
Capturing Oracle passwords on the wire: packet-capture analysis of the Oracle TNS protocol

Published: 2024/10/8

TNS can be carried over TCP/IP, TCP/IP with SSL, named pipes, and IPC. Of these, plain TCP/IP transport sends data in cleartext.

Only TNS data carried over TCP/IP is analyzed here.

Introduction

TNS (Transparent Network Substrate) is the protocol clients use to connect to an Oracle database. It can communicate over several other protocols, such as TCP/IP, IPX/SPX, IPC, and Named Pipes.

Structure

A TNS packet consists of a header and a payload.

0      8       16            31
+--------------+--------------+
| Packet Length| Packet Chksm |
+------+-------+--------------+  8 byte header
| Type | Rsrvd | Header Chksm |
+------+-------+--------------+
|        P A Y L O A D        |
+-----------------------------+

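Field descriptions:

Packet Length: packet length
Packet Chksm: packet checksum
Header Chksm: header checksum
Type: packet type
Rsrvd: unused

As shown in the diagram above, Packet Chksm and Header Chksm usually do not change and have the value 0.

The Type field gives the packet type. The type values and their meanings are listed below: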

Type   Description
1      Connect
2      Accept
3      ACK
4      Refuse
5      Redirect
6      Data
7      NULL
8      ----
9      ABORT
10     ----
11     Resend
12     Marker
13     Attention
14     Control

Payload

Connect

A Connect packet looks like this:

Transparent Network Substrate Protocol

Packet Length: 254

Packet Checksum: 0x0000

Packet Type: Connect (1)

Reserved Byte: 00

Header Checksum: 0x0000

Connect

Version: 313

Version (Compatible): 300

Service Options: 0x0000

Session Data Unit Size: 2048

Maximum Transmission Data Unit Size: 32767

NT Protocol Characteristics: 0xc60e

Line Turnaround Value: 0

Value of 1 in Hardware: 0100

Length of Connect Data: 196

Offset to Connect Data: 58

Maximum Receivable Connect Data: 512

Connect Flags 0: 0x61

Connect Flags 1: 0x61

Trace Cross Facility Item 1: 0x00000000

Trace Cross Facility Item 2: 0x00000000

Trace Unique Connection ID: 0x0000000000000000

Connect Data: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=

C:\oracle\product\10.2.0\client_1\bin\sqlplus.exe)

(HOST=WINXPSP2)(USER=vmware)))(ADDRESS=(PROTOCOL=TCP)

(HOST=192.168.1.102)(PORT=1521)))

0.018134 192.168.1.108 192.168.1.102 TNS Request, Connect (1), Connect

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 01 26 05 0b 40 00 80 06 70 a4 c0 a8 01 6c c0 a8 .&..@...p....l..

0020 01 66 04 66 05 f1 ac 94 a7 3e 66 d2 7e ee 50 18 .f.f.....>f.~.P.

0030 ff ff 15 91 00 00 00 fe 00 00 01 00 00 00 01 39 ...............9

0040 01 2c 00 00 08 00 7f ff c6 0e 00 00 01 00 00 c4 .,..............

0050 00 3a 00 00 02 00 61 61 00 00 00 00 00 00 00 00 .:....aa........

0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0070 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 43 4f (DESCRIPTION=(CO

0080 4e 4e 45 43 54 5f 44 41 54 41 3d 28 53 45 52 56 NNECT_DATA=(SERV

0090 49 43 45 5f 4e 41 4d 45 3d 4f 52 43 4c 29 28 43 ICE_NAME=ORCL)(C

00a0 49 44 3d 28 50 52 4f 47 52 41 4d 3d 43 3a 5c 6f ID=(PROGRAM=C:\o

00b0 72 61 63 6c 65 5c 70 72 6f 64 75 63 74 5c 31 30 racle\product\10

00c0 2e 32 2e 30 5c 63 6c 69 65 6e 74 5f 31 5c 62 69 .2.0\client_1\bi

00d0 6e 5c 73 71 6c 70 6c 75 73 2e 65 78 65 29 28 48 n\sqlplus.exe)(H

00e0 4f 53 54 3d 57 49 4e 58 50 53 50 32 29 28 55 53 OST=WINXPSP2)(US

00f0 45 52 3d 76 6d 77 61 72 65 29 29 29 28 41 44 44 ER=vmware)))(ADD

0100 52 45 53 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 RESS=(PROTOCOL=T

0110 43 50 29 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 CP)(HOST=192.168

0120 2e 31 2e 31 30 32 29 28 50 4f 52 54 3d 31 35 32 .1.102)(PORT=152

0130 31 29 29 29 1)))
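The header and Connect layout described above can be checked against the captured bytes. The following added example (not code from the original post) parses the TNS layer of the Connect frame shown above, starting at capture offset 0x36, and lists what the cleartext connect descriptor reveals to anyone who can see the traffic; the function names are illustrative.

```python
import re
import struct

# TNS layer of the Connect frame above (capture offset 0x36 onward).
CONNECT_PACKET = bytes.fromhex(
    "00fe000001000000"                          # 8-byte TNS header
    "0139012c000008007fffc60e0000010000c4003a"  # version .. offset to connect data
    "000002006161"                              # max receivable data, flags 0/1
    + "00" * 24                                 # trace items / connection id
) + (
    rb"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM="
    rb"C:\oracle\product\10.2.0\client_1\bin\sqlplus.exe)"
    rb"(HOST=WINXPSP2)(USER=vmware)))(ADDRESS=(PROTOCOL=TCP)"
    rb"(HOST=192.168.1.102)(PORT=1521)))"
)

def parse_header(buf):
    """Decode the 8-byte TNS header; reject lengths the buffer cannot hold."""
    if len(buf) < 8:
        raise ValueError("short TNS header")
    length, pkt_ck, ptype, rsvd, hdr_ck = struct.unpack_from(">HHBBH", buf)
    if not 8 <= length <= len(buf):
        raise ValueError("Packet Length outside captured data")
    return {"length": length, "packet_checksum": pkt_ck, "type": ptype,
            "reserved": rsvd, "header_checksum": hdr_ck}

def parse_connect(buf):
    """Decode a Connect (type 1) packet and return its fields and connect data."""
    hdr = parse_header(buf)
    if hdr["type"] != 1 or hdr["length"] < 34:
        raise ValueError("not a complete Connect packet")
    (version, compat, _opts, sdu, tdu, _nt, _turn, _one,
     cd_len, cd_off, _max_cd, _f0, _f1) = struct.unpack_from(">10HI2B", buf, 8)
    if cd_off < 34 or cd_off + cd_len > hdr["length"]:
        raise ValueError("connect data lies outside the packet")
    data = buf[cd_off:cd_off + cd_len].decode("ascii", "replace")
    return {"version": version, "compatible": compat, "sdu": sdu, "tdu": tdu,
            "connect_data": data}

def descriptor_values(connect_data, key):
    """Return every value of (KEY=value) in a connect descriptor, in order."""
    return re.findall(r"\(%s=([^()]*)\)" % re.escape(key), connect_data)

def cleartext_exposure(buf):
    """List what a passive observer learns from one unencrypted Connect packet."""
    data = parse_connect(buf)["connect_data"]
    return {k: descriptor_values(data, k)
            for k in ("SERVICE_NAME", "PROGRAM", "HOST", "USER")}
```

The decoded values match the Wireshark dissection above (version 313, SDU 2048, connect data at offset 58 with length 196), and the service name, client program path, client host and OS user are all readable without any decryption.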

Accept

An Accept packet looks like this:

Transparent Network Substrate Protocol

Packet Length: 32

Packet Checksum: 0x0000

Packet Type: Accept (2)

Reserved Byte: 04

Header Checksum: 0x0000

Accept

Version: 312

Service Options: 0x0000

Session Data Unit Size: 2048

Maximum Transmission Data Unit Size: 32767

Value of 1 in Hardware: 0100

Accept Data Length: 0

Offset to Accept Data: 32

Connect Flags 0: 0x61

Connect Flags 1: 0x61

00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

00 48 7c cf 40 00 80 06 f9 bd c0 a8 01 66 c0 a8 .H|.@........f..

01 6c 11 d9 04 67 b6 88 7a 22 0e a7 cb 81 50 18 .l...g..z"....P.

ff 01 1d 97 00 00 00 20 00 00 02 04 00 00 01 38 ....... .......8

00 00 08 00 7f ff 01 00 00 00 00 20 61 61 00 00 ........... aa..

00 00 00 00 00 00 ......

Refuse

A Refuse packet looks like this:

0.047753 192.168.1.102 192.168.1.108 TNS Response, Refuse (4), Refuse

00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

00 8f 53 e2 40 00 80 06 22 64 c0 a8 01 66 c0 a8 ..S.@..."d...f..

01 6c 05 f1 04 0d e8 a0 2d 2b 67 0d 99 85 50 18 .l......-+g...P.

fe ff 59 03 00 00 00 67 00 00 04 00 00 00 22 00 ..Y....g......".

00 5b 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 .[(DESCRIPTION=(

54 4d 50 3d 29 28 56 53 4e 4e 55 4d 3d 31 35 33 TMP=)(VSNNUM=153

30 39 32 33 35 32 29 28 45 52 52 3d 31 32 35 31 092352)(ERR=1251

34 29 28 45 52 52 4f 52 5f 53 54 41 43 4b 3d 28 4)(ERROR_STACK=(

45 52 52 4f 52 3d 28 43 4f 44 45 3d 31 32 35 31 ERROR=(CODE=1251

34 29 28 45 4d 46 49 3d 34 29 29 29 29 4)(EMFI=4))))

A Refuse packet is produced when the following error occurs:

TNS-12514 - TNS:listener could not resolve SERVICE_NAME given in connect descriptor, caused by invalid SID string provided in the connect string.

Data Packet

A DATA packet is type 6. It contains a 2-byte flags field, a 1-byte packet ID, an optional TTI ID, and the data itself.

0          16   24    31
+-----------+----+-----+
| Data Flag | ID | TTI |
+----------------------+
|       D A T A        |
+----------------------+

Field descriptions:

Data Flag: data flags
ID: packet ID
TTI: TTI (Two-Task Interface) ID
DATA: payload data

Data Flag is usually 0x0000; when all data has been sent, it indicates end of file with the value 0x0040.

The valid data packet IDs are listed below:

ID:0x01

Description: protocol negotiation. The following identifiers are the acceptable protocol versions:

0x06 0x05 0x04 0x03 0x02 0x01 0x00

The client platform string looks like: IBMPC/WIN_NT-8.1.0

Example:

0.277372 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=786 Ack=425 Win=65111 Len=37

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 4d 05 14 40 00 80 06 71 74 c0 a8 01 6c c0 a8 .M..@...qt...l..

0020 01 66 04 67 11 d9 0e a7 cd 94 b6 88 7b ca 50 18 .f.g........{.P.

0030 fe 57 a0 d0 00 00 00 25 00 00 06 04 00 00 00 00 .W.....%........

0040 01 06 05 04 03 02 01 00 49 42 4d 50 43 2f 57 49 ........IBMPC/WI

0050 4e 5f 4e 54 2d 38 2e 31 2e 30 00 N_NT-8.1.0.

ID:0x02

Description: data type exchange

Example:

0.437308 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=823 Ack=589 Win=64947 Len=67

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 6b 05 15 40 00 80 06 71 55 c0 a8 01 6c c0 a8 .k..@...qU...l..

0020 01 66 04 67 11 d9 0e a7 cd b9 b6 88 7c 6e 50 18 .f.g........|nP.

0030 fd b3 81 e2 00 00 00 43 00 00 06 04 00 00 00 00 .......C........

0040 02 b2 00 b2 00 52 21 06 01 01 01 0d 01 01 04 01 .....R!.........

0050 01 01 01 01 01 01 ff ff 03 08 03 00 01 00 3f 01 ..............?.

0060 07 3f 01 01 01 01 03 01 05 02 01 00 00 18 80 00 .?..............

0070 00 00 3c 3c 3c 80 00 00 00 ..<<<....

ID:0x03

Description: TTI (Two-Task Interface) function, which describes the packet that follows. Below is a list of TTI IDs:

0x02 Open

0x03 Query

0x04 Execute

0x05 Fetch

0x08 Close

0x09 Disconnect/logoff

0x0C AutoCommit ON

0x0D AutoCommit OFF

0x0E Commit

0x0F Rollback

0x14 Cancel

0x2B Describe

0x30 Startup

0x31 Shutdown

0x3B Version

0x43 K2 Transactions

0x47 Query

0x4A OSQL7

0x5C OKOD

0x5E Query

0x60 LOB Operations

0x62 ODNY

0x67 Transaction - end

0x68 Transaction - begin

0x69 OCCA

0x6D Startup

0x51 Logon (present password)

0x52 Logon (present username)

0x73 Logon (present password - send AUTH_PASSWORD)

0x76 Logon (present username - request AUTH_SESSKEY)

0x77 Describe

0x7F OOTCM

0x8B OKPFC

Example:

0.475183 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=890 Ack=611 Win=64925 Len=224

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 01 08 05 16 40 00 80 06 70 b7 c0 a8 01 6c c0 a8 ....@...p....l..

0020 01 66 04 67 11 d9 0e a7 cd fc b6 88 7c 84 50 18 .f.g........|.P.

0030 fd 9d 8a 2d 00 00 00 e0 00 00 06 04 00 00 00 00 ...-............

0040 03 76 02 6c c8 d5 00 06 00 00 00 01 00 00 00 38 .v.l...........8

0050 c3 12 00 05 00 00 00 e0 bf 12 00 08 c5 12 00 06 ................

0060 53 59 53 54 45 4d 0d 00 00 00 0d 41 55 54 48 5f SYSTEM.....AUTH_

0070 54 45 52 4d 49 4e 41 4c 08 00 00 00 08 57 49 4e TERMINAL.....WIN

0080 58 50 53 50 32 00 00 00 00 0f 00 00 00 0f 41 55 XPSP2.........AU

0090 54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 0b 00 00 TH_PROGRAM_NM...

00a0 00 0b 73 71 6c 70 6c 75 73 2e 65 78 65 00 00 00 ..sqlplus.exe...

00b0 00 0c 00 00 00 0c 41 55 54 48 5f 4d 41 43 48 49 ......AUTH_MACHI

00c0 4e 45 12 00 00 00 12 57 4f 52 4b 47 52 4f 55 50 NE.....WORKGROUP

00d0 5c 57 49 4e 58 50 53 50 32 00 00 00 00 08 00 00 \WINXPSP2.......

00e0 00 08 41 55 54 48 5f 50 49 44 07 00 00 00 07 36 ..AUTH_PID.....6

00f0 36 38 3a 39 33 32 00 00 00 00 08 00 00 00 08 41 68:932.........A

0100 55 54 48 5f 53 49 44 06 00 00 00 06 76 6d 77 61 UTH_SID.....vmwa

0110 72 65 00 00 00 00 re....

ID:0x08

Description: "OK", the server's response to the client

Example:

0.568852 192.168.1.102 192.168.1.108 TCP iax > kwdb-commn

[PSH, ACK] Seq=611 Ack=1114 Win=64422 Len=165

0000 00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

0010 00 cd 7c d5 40 00 80 06 f9 32 c0 a8 01 66 c0 a8 ..|.@....2...f..

0020 01 6c 11 d9 04 67 b6 88 7c 84 0e a7 ce dc 50 18 .l...g..|.....P.

0030 fb a6 21 cf 00 00 00 a5 00 00 06 04 00 00 00 00 ..!.............

0040 08 01 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53 ........AUTH_SES

0050 53 4b 45 59 20 00 00 00 20 32 33 42 37 31 36 30 SKEY ... 23B7160

0060 34 42 42 42 38 44 39 43 37 31 32 44 43 35 35 44 4BBB8D9C712DC55D

0070 34 30 38 36 43 32 32 42 32 00 00 00 00 04 01 00 4086C22B2.......

0080 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00a0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................

00b0 00 00 00 36 01 00 00 00 00 00 00 0c 41 21 00 00 ...6........A!..

00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00d0 00 00 00 00 00 00 00 00 00 00 00 ...........

ID:0x11

Description: TTI (Two-Task Interface) function extension. Some of the additional flags are listed below:

0x6b Switch or detach session

0x78 Close

0x87 OSCID

0x9A OKEYVAL

Example:

0.972469 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=2104 Ack=1162 Win=64374 Len=44

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 54 05 19 40 00 80 06 71 68 c0 a8 01 6c c0 a8 .T..@...qh...l..

0020 01 66 04 67 11 d9 0e a7 d2 ba b6 88 7e ab 50 18 .f.g........~.P.

0030 fb 76 0e be 00 00 00 2c 00 00 06 04 00 00 00 00 .v.....,........

0040 11 6b 04 09 00 00 00 d3 00 00 00 01 00 00 00 03 .k..............

0050 3b 05 94 fb 12 00 f4 01 00 00 70 fa 12 00 6c fa ;.........p...l.

0060 12 00

ID:0x20

Description: used by external procedures and service registration

Example:

ID:0x44

Description: used by external procedures and service registration

Example:

ID:0xdeadbeef

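Description: additional network options. The client can negotiate additional connection attributes, for example authentication, encryption, data integrity, and monitoring.

Note: Wireshark calls this packet Secure Network Services.

Example: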

0.094489 192.168.1.108 192.168.1.102 TNS Response, Data (6), SNS

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 d0 05 11 40 00 80 06 70 f4 c0 a8 01 6c c0 a8 ....@...p....l..

0020 01 66 04 67 11 d9 0e a7 cb 81 b6 88 7a 42 50 18 .f.g........zBP.

0030 ff df 98 ef 00 00 00 a8 00 00 06 04 00 00 00 00 ................

0040 de ad be ef 00 9e 0a 20 01 00 00 04 00 00 04 00 ....... ........

0050 03 00 00 00 00 00 04 00 05 0a 20 01 00 00 08 00 .......... .....

0060 01 00 00 02 9c 00 c7 c7 f3 00 12 00 01 de ad be ................

0070 ef 00 03 00 00 00 04 00 04 00 01 00 01 00 02 00 ................

0080 01 00 05 00 00 00 00 00 04 00 05 0a 20 01 00 00 ............ ...

0090 02 00 03 e0 e1 00 02 00 06 fc ff 00 01 00 02 01 ................

00a0 00 03 00 00 4e 54 53 00 02 00 02 00 00 00 00 00 ....NTS.........

00b0 04 00 05 0a 20 01 00 00 0c 00 01 00 11 06 10 0c .... ...........

00c0 0f 0a 0b 08 02 01 03 00 03 00 02 00 00 00 00 00 ................

00d0 04 00 05 0a 20 01 00 00 03 00 01 00 03 01 .... .........

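According to the "Oracle Hacker's Handbook", the following is a bug in all versions of Oracle.

It occurs when a server parses a DATA packet whose Data flags have the second bit set but the first (least significant) bit not set (for example 2, 6, 10, 14, and so on). When the server receives such a packet, it falls into an infinite loop and takes up all CPU processing time. This clearly has a negative effect on server performance.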
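For monitoring, the Data packet layout and the flag condition described above can be turned into a check over a reassembled TNS stream. This is an added example, not code from the original post or from the book; NEGOTIATION holds the TNS bytes of the ID 0x01 capture above, the other three packets are constructed samples, and the function names are illustrative.

```python
import struct

LOGON_TTI = {0x51, 0x52, 0x73, 0x76}   # logon function codes from the TTI list

# Protocol-negotiation Data packet from the capture above (TNS layer only).
NEGOTIATION = bytes.fromhex("0025000006040000" "0000" "01" "06050403020100") \
    + b"IBMPC/WIN_NT-8.1.0\x00"
# Constructed samples (not from the capture): header, Data Flag, ID, TTI.
LOGON = bytes.fromhex("000c000006000000" "0000" "03" "76")
END_OF_DATA = bytes.fromhex("000a000006000000" "0040")
BAD_FLAGS = bytes.fromhex("000b000006000000" "0006" "01")

def iter_tns(stream):
    """Split a reassembled TCP stream into (type, packet) using Packet Length."""
    pos = 0
    while pos < len(stream):
        if pos + 8 > len(stream):
            raise ValueError("trailing bytes shorter than a TNS header")
        length, _, ptype, _, _ = struct.unpack_from(">HHBBH", stream, pos)
        if length < 8 or pos + length > len(stream):
            raise ValueError("bad Packet Length %d at offset %d" % (length, pos))
        yield ptype, stream[pos:pos + length]
        pos += length

def inspect_data(pkt):
    """Decode Data Flag, ID and TTI of a type-6 packet and apply the flag check."""
    if len(pkt) < 10:
        raise ValueError("Data packet without a Data Flag field")
    flags = struct.unpack_from(">H", pkt, 8)[0]
    data_id = pkt[10] if len(pkt) > 10 else None
    tti = pkt[11] if data_id in (0x03, 0x11) and len(pkt) > 11 else None
    return {"flags": flags, "id": data_id, "tti": tti,
            "end_of_data": bool(flags & 0x0040),
            "logon": data_id == 0x03 and tti in LOGON_TTI,
            # second bit set while the lowest bit is clear: 2, 6, 10, 14, ...
            "suspicious_flags": (flags & 0x0003) == 0x0002}

def scan(stream):
    """Return one finding per Data packet in the stream."""
    return [inspect_data(p) for t, p in iter_tns(stream) if t == 6]
```

Feeding scan() the client-to-server bytes of a session gives one record per Data packet; a record with suspicious_flags set is worth alerting on or dropping at a database firewall before it reaches the listener.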

The above is a translation of a blog post from abroad. The link to the original is as follows:
