Yaping's Weblog

September 2, 2008

Network

Filed under: Oracle — Yaping @ 2:35 am

Oracle Password Protocol (O3Logon)

The O3Logon protocol is used in Oracle 10g and earlier; O5Logon has been used since 11g.

When a client connects to the database, it first sends the username to the server. The server checks whether it is a valid username; if it is not, the server sends a “login denied” error to the client.

If the user exists, the server extracts the user’s password hash from the database and uses this hash value to create a secret number.

The secret number is then encrypted with the user’s password hash, and the result, the AUTH_SESSKEY, is sent to the client.

After receiving the AUTH_SESSKEY, the client must recover the secret number. It computes the hash of the password the user typed and uses this hash as the key to decrypt the AUTH_SESSKEY. If everything goes well, this yields the secret number. The secret number is then used as a key to encrypt the user’s clear-text password, and the resulting cipher text is sent back to the server as the AUTH_PASSWORD.

The server decrypts the AUTH_PASSWORD with the secret number as the key and now holds a copy of the clear-text password. It computes the password hash and compares it with the hash stored in the database. If they match, the user is authenticated. The server then checks whether the user has the CREATE SESSION privilege; if so, the user is given access to the database server.
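The exchange described above, simulated end to end with both the server's and the client's steps. This is an added example and not code from the original post: Oracle's real O3Logon uses a DES-based password hash and DES encryption, which are not in the Python standard library, so SHA-256 stands in for the hash and an HMAC-SHA256 keystream stands in for the cipher (both labelled as assumptions in the comments). The class and function names are likewise invented for the example; only the message flow (AUTH_SESSKEY out, AUTH_PASSWORD back, re-hash and compare) follows the text.

```python
import hashlib
import hmac
import os

# --- stand-in primitives (assumptions, not Oracle's algorithms) ----------------

def password_hash(username: str, password: str) -> bytes:
    """Stand-in for the stored 10g password hash. Like Oracle's, it upper-cases
    the username and password and hashes them together, so the hash is
    case-insensitive and tied to the account name."""
    return hashlib.sha256((username.upper() + password.upper()).encode("utf-8")).digest()


def keyed_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES: XOR the data with an HMAC-SHA256 keystream derived
    from the key. The same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- server side ---------------------------------------------------------------

class Server:
    def __init__(self, stored_hashes: dict):
        self.stored_hashes = stored_hashes   # username -> hash read from the database
        self.pending = {}                    # username -> secret number for this logon

    def start_logon(self, username: str) -> bytes:
        """Steps 1-2: reject unknown users, create the secret number and return
        AUTH_SESSKEY = encrypt(secret, key = stored password hash)."""
        if username not in self.stored_hashes:
            raise PermissionError("login denied")
        # The text says the secret is created using the hash but not how;
        # a random value is assumed here.
        secret = os.urandom(16)
        self.pending[username] = secret
        return keyed_xor(self.stored_hashes[username], secret)

    def finish_logon(self, username: str, auth_password: bytes) -> bool:
        """Step 4: decrypt AUTH_PASSWORD with the secret to get the clear-text
        password, hash it and compare with the stored hash."""
        secret = self.pending.pop(username)
        clear = keyed_xor(secret, auth_password).decode("latin-1")
        return hmac.compare_digest(password_hash(username, clear),
                                   self.stored_hashes[username])


# --- client side ---------------------------------------------------------------

def client_respond(username: str, password: str, auth_sesskey: bytes) -> bytes:
    """Step 3: hash the typed password, decrypt AUTH_SESSKEY with it to obtain
    the secret, then encrypt the clear-text password with the secret."""
    secret = keyed_xor(password_hash(username, password), auth_sesskey)
    return keyed_xor(secret, password.encode("latin-1"))


def logon(server: Server, username: str, password: str) -> bool:
    """Drive one complete exchange; True when the server accepts the password."""
    auth_sesskey = server.start_logon(username)                        # server -> client
    auth_password = client_respond(username, password, auth_sesskey)   # client -> server
    return server.finish_logon(username, auth_password)


if __name__ == "__main__":
    # Constructed account: user SYSTEM with password "system", as in the demo below.
    db = Server({"SYSTEM": password_hash("system", "system")})
    print(logon(db, "SYSTEM", "system"))   # True
    print(logon(db, "SYSTEM", "wrong"))    # False
```

Note that a wrong password never causes an error on the wire: the client simply derives the wrong secret, the server decrypts garbage and the hash comparison fails, which is why the client sees the same ORA-01017 in both failure cases shown further down. The simulation also shows why the stored hash must be protected: whoever holds it can decrypt AUTH_SESSKEY exactly as the client does.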

Do not enable Oracle network tracing unless it is necessary: the trace files capture significant data.

The following demo illustrates this. Change the sqlnet.ora file on the server side to enable tracing:

trace_file_server=srv.trc
trace_directory_server=/tmp
trace_level_server=support

Or add the following items on the client side:

trace_file_client=cli.trc
trace_directory_client=/tmp
trace_level_client=support

Connect to the database and submit one statement.
[oracle@chen tmp]$ sqlplus system@chen
SQL*Plus: Release 10.2.0.3.0 – Production on Fri Jan 11 20:10:20 2008
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Enter password: ******
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 – Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 – Production

system@CHEN>alter user system identified by system;
User altered.

Then check the trace file. It contains significant content, including the clear SQL statement text.

… …

[11-JAN-2008 20:10:23:529] nsprecv: 00 88 B6 FF BF 94 BC FF  |……..|
[11-JAN-2008 20:10:23:529] nsprecv: BF 06 73 79 73 74 65 6D  |..system|
[11-JAN-2008 20:10:23:529] nsprecv: 0D 00 00 00 0D 41 55 54  |…..AUT|
[11-JAN-2008 20:10:23:529] nsprecv: 48 5F 54 45 52 4D 49 4E  |H_TERMIN|
[11-JAN-2008 20:10:23:529] nsprecv: 41 4C 05 00 00 00 05 70  |AL…..p|
[11-JAN-2008 20:10:23:530] nsprecv: 74 73 2F 32 00 00 00 00  |ts/2….|
… …
[11-JAN-2008 20:10:23:545] nspsend: 00 00 08 01 00 0C 00 00  |……..|
[11-JAN-2008 20:10:23:545] nspsend: 00 0C 41 55 54 48 5F 53  |..AUTH_S|
[11-JAN-2008 20:10:23:545] nspsend: 45 53 53 4B 45 59 20 00  |ESSKEY..|
[11-JAN-2008 20:10:23:545] nspsend: 00 00 20 33 32 32 43 43  |…322CC|
[11-JAN-2008 20:10:23:546] nspsend: 38 34 31 30 33 43 36 33  |84103C63|
[11-JAN-2008 20:10:23:546] nspsend: 42 41 36 30 30 38 46 41  |BA6008FA|
[11-JAN-2008 20:10:23:546] nspsend: 33 44 39 36 37 42 45 46  |3D967BEF|
[11-JAN-2008 20:10:23:546] nspsend: 34 43 46 00 00 00 00 04  |4CF…..|
[11-JAN-2008 20:10:23:546] nspsend: 01 00 00 00 01 00 00 00  |……..|
… …
[11-JAN-2008 20:10:23:548] nsprecv: 00 8C E3 FF BF 7C F4 FF  |…..|..|
[11-JAN-2008 20:10:23:548] nsprecv: BF 06 73 79 73 74 65 6D  |..system|
[11-JAN-2008 20:10:23:549] nsprecv: 0D 00 00 00 0D 41 55 54  |…..AUT|
[11-JAN-2008 20:10:23:549] nsprecv: 48 5F 50 41 53 53 57 4F  |H_PASSWO|
[11-JAN-2008 20:10:23:549] nsprecv: 52 44 20 00 00 00 20 39  |RD…..9|
[11-JAN-2008 20:10:23:549] nsprecv: 41 43 42 46 37 34 33 38  |ACBF7438|
[11-JAN-2008 20:10:23:549] nsprecv: 43 38 41 39 41 42 36 30  |C8A9AB60|
[11-JAN-2008 20:10:23:549] nsprecv: 36 31 30 33 31 33 44 30  |610313D0|
[11-JAN-2008 20:10:23:549] nsprecv: 41 46 34 46 34 36 37 00  |AF4F467.|
[11-JAN-2008 20:10:23:549] nsprecv: 00 00 00 08 00 00 00 08  |……..|
… …
[11-JAN-2008 20:11:11:038] nsprecv: 24 ED 0A 08 00 00 00 00  |$…….|
[11-JAN-2008 20:11:11:038] nsprecv: 26 61 6C 74 65 72 20 75  |&alter.u|
[11-JAN-2008 20:11:11:038] nsprecv: 73 65 72 20 73 79 73 74  |ser.syst|
[11-JAN-2008 20:11:11:038] nsprecv: 65 6D 20 69 64 65 6E 74  |em.ident|
[11-JAN-2008 20:11:11:038] nsprecv: 69 66 69 65 64 20 62 79  |ified.by|
[11-JAN-2008 20:11:11:038] nsprecv: 20 73 79 73 74 65 6D 01  |.system.|
[11-JAN-2008 20:11:11:038] nsprecv: 00 00 00 01 00 00 00 00  |……..|
[11-JAN-2008 20:11:11:038] nsprecv: 00 00 00 00 00 00 00 00  |……..|

The AUTH_SESSKEY and AUTH_PASSWORD values can be used to crack the password. In Oracle 11g, the salt value is sent through AUTH_VFR_DATA.
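A defender's way to find out what a trace file like the one above exposes is to reassemble the hex dump and look for the logon attributes and for SQL text. The script below does that; it is an added example, not part of the original post. The `nsprecv`/`nspsend` line layout and the attribute encoding (a 4-byte little-endian length, the same length as one byte, then the bytes; key followed by value) are inferred from the dump shown above and are assumptions, not documented Oracle format. The sample input reproduces the trace excerpt from the post with the ASCII column simplified.

```python
import re

# One hex-dump line of an Oracle Net trace: "[timestamp] nsprecv: <8 bytes> |ascii|".
# Only the hex bytes are used; the ASCII column behind '|' is ignored.
DUMP_LINE = re.compile(r"\]\s+nsp(?P<dir>recv|send):\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s+)+)\|")

# Assumed attribute layout, as seen in the dump: <len 4-byte LE><len 1 byte><key>
# then the value encoded the same way, e.g. 0C 00 00 00 0C AUTH_SESSKEY 20 00 00 00 20 <value>.
AUTH_KEY = re.compile(rb"AUTH_[A-Z_]+")

# Keywords that mark a printable run as a SQL statement sent in the clear.
SQL_HINT = re.compile(r"\b(alter|create|drop|grant|select|insert|update|delete)\b", re.I)

CREDENTIAL_KEYS = {"AUTH_SESSKEY", "AUTH_PASSWORD"}


def reassemble(trace_text: str) -> dict:
    """Concatenate the dumped bytes of each direction, in file order."""
    streams = {"recv": bytearray(), "send": bytearray()}
    for line in trace_text.splitlines():
        m = DUMP_LINE.search(line)
        if m:
            streams[m.group("dir")] += bytes.fromhex(m.group("hex").strip())
    return {d: bytes(b) for d, b in streams.items()}


def auth_fields(stream: bytes) -> list:
    """Extract (key, value) pairs for every length-prefixed AUTH_* attribute."""
    pairs = []
    for m in AUTH_KEY.finditer(stream):
        pos = m.end()
        if pos + 5 > len(stream):
            continue
        vlen = int.from_bytes(stream[pos:pos + 4], "little")
        if stream[pos + 4] != vlen:          # the two length fields must agree
            continue
        value = stream[pos + 5:pos + 5 + vlen]
        pairs.append((m.group(0).decode("ascii"), value.decode("latin-1")))
    return pairs


def plaintext_sql(stream: bytes) -> list:
    """Return printable runs that contain SQL keywords."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{12,}", stream):
        text = m.group(0).decode("ascii")
        if SQL_HINT.search(text):
            hits.append(re.sub(r"^[^A-Za-z]+", "", text))   # drop the length-prefix byte
    return hits


def audit_trace(trace_text: str) -> dict:
    """Summarise what a trace exposes: AUTH_* attributes, SQL text, and whether
    logon material (AUTH_SESSKEY / AUTH_PASSWORD) is present at all."""
    fields, sql = {}, []
    for stream in reassemble(trace_text).values():
        fields.update(auth_fields(stream))
        sql.extend(plaintext_sql(stream))
    return {"auth_fields": fields, "sql": sql,
            "leaks_credentials": bool(CREDENTIAL_KEYS.intersection(fields))}


# Excerpt of the trace shown above (elided parts marked "...").
SAMPLE_TRACE = """\
[11-JAN-2008 20:10:23:529] nsprecv: 00 88 B6 FF BF 94 BC FF  |........|
[11-JAN-2008 20:10:23:529] nsprecv: BF 06 73 79 73 74 65 6D  |..system|
[11-JAN-2008 20:10:23:529] nsprecv: 0D 00 00 00 0D 41 55 54  |.....AUT|
[11-JAN-2008 20:10:23:529] nsprecv: 48 5F 54 45 52 4D 49 4E  |H_TERMIN|
[11-JAN-2008 20:10:23:529] nsprecv: 41 4C 05 00 00 00 05 70  |AL.....p|
[11-JAN-2008 20:10:23:530] nsprecv: 74 73 2F 32 00 00 00 00  |ts/2....|
...
[11-JAN-2008 20:10:23:545] nspsend: 00 00 08 01 00 0C 00 00  |........|
[11-JAN-2008 20:10:23:545] nspsend: 00 0C 41 55 54 48 5F 53  |..AUTH_S|
[11-JAN-2008 20:10:23:545] nspsend: 45 53 53 4B 45 59 20 00  |ESSKEY..|
[11-JAN-2008 20:10:23:545] nspsend: 00 00 20 33 32 32 43 43  |...322CC|
[11-JAN-2008 20:10:23:546] nspsend: 38 34 31 30 33 43 36 33  |84103C63|
[11-JAN-2008 20:10:23:546] nspsend: 42 41 36 30 30 38 46 41  |BA6008FA|
[11-JAN-2008 20:10:23:546] nspsend: 33 44 39 36 37 42 45 46  |3D967BEF|
[11-JAN-2008 20:10:23:546] nspsend: 34 43 46 00 00 00 00 04  |4CF.....|
...
[11-JAN-2008 20:10:23:548] nsprecv: 00 8C E3 FF BF 7C F4 FF  |.....|..|
[11-JAN-2008 20:10:23:548] nsprecv: BF 06 73 79 73 74 65 6D  |..system|
[11-JAN-2008 20:10:23:549] nsprecv: 0D 00 00 00 0D 41 55 54  |.....AUT|
[11-JAN-2008 20:10:23:549] nsprecv: 48 5F 50 41 53 53 57 4F  |H_PASSWO|
[11-JAN-2008 20:10:23:549] nsprecv: 52 44 20 00 00 00 20 39  |RD.....9|
[11-JAN-2008 20:10:23:549] nsprecv: 41 43 42 46 37 34 33 38  |ACBF7438|
[11-JAN-2008 20:10:23:549] nsprecv: 43 38 41 39 41 42 36 30  |C8A9AB60|
[11-JAN-2008 20:10:23:549] nsprecv: 36 31 30 33 31 33 44 30  |610313D0|
[11-JAN-2008 20:10:23:549] nsprecv: 41 46 34 46 34 36 37 00  |AF4F467.|
...
[11-JAN-2008 20:11:11:038] nsprecv: 26 61 6C 74 65 72 20 75  |&alter.u|
[11-JAN-2008 20:11:11:038] nsprecv: 73 65 72 20 73 79 73 74  |ser.syst|
[11-JAN-2008 20:11:11:038] nsprecv: 65 6D 20 69 64 65 6E 74  |em.ident|
[11-JAN-2008 20:11:11:038] nsprecv: 69 66 69 65 64 20 62 79  |ified.by|
[11-JAN-2008 20:11:11:038] nsprecv: 20 73 79 73 74 65 6D 01  |.system.|
"""

if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE))
```

Run against a server-side trace directory (here /tmp, as configured above), a `leaks_credentials` result of True is the signal that the trace level must be reset and the files deleted, since anyone who can read them holds the same material as a network sniffer. Note that `reassemble` simply concatenates the dumped lines, so on a real trace the recv and send streams are whole and the elided gaps in the sample do not exist.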

When users connect to the database, the same error message is displayed whether the account does not exist or the password is incorrect. But the trace file can be checked to determine whether the account exists or the password was correct.

Incorrect password:
[oracle@chen tmp]$ sqlplus test@chen
SQL*Plus: Release 10.2.0.3.0 – Production on Sat Jan 12 15:04:55 2008
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Enter password: *****
ERROR:
ORA-01017: invalid username/password; logon denied

Account does not exist:
[oracle@chen tmp]$ sqlplus dummy@chen
SQL*Plus: Release 10.2.0.3.0 – Production on Sat Jan 12 15:08:07 2008
Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
Enter password: *****
ERROR:
ORA-01017: invalid username/password; logon denied

The LISTENER should be protected by a password and other admin restrictions that limit user access. If the LISTENER is not protected, users can obtain listener information remotely and stop it.

[oracle@cheney sql]$ lsnrctl status 192.168.1.119
LSNRCTL for Linux: Version 9.2.0.4.0 – Production on 19-FEB-2008 21:14:45
Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
Connecting to (DESCRIPTION=(CONNECT_DATA=(SID=*)(SERVICE_NAME=192.168.1.119))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.119)(PORT=1521)))
STATUS of the LISTENER
————————
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 9.2.0.4.0 – Production
Start Date                13-FEB-2008 05:48:49
Uptime                    0 days 0 hr. 0 min. 25 sec
Trace Level               admin
Security                  OFF
SNMP                      OFF
Listener Parameter File   /opt/app/oracle/product/9.2.0/network/admin/listener.ora
Listener Log File         /opt/app/oracle/product/9.2.0/network/log/listener.log
Listener Trace File       /opt/app/oracle/product/9.2.0/network/trace/listener.trc
Listening Endpoints Summary…
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1522)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1526)))
Services Summary…
Service “chen” has 1 instance(s).
  Instance “chen”, status UNKNOWN, has 1 handler(s) for this service…
Service “stby” has 1 instance(s).
  Instance “stby”, status UNKNOWN, has 1 handler(s) for this service…
Service “test” has 1 instance(s).
  Instance “test”, status UNKNOWN, has 1 handler(s) for this service…
The command completed successfully
[oracle@cheney sql]$
[oracle@cheney sql]$
[oracle@cheney sql]$ lsnrctl stop 192.168.1.119
LSNRCTL for Linux: Version 9.2.0.4.0 – Production on 19-FEB-2008 21:16:39
Copyright (c) 1991, 2002, Oracle Corporation.  All rights reserved.
Connecting to (DESCRIPTION=(CONNECT_DATA=(SID=*)(SERVICE_NAME=192.168.1.119))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.119)(PORT=1521)))

The command completed successfully
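Two checks a DBA can script for the settings this post warns about: the sqlnet.ora trace level (enabled above for the demo) and an unprotected listener, which the `lsnrctl status` output above reports as `Security OFF` together with a non-off trace level. This is an added example, not from the original post; the function names are invented, and the sample inputs are the post's own sqlnet.ora lines and status lines plus a constructed corrected sqlnet.ora.

```python
import re


def trace_findings(sqlnet_ora: str) -> list:
    """List trace_level_server/trace_level_client settings that leave Oracle Net
    tracing on (any value other than off or 0 produces trace files)."""
    findings = []
    for line in sqlnet_ora.splitlines():
        m = re.match(r"\s*(trace_level_(?:server|client))\s*=\s*(\S+)", line, re.I)
        if m and m.group(2).lower() not in ("off", "0"):
            findings.append(f"{m.group(1).lower()}={m.group(2).lower()}")
    return findings


def parse_lsnrctl_status(status_output: str) -> dict:
    """Turn the 'Name<spaces>Value' lines of lsnrctl status into a dict
    (e.g. {'Security': 'OFF', 'Trace Level': 'admin'})."""
    settings = {}
    for line in status_output.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def listener_findings(status_output: str) -> list:
    """Flag an unprotected listener (Security OFF, i.e. no listener password)
    and a listener trace level other than off."""
    settings = parse_lsnrctl_status(status_output)
    findings = []
    if settings.get("Security", "").upper() == "OFF":
        findings.append("listener has no password (Security OFF)")
    level = settings.get("Trace Level", "off")
    if level.lower() != "off":
        findings.append(f"listener tracing enabled (Trace Level {level})")
    return findings


# sqlnet.ora as configured above for the demo, and a corrected version (constructed)
SQLNET_TRACE_ON = """\
trace_file_server=srv.trc
trace_directory_server=/tmp
trace_level_server=support
"""
SQLNET_TRACE_OFF = "trace_level_server=off\n"

# lines taken from the lsnrctl status output above
LSNRCTL_STATUS = """\
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 9.2.0.4.0 - Production
Trace Level               admin
Security                  OFF
SNMP                      OFF
"""

if __name__ == "__main__":
    print(trace_findings(SQLNET_TRACE_ON))      # ['trace_level_server=support']
    print(trace_findings(SQLNET_TRACE_OFF))     # []
    print(listener_findings(LSNRCTL_STATUS))    # two findings
```

On a 9i listener the remediation for `Security OFF` is to set a password with `lsnrctl change_password` followed by `save_config`, and to add `ADMIN_RESTRICTIONS_LISTENER = ON` to listener.ora so that runtime changes through lsnrctl are refused; both are standard listener settings rather than something the post spells out.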


1 Comment »

  1. Your blog is excellent. Basically we are also looking for a sniffer to monitor sql-net packages from-to client-host. Is there any sniffer (open source or commercial) on the market?

    thx,
    khair

    Comment by Kostas Hairopoulos — February 18, 2009 @ 6:01 pm

