Nmap Development mailing list archives
Re: [NSE] Changes/Improvements to Oracle TNS library
From: Matt Selsky <selsky () columbia edu>
Date: Sun, 28 Aug 2011 21:10:57 -0400
On Aug 27, 2011, at 4:14 AM, Patrik Karlsson wrote:
> On Aug 26, 2011, at 5:51 PM, Chris Woodbury wrote:
>
>> Patrik-
>>
>> I was testing your improvements (which are fantastic, by the way) against several different versions and platforms, and I ran into a few issues. Specifically, I was unable to authenticate on Oracle XE 11g instances on Windows (11.2.0.2.0 x86) and Linux (11.2.0.2.0 x64).
>>
>> After some digging, I found a small problem in how PreAuth responses were parsed. Specifically, the encoding for key-value pairs is a bit more complex than the parsing function is looking for. For each of the strings (the key, and the value), they begin with a 32-bit length, and then a series of one or more chunks, each of which begins with the 8-bit chunk length. If there are multiple chunks, this is indicated by a 0xFE byte after the 32-bit length and a null byte after the last chunk.
>>
>> I updated the parsing function to properly handle multi-chunk strings, and, since they're used by both PreAuth and Auth messages, I factored the parser out into a separate class that both message types use. While I was at it, I also updated the logic to write KVPs to binary strings. The 11g servers I was testing against send the AUTH_SESSKEY as a 96-byte string (see example below), and TNS seems to chunk strings that are longer than 64 bytes, so the library couldn't complete authentication. With the patch, I'm able to authenticate to both 11g servers.
>>
>> Multi-chunk string example:
>>
>> 0000 08 03 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53 ........AUTH_SES
>> 0010 53 4b 45 59 60 00 00 00 fe 40 35 45 36 30 33 35 SKEY`....@5E6035
>> 0020 33 32 33 44 35 38 32 33 43 34 43 32 41 30 30 35 323D5823C4C2A005
>> 0030 39 44 38 30 31 37 30 34 41 34 32 38 34 42 39 38 9D801704A4284B98
>> 0040 46 41 30 46 35 37 36 39 38 45 46 31 30 37 33 34 FA0F57698EF10734
>> 0050 36 43 33 37 32 31 30 42 33 32 20 34 44 35 35 39 6C37210B32 4D559
>> 0060 38 37 30 46 32 44 34 44 34 37 36 36 33 38 32 43 870F2D4D4766382C
>> 0070 42 44 38 43 46 38 45 37 39 42 30 00 00 00 00 00 BD8CF8E79B0.....
>>
>> After "AUTH_SESSKEY", 0x60000000 is the little-endian total length of the string; 0xFE is the multi-chunk indicator; 0x40 is the length of the first chunk; then the 40 bytes of the chunk itself; 0x20 is the length of the next chunk; the 20 bytes of that chunk are next; multi-chunk strings seem to be terminated by a 0x00; lastly, there are the 32-bit flags, 0x00000000.
>>
>> Let me know what you think, and feel free to make any changes you see fit. Great work on the improvements. I'm looking forward to testing out everything else.
>>
>> -chris
>
> Thanks for the patch! I've applied it as r26234. I tested it against the whole list of servers in the supported matrix and all worked great. In addition I added two more entries:
>
> -- +--------+---------------+---------+-------+-------------------------------+
> -- | OS     | DB Version    | Edition | Arch  | Functionality                 |
> -- +--------+---------------+---------+-------+-------------------------------|
> -- | Win    | 10.2.0.1.0    | XE      | 32bit | Authentication, Queries       |
> -- | Win    | 11.2.0.2.0    | XE      | 32bit | Authentication, Queries       |
>
> I didn't have a chance to test it against the Linux equivalent or 64bit versions. If anyone does, please let me know the results so I can add them to the matrix.
I'm seeing this against an Oracle 11gR2 instance on RHEL5 64-bit.

$ ./nmap -sV -p 1521 --script=oracle-brute,oracle-enum-users,oracle-sid-brute,oracle-query --script-args="creds.oracle='user:password',tns.sid=sidname" oracle-host

Starting Nmap 5.59BETA3 ( http://nmap.org ) at 2011-08-28 20:32 EDT
Nmap scan report for oracle-host (10.1.1.1)
Host is up (0.0039s latency).
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS Listener
| oracle-query:
|_  ERROR: No query was supplied (see oracle-query.query)
|_oracle-enum-users: ORA-03146: Invalid buffer length for TTC field
| oracle-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 21365 guesses in 600 seconds, average tps: 36

The nsedoc for oracle-query says that "query" is optional and has a default value. The code doesn't implement that.

I tried specifying the query:

| oracle-query:
|_  ERROR: Querying version x86_64/Linux 2.4.xx is not yet supported

The server is running a 64-bit Linux 2.6 kernel.

Any idea what's causing the ORA-03146 error in oracle-enum-users?

Cheers,
-- 
Matt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
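The chunked KVP string encoding Chris describes in the quoted message, as an added Python example that is not part of the thread and is not Nmap's own tns.lua code: a parser and an encoder for the format (u32 little-endian total length; either one chunk with a u8 length, or 0xFE followed by u8-length chunks and a 0x00 terminator; then u32 flags), round-tripped against the AUTH_SESSKEY dump from the mail. The 96-byte value is split there as 0x40 (64) + 0x20 (32) bytes. The capture bytes are copied from the dump; the leading 08 03 00 precede the key and are not described in the mail, so parsing starts at offset 3. Two points are assumptions, not something the mail states: the encoder chunks at 64 bytes because that is the split seen in the one capture, and a zero-length string is treated as carrying no chunk byte.

```python
import struct

MULTI_CHUNK_MARKER = 0xFE  # follows the u32 length when the string is split into chunks
MAX_CHUNK = 0x40           # assumed chunk size, generalised from the 0x40 + 0x20 split in the capture


def read_string(buf: bytes, pos: int):
    """Parse one TNS KVP string at buf[pos:]. Returns (data, next_pos).

    Every length check raises ValueError rather than silently reading short,
    which is the failure mode the original single-chunk parser had.
    """
    if pos + 4 > len(buf):
        raise ValueError("truncated: no room for u32 string length")
    (total,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if total == 0:
        return b"", pos  # assumption: an empty string carries no chunk byte at all
    if pos >= len(buf):
        raise ValueError("truncated: missing chunk length")
    multi = buf[pos] == MULTI_CHUNK_MARKER
    if multi:
        pos += 1
    chunks = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated: missing chunk length")
        clen = buf[pos]
        pos += 1
        if multi and clen == 0:
            break  # the null byte after the last chunk ends a multi-chunk string
        if clen == 0:
            raise ValueError("zero-length chunk in a single-chunk string")
        chunk = buf[pos:pos + clen]
        if len(chunk) != clen:
            raise ValueError("truncated: chunk shorter than its length byte")
        chunks.append(chunk)
        pos += clen
        if not multi:
            break
    data = b"".join(chunks)
    if len(data) != total:
        raise ValueError(f"length mismatch: header says {total}, chunks total {len(data)}")
    return data, pos


def read_kvp(buf: bytes, pos: int):
    """Parse key string, value string and u32 flags. Returns (key, value, flags, next_pos)."""
    key, pos = read_string(buf, pos)
    value, pos = read_string(buf, pos)
    if pos + 4 > len(buf):
        raise ValueError("truncated: missing u32 flags")
    (flags,) = struct.unpack_from("<I", buf, pos)
    return key, value, flags, pos + 4


def write_string(data: bytes) -> bytes:
    """Inverse of read_string; strings longer than MAX_CHUNK are emitted as 0xFE-prefixed chunks."""
    out = struct.pack("<I", len(data))
    if not data:
        return out
    if len(data) <= MAX_CHUNK:
        return out + bytes([len(data)]) + data
    out += bytes([MULTI_CHUNK_MARKER])
    for i in range(0, len(data), MAX_CHUNK):
        chunk = data[i:i + MAX_CHUNK]
        out += bytes([len(chunk)]) + chunk
    return out + b"\x00"


def write_kvp(key: bytes, value: bytes, flags: int = 0) -> bytes:
    return write_string(key) + write_string(value) + struct.pack("<I", flags)


# Constructed from the hex dump in the mail (offset and ASCII columns dropped).
CAPTURE = bytes.fromhex(
    "08 03 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53 "
    "53 4b 45 59 60 00 00 00 fe 40 35 45 36 30 33 35 "
    "33 32 33 44 35 38 32 33 43 34 43 32 41 30 30 35 "
    "39 44 38 30 31 37 30 34 41 34 32 38 34 42 39 38 "
    "46 41 30 46 35 37 36 39 38 45 46 31 30 37 33 34 "
    "36 43 33 37 32 31 30 42 33 32 20 34 44 35 35 39 "
    "38 37 30 46 32 44 34 44 34 37 36 36 33 38 32 43 "
    "42 44 38 43 46 38 45 37 39 42 30 00 00 00 00 00 "
)
KVP_OFFSET = 3  # the leading 08 03 00 precede the key and are not described in the mail


def demo():
    """Parse the captured AUTH_SESSKEY pair and check the encoder reproduces the wire bytes."""
    key, value, flags, end = read_kvp(CAPTURE, KVP_OFFSET)
    return {
        "key": key,
        "value": value,
        "flags": flags,
        "end": end,
        "roundtrip": write_kvp(key, value, flags) == CAPTURE[KVP_OFFSET:],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Feeding the parser a capture cut off mid-chunk raises ValueError instead of returning a short session key, which is the check worth keeping in any re-implementation: a value whose chunks do not add up to the u32 total is a parse error, not a shorter string.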
Current thread:
- [NSE] Changes/Improvements to Oracle TNS library Patrik Karlsson (Aug 21)
- Re: [NSE] Changes/Improvements to Oracle TNS library Chris Woodbury (Aug 26)
- Re: [NSE] Changes/Improvements to Oracle TNS library Chris Woodbury (Aug 26)
- Re: [NSE] Changes/Improvements to Oracle TNS library Patrik Karlsson (Aug 27)
- Re: [NSE] Changes/Improvements to Oracle TNS library Patrik Karlsson (Aug 27)
- Re: [NSE] Changes/Improvements to Oracle TNS library Patrik Karlsson (Sep 05)
- Re: [NSE] Changes/Improvements to Oracle TNS library Patrik Karlsson (Aug 27)
- Re: [NSE] Changes/Improvements to Oracle TNS library Matt Selsky (Aug 28)
- Re: [NSE] Changes/Improvements to Oracle TNS library Chris Woodbury (Aug 26)
- Re: [NSE] Changes/Improvements to Oracle TNS library Chris Woodbury (Aug 26)