Chapter 8 Communication Networks and Services The TCP/IP Architecture The Internet Protocol Internet Addressing Address Resolution protocol Internet Control Message Prototocol Chapter 8 Communication Networks and Services The TCP/IP

809 views • 46 slides
Interprocess Communication (IPC) The characteristics of protocols for communication between

Interprocess Communication (IPC) The characteristics of protocols for communication between

Interprocess Communication (IPC) The characteristics of protocols for communication between processes in a distributed system Exploring the Middleware Layers Applications, services RMI and RPC and Request Reply Protocol Marshalling and

883 views • 64 slides
Communication and DASH Presented by: Gabriel Loewen and Vivens Ndatinya Communication

Communication and DASH Presented by: Gabriel Loewen and Vivens Ndatinya Communication

Communication and DASH Presented by: Gabriel Loewen and Vivens Ndatinya Communication Hypertext Transfer Protocol SOAP web services RESTful web services and JSON Ajax HTTP: Hypertext Transfer Protocol Relatively simple

408 views • 40 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Y ear 11 Parents Information Evening EXAM PROTOCOL Key Information No communication,

Y ear 11 Parents Information Evening EXAM PROTOCOL Key Information No communication,

The De Montfort School Welcome to the Y ear 11 Parents Information Evening EXAM PROTOCOL Key Information No communication, verbal or non-verbal Equipment (you must write in black biro), come prepared Any bottles or pencil

665 views • 31 slides
Routing Routing is done by the network layer protocol to guide packets through the communication

Routing Routing is done by the network layer protocol to guide packets through the communication

Routing Routing is done by the network layer protocol to guide packets through the communication subnet to their destinations The time when routing decisions are made depends on whether we are using virtual circuits or datagrams connections

664 views • 35 slides
A Communication Protocol for Distributed Process Management Lerina Aversano, Aniello Cimitile,

A Communication Protocol for Distributed Process Management Lerina Aversano, Aniello Cimitile,

A Communication Protocol for Distributed Process Management Lerina Aversano, Aniello Cimitile, Andrea De Lucia RCOST - Research Center On Software Technology Department of Engineering, University of Sannio Via Traiano, Palazzo ex-Poste

470 views • 5 slides
A Multipurpose Delegation Proxy rely on HTTP as communication protocol e.g. online stores

A Multipurpose Delegation Proxy rely on HTTP as communication protocol e.g. online stores

Motivation Most client-server applications on the Internet A Multipurpose Delegation Proxy rely on HTTP as communication protocol e.g. online stores / banking for WWW Credentials web-based e-mail virtual market places,

69 views • 5 slides
SDL Modelling of a Logical Link Layer Protocol SLACP (Satellite Link Aware Communication

SDL Modelling of a Logical Link Layer Protocol SLACP (Satellite Link Aware Communication

SDL Modelling of a Logical Link Layer Protocol SLACP (Satellite Link Aware Communication Protocol) SLACP Overview SLACP - a logical link layer protocol SLACP - to improve the performance of TCP in satellite links Uses selective

394 views • 14 slides
The REGRR protocol Daniel Kalchev, Register.BG ICANN48, Buenos Aires 16-21 Nov 2013 Register.BG

The REGRR protocol Daniel Kalchev, Register.BG ICANN48, Buenos Aires 16-21 Nov 2013 Register.BG

The REGRR protocol Daniel Kalchev, Register.BG ICANN48, Buenos Aires 16-21 Nov 2013 Register.BG REGRR Protocol Protocol design Signed XML messages over encrypted communication channel No need to keeping session or state at the server

430 views • 6 slides
Communication Protocol for Enhanced Errors and Notifications PCE WG, IETF104, Prague

Communication Protocol for Enhanced Errors and Notifications PCE WG, IETF104, Prague

Extensions to the Path Computation Element Communication Protocol for Enhanced Errors and Notifications PCE WG, IETF104, Prague draft-ietf-pce-enhanced-errors-05 Helia Pouyllau(helia.pouyllau@alcatel-lucent.com) Remi

488 views • 7 slides
Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30

Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30

Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30 May, 2013 Pemantle Analytic Combinatorics in Several Variables About the book Pemantle Analytic Combinatorics in Several Variables Pemantle

1.23k views • 89 slides
1 Ikegamis Theorem for zero-dimensional Polish spaces Let I be a -ideal on a set X . We call

1 Ikegamis Theorem for zero-dimensional Polish spaces Let I be a -ideal on a set X . We call

1 Ikegamis Theorem for zero-dimensional Polish spaces Let I be a -ideal on a set X . We call I proper if I contains all singletons but not the whole set. From now on every ideal shall be proper. Let X be an uncountable Polish space and let I

324 views • 10 slides
TagYoure It! TagYoure It! Michelle Cummings M.S. Training Wheels Michelle

TagYoure It! TagYoure It! Michelle Cummings M.S. Training Wheels Michelle

TagYoure It! TagYoure It! Michelle Cummings M.S. Training Wheels Michelle Cummings M.S. Training Wheels www.training-wheels.com Energizer Games Pair Tag Evolution Viper Tag Wagon Wheel Tag

617 views • 16 slides
AN ALGEBRA APPROACH TO TROPICAL MATHEMATICS Louis Rowen, Department of Mathematics, Bar-Ilan

AN ALGEBRA APPROACH TO TROPICAL MATHEMATICS Louis Rowen, Department of Mathematics, Bar-Ilan

Emory University: Saltman Conference AN ALGEBRA APPROACH TO TROPICAL MATHEMATICS Louis Rowen, Department of Mathematics, Bar-Ilan University Ramat-Gan 52900, Israel (Joint work with Zur Izhakian) May, 2011 1. Brief introduction to

648 views • 50 slides
Photos of Real Microscope Views of Bacterial Slides As you go through this presentation ask

Photos of Real Microscope Views of Bacterial Slides As you go through this presentation ask

Photos of Real Microscope Views of Bacterial Slides As you go through this presentation ask yourself if these are in the domain Bacteria or Eukarya Amoeba proteus Is this a prokaryote or eukaryote? 1 Amoeba proteus at a higher magnification

242 views • 10 slides
CSci 5103 Operating Systems Jon Weissman The Landscape at 50K feet OSPP ~ Chap. 2; Review A

CSci 5103 Operating Systems Jon Weissman The Landscape at 50K feet OSPP ~ Chap. 2; Review A

CSci 5103 Operating Systems Jon Weissman The Landscape at 50K feet OSPP ~ Chap. 2; Review A First Look at Some Key Concepts: #1 kernel The software component that controls the hardware directly, and implements the core privileged OS

618 views • 24 slides
VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

VIRTUAL ARCHITECTURAL PRACTICE - AN ALTERNATE REALITY PRODUCED BY AIA PMKC + AIA TRUST 1.5

Peter S. Macrae, AIA SPEAKERS: VIRTUAL PRACTICE FRAMEWORK Charles R. Heuer, Esq, FAIA MANAGING RISK WHEN RUNNING A VIRTUAL PRACTICE Kevin J. Collins, RPLU, Associate AIA CHALLENGES TO PROFESSION AND PRACTICE IN A VIRTUAL PRACTICE Lira Luis,

630 views • 37 slides
E

E

E H Batrice de Tilire University Paris-Dauphine work in progress with Cdric Boutillier (Sorbonne) & David

660 views • 40 slides

More recommend